Introduction
We express our gratitude to the MANSORY team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Mansory's staking contract is a soul-bound NFT system where users lock ERC-20 tokens for a fixed duration to receive a non-transferable NFT that represents their stake and tier. Users can increase their stake to upgrade their tier, and the contract supports airdrops, tier-based metadata, and time-based withdrawals after expiry.
| Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for MANSORY | 
| Audited By | Ataberk Yavuzer, Konstantinidis Panagiotis | 
| Approved By | Ivan Bondar | 
| Website | https://mansorytoken.io/→ | 
| Changelog | 19/06/2025 - Preliminary Report | 
| 25/06/2025 - Final Report | |
| Platform | BSC | 
| Language | Solidity | 
| Tags | Non-fungible Token (NFT) | 
| Methodology | https://hackenio.cc/sc_methodology→ | 
- Document - Name
- Smart Contract Code Review and Security Analysis Report for MANSORY
- Audited By
- Ataberk Yavuzer, Konstantinidis Panagiotis
- Approved By
- Ivan Bondar
- Website
- https://mansorytoken.io/→
- Changelog
- 19/06/2025 - Preliminary Report
- 25/06/2025 - Final Report
- Platform
- BSC
- Language
- Solidity
- Tags
- Non-fungible Token (NFT)
- Methodology
- https://hackenio.cc/sc_methodology→
 
| Review Scope | |
|---|---|
| Contract Address | https://bscscan.com/address/0xa033ab0640ed86206aefa73db81b4ee659b7bde3#code→ | 
| Remediation Address | https://bscscan.com/address/0x88fa770e4408b8b5ef7b6d0d42d29d321a31b7a8#code→ | 
- Review Scope - Remediation Address
- https://bscscan.com/address/0x88fa770e4408b8b5ef7b6d0d42d29d321a31b7a8#code→
 
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
- Functional requirements are included. 
- Technical description is provided. 
Code quality
- NatSpec is included across the contracts. 
- The code is clear and straightforward. 
Test coverage
Code coverage of the project is 0% as no tests provided.
System Overview
The Mansory project implements a soul-bound NFT staking system designed to lock ERC-20 tokens in exchange for non-transferable NFTs that represent staking positions. The core functionality is encapsulated in the NftTierStakingUpgradeable contract, an upgradeable ERC-721 implementation that supports tiered staking, time-based locking, and controlled deposits by privileged users (airdrop role) on behalf of others.
Users can stake a specified ERC-20 token by locking it for a fixed duration (default: ~6 months). Upon staking, the user receives a non-transferable NFT that records the amount staked, the expiry timestamp, and the assigned tier based on the staked amount. Tiers are configurable and define thresholds and optional image metadata. Users can later deposit more tokens to upgrade their tier, but this will reset their expiry timestamp. After expiry, users can burn their own NFT to reclaim their total amount staked.
The contract includes an airdrop mechanism allowing privileged roles to create or top-up staking positions for multiple users in batch. It also supports external tokenUriBuilder contracts for dynamic NFT metadata generation.
Key attributes and design features:
- ERC-20 staking token: Address set at initialization (name, symbol, decimals not defined in this contract) 
- ERC-721 token (soul-bound): Non-transferable NFTs with auto-incremented - tokenIds starting from 1
- Lock period: Uniform for all users, adjustable by the owner while the contract is paused 
- Tier structure: Configurable list of - TierDataentries, ordered by- requireAmount
- Upgradeable: Follows OpenZeppelin's - TransparentUpgradeableProxypattern
- Role-based access control: Privileged airdrop role managed by the owner. 
- Contract status: Starts paused for safety, with administrative control over pausing, URI builder, and tier updates 
This architecture enables secure token locking through non-transferable NFTs, supports transparent tier-based logic, and integrates customizable metadata for each tier position.
Privileged roles
The contract owner also holds administrative authority over critical system parameters, including:
- Pausing and unpausing the contract (global circuit breaker) 
- Updating the lock duration ( - lockTime)
- Modifying tier image URIs 
- Assigning or revoking airdrop roles 
- Setting or replacing the external - tokenUriBuildercontract
- Upgrading the contract through the proxy pattern (via ownership) 
The airdrop role (onlyAirdropRole) is a privileged role that can:
- Call the - airdropfunction to deposit tokens on behalf of users
Potential Risks
Dependency on External Logic for Implemented Functionality: Metadata generation and the contractURI() rely entirely on a separately deployed contract. This separation of responsibilities increases modularity but also adds external dependency risk—especially if the builder is upgraded or replaced with malicious logic.
System Reliance on External Contracts: The staking contract depends on an external tokenUriBuilder contract for rendering dynamic NFT metadata. Since this builder contract is not part of the audit scope, any vulnerabilities or failures in its logic could affect NFT display, user experience, or even lead to misleading token representations.
Owner’s Unrestricted State Modification: The contract grants the owner full control over key state parameters, including the ability to pause or unpause staking operations, change tier image URIs, and update the lock duration without delay or external approval. This flexibility allows quick reconfiguration but also exposes the system to potential misuse if the owner's account is compromised or misused internally.
Insufficient Multi-signature Controls for Critical Functions: No multi-signature requirement is enforced for critical owner-only functions, including upgrades and staking configuration changes. This centralizes decision-making power and increases the risk of unauthorized transactions or malicious actions being executed by a single compromised key.
Single Points of Failure and Control: The project is highly centralized, relying on a single owner address for executing critical administrative functions such as pausing and unpausing the contract, adjusting the global lock duration, modifying tier image, setting the external tokenUriBuilder contract, and managing airdrop roles. This concentration of power introduces significant operational risk in the event of private key compromise or mismanagement.
Absence of Time-lock Mechanisms for Critical Operations: Without time-locks on owner-only functions such as upgrades, lock duration changes, and role assignments, there is no buffer to review or revert potentially harmful actions, increasing the risk of rapid changes.
Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time via OpenZeppelin’s proxy pattern. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if the upgrade process is not properly governed or secured, potentially allowing unauthorized or malicious changes that could compromise the project's integrity and security.
Absence of Upgrade Window Constraints: The contract suite allows for immediate upgrades without a mandatory review or waiting period, increasing the risk of rapid deployment of malicious or flawed code, potentially compromising the system's integrity and user assets.
Findings
| Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2025-1105 | Missing Public View Function to Check NFT Expiry Status | fixed | Low | |
| F-2025-1105 | Contradictions Between Documentation and Implementation Create Misleading Expectations | fixed | Low | |
| F-2025-1105 | Failure to Handle Fee-On-Transfer Tokens Leads to Accounting Discrepancies | mitigated | Low | |
| F-2025-1105 | Typographical Error in Documentation and Function Name May Cause Confusion | fixed | Observation | |
| F-2025-1105 | Missing Check in setAidropRoleAllows Zero Address Assignment | fixed | Observation | |
| F-2025-1104 | Unused Custom Error | fixed | Observation | |
| F-2025-1104 | Duplicated Looping in Airdrop Function Increases Gas Consumption | mitigated | Observation | 
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
| Severity | Description | 
|---|---|
| Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. | 
| High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. | 
| Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. | 
| Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution. | 
- Severity 
- Critical
- Description 
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
- Severity 
- High
- Description 
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
- Severity 
- Medium
- Description 
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
- Severity 
- Low
- Description 
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
 
