TRUST Summit | Nov 3, 2025 | NYCWhere decision-makers define the next chapter of secure blockchain adoption.
Learn more

Blubird

Audit name:

[SCA] Blubird | BluBirdAdmin-Backend | Jul2025

Date:

Aug 12, 2025

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Blubird team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Blubird consists of an ERC20 token featuring configurable minting, burning, and pausing capabilities, alongside a token distribution contract that manages allocations with flexible vesting schedules, supply caps, and time-based claims.

Document

NameSmart Contract Code Review and Security Analysis Report for Blubird
Audited ByKornel Światłowski, David Camps
Approved ByIvan Bondar
Websitehttps://www.getblubird.com/
Changelog28/07/2025 - Preliminary Report
01/08/2025 - Final Report
12/08/2025 - Updated Final Report
PlatformETH/EVM
LanguageSolidity
TagsClaims, ERC-20, Timelock, Vesting.
Methodologyhttps://hackenio.cc/sc_methodology

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for Blubird
    Audited By
    Kornel Światłowski, David Camps
    Approved By
    Ivan Bondar
    Website
    https://www.getblubird.com/
    Changelog
    28/07/2025 - Preliminary Report
    01/08/2025 - Final Report
    12/08/2025 - Updated Final Report
    Platform
    ETH/EVM
    Language
    Solidity
    Tags
    Claims, ERC-20, Timelock, Vesting.
    Methodology
    https://hackenio.cc/sc_methodology

Review Scope

Repositoryhttps://github.com/BluBird-App/BluBirdAdmin-Backend
Commitf09c89c
Remediation Commit0c1ba84
Updated Remediation Commit459954d

Audit Summary

7Total Findings
6Resolved
1Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are present, but only at a high-level.

    • Overall system requirements are provided.

    • Basic system description is provided.

    • No roles description.

    • No NatSpec.

  • Technical description was not provided.

Code quality

  • The development environment is configured.

Test coverage

Code coverage of the project is 98.68% (branch coverage).

  • Deployment and basic user interactions are covered with tests.

  • Negative cases coverage is present.

System Overview

ERC20Token - The contract implements a configurable ERC20 token with optional minting, burning, and pausing features. Functionality is based on OpenZeppelin extensions, with feature flags controlling access to minting and burning logic as well as pause mechanisms. A custom decimal precision is defined at deployment, and initial supply can be optionally minted to the deployer.

ILDistribution - The contract implements a token distribution system with configurable allocation types, supporting linear and periodic vesting schedules, optional lockup periods, and optional immediate release. Allocation types define supply caps and are assigned to recipients with per-allocation tracking for claimed and unclaimed amounts. Token claims are based on time-based release logic, and optional cancellation or instant release can be toggled at deployment. Administrative functions allow batch processing of allocations

Privileged roles

The ERC20Token contract uses an Ownable mechanism from OpenZeppelin for access control. The contract owner can call:

  • mint() – mints tokens to a specified address if minting is enabled

  • pause() – pauses all token transfers if the pausing feature is enabled

  • unpause() – resumes token transfers if the pausing feature is enabled

The ILDistribution contract uses an AccessControl mechanism from OpenZeppelin for access control. The DEFAULT_ADMIN_ROLE can call:

  • setToken() – sets the token used for distribution

  • addAllocation() – adds a single allocation to a recipient

  • addAllocations() – adds multiple allocations in a batch

  • raiseAllocation() – increases the amount of a specific allocation

  • raiseAllocations() – increases the amount for multiple allocations

  • cancelAllocation() – cancels an individual allocation

  • cancelAllocations() – cancels multiple allocations in a batch

  • refundTokens() – transfers out specified ERC20 tokens from the contract

Potential Risks

Centralized Control of Minting Process: The token contract’s design allows for centralized control over the minting process, posing a risk of unauthorized token issuance, potentially diluting the token value and undermining trust in the project's economic governance.

Centralized Minting to a Single Address: The project concentrates minting tokens in a single address, raising the risk of fund mismanagement or theft, especially if key storage security is compromised.

Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.

Administrative Key Control Risks: The digital contract architecture relies on administrative keys for critical operations. Centralized control over these keys presents a significant security risk, as compromise or misuse can lead to unauthorized actions or loss of funds.

