Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • gunz
  • [SCA] Gunzilla / GUNZ / Mar2025
GUNZ logo

GUNZ

Audit name:

[SCA] Gunzilla / GUNZ / Mar2025

Date:

Mar 31, 2025

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Gunzilla team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

GUNZ is a Layer 1 blockchain designed for AAA Web3 gaming, developed by Gunzilla Games. It powers a comprehensive gaming ecosystem with services tailored to the needs of both developers and players.

Document

NameSmart Contract Code Review and Security Analysis Report for Gunzilla
Audited ByOlesia Bilenka
Approved ByIvan Bondar
Websitehttps://gunzillagames.com/en/
Changelog30/01/2025 - Preliminary Report
30/01/2025 - Final Report
PlatformAvalanche C-Chain
LanguageSolidity
TagsFungible Token; Upgradable; Centralization
Methodologyhttps://hackenio.cc/sc_methodology

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for Gunzilla
    Audited By
    Olesia Bilenka
    Approved By
    Ivan Bondar
    Website
    https://gunzillagames.com/en/
    Changelog
    30/01/2025 - Preliminary Report
    30/01/2025 - Final Report
    Platform
    Avalanche C-Chain
    Language
    Solidity
    Tags
    Fungible Token; Upgradable; Centralization
    Methodology
    https://hackenio.cc/sc_methodology

Review Scope

Repositoryhttps://github.com/Gunzilla-Games/gunzilla-token
Commitd8af45b

Audit Summary

4Total Findings
0Resolved
4Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are detailed.

    • Project overview is detailed.

    • All roles in the system are described.

    • Use cases are described and detailed.

    • For each contract, all futures are described.

    • All interactions are described.

  • Technical description is detailed.

    • Run instructions are provided.

    • Technical specification is provided.

    • The NatSpec documentation is sufficient.

Code quality

  • The development environment is configured.

Test coverage

Code coverage of the project is 100% (branch coverage).

  • All the main flows are covered.

System Overview

  • GUNZ.sol (Avalanche C-Chain) - ERC-20 token with burn and mint capabilities, representing wrapped GUN coins on Avalanche. Integrated with role-based access control and guardian validation.

Privileged roles

  • DEFAULT_ADMIN_ROLE:

    • Can mint and burn GUNZ.

    • Sets the guardian contract.

  • BRIDGE_ROLE (Assigned to GunzBridge):

    • Can mint/burn during bridge operations.

Potential Risks

System Reliance on External Contracts: The functioning of the system significantly relies on specific external contracts. Any flaws or vulnerabilities in these contracts adversely affect the audited project, potentially leading to security breaches or loss of funds.

Centralized Control of Minting Process: The token contract’s design allows for centralized control over the minting process, posing a risk of unauthorized token issuance, potentially diluting the token value and undermining trust in the project's economic governance.

Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.

Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.

Absence of Upgrade Window Constraints: The contract suite allows for immediate upgrades without a mandatory review or waiting period, increasing the risk of rapid deployment of malicious or flawed code, potentially compromising the system's integrity and user assets.

Findings

Code
Title
Status
Severity
F-2025-9545Unrestricted Minting by Admin May Bypass Bridge Logic and Cause Token Imbalance
accepted

Medium
F-2025-9546Centralized External Guardian Controls May Lead to Lock of Token and Bridge Functionality
accepted

Low
F-2025-9548Floating Pragma
accepted

Observation
F-2025-9547Missing _disableInitializers() in Upgradable Contract Constructor
accepted

Observation
1-4 of 4 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repositoryhttps://github.com/Gunzilla-Games/gunzilla-token/
Commitd8af45b64c82dd2935002a5901225dcf1d70dc7c
WhitepaperN/A
RequirementsREADME.md; NatSpec
Technical RequirementsREADME.md; NatSpec

Assets in Scope

GUNZ.sol - GUNZ.sol

Disclaimer