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
| Scope Details | |
|---|---|
| Contract Address | https://bscscan.com/address/0xa033ab0640ed86206aefa73db81b4ee659b7bde3#code→ | 
| Remediation Address | https://bscscan.com/address/0x88fa770e4408b8b5ef7b6d0d42d29d321a31b7a8#code→ | 
| Whitepaper | https://mansory-docs.gitbook.io/mansory-docs→ | 
| Requirements | N/A | 
| Technical Requirements | N/A | 
- Scope Details - Remediation Address
- https://bscscan.com/address/0x88fa770e4408b8b5ef7b6d0d42d29d321a31b7a8#code→
- Requirements
- N/A
- Technical Requirements
- N/A
 
Assets in Scope
Appendix 3. Additional Valuables
Verification of System Invariants
During the audit of Mansory, Hacken followed its methodology by performing fuzz-testing on the project's main functions. Echidna →, a tool used for fuzz-testing, was employed to check how the protocol behaves under various inputs. Due to the complex and dynamic interactions within the protocol, unexpected edge cases might arise. Therefore, it was important to use fuzz-testing to ensure that several system invariants hold true in all situations.
Fuzz-testing allows the input of many random data points into the system, helping to identify issues that regular testing might miss. A specific Echidna fuzzing suite was prepared for this task, and throughout the assessment, 9 invariants were tested over 10,000 runs. This thorough testing ensured that the system works correctly even with unexpected or unusual inputs .
| Invariant Description | Test Result | Run Count | 
|---|---|---|
| NFT must not be transferable (soul-bound) | ✅ Passed | ~10k | 
| totalStakedcannot become negative | ✅ Passed | ~10k | 
| Creating a lock below minimum tier must revert | ✅ Passed | ~10k | 
| Withdraw before lock expiry must revert | ✅ Passed | ~10k | 
| nextTokenIdmust always increment or stay the same | ✅ Passed | ~10k | 
| Tier list must remain strictly ascending | ✅ Passed | ~10k | 
| Creating a second lock must revert | ✅ Passed | ~10k | 
| All NFTs must have a positive staked amount | ✅ Passed | ~10k | 
| Withdraw must fail if called by an address not owning NFT | ✅ Passed | ~10k | 
- Invariant Description 
- NFT must not be transferable (soul-bound)
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- totalStakedcannot become negative
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- Creating a lock below minimum tier must revert
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- Withdraw before lock expiry must revert
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- nextTokenIdmust always increment or stay the same
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- Tier list must remain strictly ascending
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- Creating a second lock must revert
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- All NFTs must have a positive staked amount
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
- Invariant Description 
- Withdraw must fail if called by an address not owning NFT
- Test Result 
- ✅ Passed
- Run Count 
- ~10k
 
Additional Recommendations
The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.
To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:
- Detecting changes to ownership or critical permissions. 
- Monitoring large or unexpected transactions and minting events. 
- Pausing operations when irregularities are identified. 
These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.