The ERC20 token contract does not enforce a maximum supply cap, allowing unlimited minting. This introduces a monetary policy risk, as unchecked inflation can dilute existing holders, reduce trust in the token’s value, and lead to potential abuse by privileged roles. Without a hard cap or clearly defined minting rules, the token’s economic model lacks predictability, which may deter users and integrations with external protocols.

The ERC20 token contract includes a pausability mechanism that allows privileged roles to halt transfers at any time. While useful for emergency control, this introduces centralization risk, as token holders are exposed to arbitrary disruption of transfers, which may affect usability, investor confidence, and integration with third-party protocols that rely on uninterrupted token functionality.

The ERC20 token contract allows users to burn their own tokens and permits third parties to burn tokens on behalf of others if granted allowance. While this functionality can be intentional and useful (e.g., for deflationary models), it introduces a token supply reduction mechanism that, if misused or poorly understood, could lead to unexpected token loss. Projects should clearly document this behavior and ensure interfaces or integrations handle it safely to avoid accidental or unintended burns.

The contract does not include a direct mechanism to recover tokens that may become unintentionally stuck in vesting allocations. While this could temporarily restrict access to those tokens, the impact is mitigated by the ability to create new vesting allocations to withdraw and redistribute the locked tokens.

The claim and claimAll functions lack explicit access control, allowing any user to invoke them. While this does not pose a severe risk—since tokens can only be claimed from existing allocations and ultimately benefit the allocation owner—this unrestricted access may lead to unintended interactions.

Findings

Code
Title
Status
Severity
F-2025-1212Incorrect Percentage Returned Before Token Release Start
fixed

Low
F-2025-1193Release Schedule Start Time Can Be Set in the Past
accepted

Observation
F-2025-1192Revert Error Messages are Split Across Multiple Strings
fixed

Observation
F-2025-1192Inefficient Array Length Access in claimable() and claimAll()
fixed

Observation
F-2025-1190Commented Code Parts
fixed

Observation
F-2025-1189Redundant Variable Initialization Increases Deployment Gas Cost
fixed

Observation
F-2025-1189Floating Pragma
fixed

Observation
1-7 of 7 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope

ERC20Token.sol - ERC20Token.sol
ILDistribution.sol - ILDistribution.sol

Appendix 3. Additional Valuables

Verification of System Invariants

During the audit of Blubird / BluBirdAdmin-Backend, Hacken followed its methodology by performing fuzz-testing on the project's main functions. Foundry , a tool used for fuzz-testing, was employed to check how the protocol behaves under various inputs. Due to the complex and dynamic interactions within the protocol, unexpected edge cases might arise. Therefore, it was important to use fuzz-testing to ensure that several system invariants hold true in all situations.

Fuzz-testing allows the input of many random data points into the system, helping to identify issues that regular testing might miss. A specific Foundry fuzzing suite was prepared for this task, and throughout the assessment, 7 invariants were tested over 10000 runs each. This thorough testing ensured that the system works correctly even with unexpected or unusual inputs.

Invariant

Test Result

Run Count

Total supply equals sum of contract and user balancesPassed10000
Allocated amounts never exceed allocation type supplyPassed10000
Total claimed tokens match actual tokens transferred from contractPassed10000
Total claimed tokens equal sum of all user balancesPassed10000
Each user's token balance equals their total claimed tokensPassed10000
Total claimable tokens do not exceed contract token balancePassed10000
Number of canceled allocations never exceeds number of created allocationsPassed10000

  • Invariant

    Total supply equals sum of contract and user balances

    Test Result

    Passed

    Run Count

    10000

    Invariant

    Allocated amounts never exceed allocation type supply

    Test Result

    Passed

    Run Count

    10000

    Invariant

    Total claimed tokens match actual tokens transferred from contract

    Test Result

    Passed

    Run Count

    10000

    Invariant

    Total claimed tokens equal sum of all user balances

    Test Result

    Passed

    Run Count

    10000

    Invariant

    Each user's token balance equals their total claimed tokens

    Test Result

    Passed

    Run Count

    10000

    Invariant

    Total claimable tokens do not exceed contract token balance

    Test Result

    Passed

    Run Count

    10000

    Invariant

    Number of canceled allocations never exceeds number of created allocations

    Test Result

    Passed

    Run Count

    10000

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Disclaimer