Introduction
We express our gratitude to the Acecoin team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
The Acecoin platform is a subscription-based staking system that allows users to stake ACE tokens and earn monthly rewards through a tiered reward structure.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Acecoin |
| Audited By | Ataberk Yavuzer, Viktor Lavrenenko |
| Approved By | Panagiotis Konstantinidis |
| Website | https://acecoin.io/→ |
| Changelog | 06/01/2026 - Preliminary Report |
| 27/01/2026 - Final Report | |
| Platform | Polygon, Arbitrum, Base, Avalanche |
| Language | Solidity |
| Tags | Fungible token, Staking, Incentives |
| Methodology | https://docs.hacken.io/methodologies/smart-contracts→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Acecoin
- Audited By
- Ataberk Yavuzer, Viktor Lavrenenko
- Approved By
- Panagiotis Konstantinidis
- Website
- https://acecoin.io/→
- Changelog
- 06/01/2026 - Preliminary Report
- 27/01/2026 - Final Report
- Platform
- Polygon, Arbitrum, Base, Avalanche
- Language
- Solidity
- Tags
- Fungible token, Staking, Incentives
Review Scope | |
|---|---|
| Repository | https://github.com/AMGAceToken/Ace-SmartContracts→ |
| Commit | ac6261b |
| Remediation Commit | 825eaaf |
Review Scope
- Commit
- ac6261b
- Remediation Commit
- 825eaaf
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
{Finding_Table?columns=title,severity,status&setting.filter.type=Vulnerability}
Documentation quality
Functional requirements are provided:
The project’s purpose is described.
Business logic is complete.
Use cases are provided.
Technical description is partially provided:
Key function descriptions are provided for the files in the scope.
Architectural overview is missing.
Roles and authorization are described.
Information on used technologies is provided.
Code quality
Best practices are followed.
The development environment is configured.
Test coverage
Code coverage of the project is 60.5% (branch coverage):
Deployment and basic user interactions are covered with tests.
Negative cases coverage is partially provided.
Interactions by several users are not tested thoroughly.
System Overview
AMG AceToken - a subscription-based staking platform with the following contracts:
AceCoin - simple ERC-20 token that mints all initial supply to a deployer. Additional minting is not allowed.
It has the following attributes:
Name: AceCoin
Symbol: ACE
Decimals: 18
Total supply: 30m tokens.
MemoryManager - a utility smart-contract which provides internal helper functions to group numeric values into fixed-size “tiers” (buckets of 1000), manage them, and paginate over them.
Subscription - the main subscription contract for AceCoin ecosystem. Manages user registrations, main subscriptions, level subscriptions (0–11), referral trees up to 12 levels, and fees in an AceCoin ecosystem, using USDT for payments. It leverages MemoryManager to store downlines in tiered arrays for gas-efficient pagination and counting.
StakingAndRewards - a smart-contract which allows eligible users to stake ACE tokens to earn time-based rewards. Note that during the unstake operation, the user is permanently banned from the system and loses all future access to its functionality.
Privileged roles
The owner of the
StakingAndRewardscontract can:transfer ownership to another address via
transferOwnership()function.renounce the ownership via
renounceOwnership()function.set the new address of the
aceFoundationWalletviasetAceFoundationWallet()function.
The owner of the
Subscriptioncontract can:set default fee for all users and levels via
setDefaultFee()function. The default fee can be updated by the owner within the range of 1 to 3 USDT.set a custom fee for a specific user via
setCustomFee()function. The custom fee can be set within the range of 1 to 100 USDT.update the ace foundation wallet address via
setAceFoundationWallet()function.transfer ownership to another address via
transferOwnership()function.renounce the ownership via
renounceOwnership()function.
Potential Risks
Centralized Minting to a Single Address: The token AceCoin contract concentrates minting tokens in a single address, raising the risk of fund mismanagement or theft, especially if key storage security is compromised.
Lack of Upgradeability: The project's smart contracts are non-upgradable. While this approach enhances immutability, it also limits the ability to patch vulnerabilities, fix bugs, or introduce improvements after deployment. In the event of unintended behavior or security issues, the absence of an upgrade mechanism significantly reduces the available response options, potentially leading to prolonged downtime or the need for a full contract migration.
Administrative Key Control Risks: The digital contract architecture relies on administrative keys for critical operations. Centralized control over these keys presents a significant security risk, as compromise or misuse can lead to unauthorized actions or loss of funds. It is recommended to use a multi-signature wallet.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2025-1449 | Team Rewards Accumulate Without Required Active Stake | fixed | High | |
| F-2025-1448 | Staking Capacity Permanently Lost as Stakes Complete | fixed | High | |
| F-2025-1444 | Incorrect Assumption of USDT Decimals Leads to Fee Miscalculations | fixed | Medium | |
| F-2026-1450 | Unstake Forfeits Accumulated Rewards Without Documentation/Notice | accepted | Medium | |
| F-2025-1448 | Second Stake Inherits Old Activity Time - Reduced Reward Window | accepted | Medium | |
| F-2025-1448 | Missing State Validation Enables Re-Subscription to An Active Level | fixed | Medium | |
| F-2025-1447 | Users Can Permanently Block Themselves by Calling unstake() Without Active Stakes | accepted | Medium | |
| F-2025-1447 | Unregistered Users Can Unstake Without Subscription | accepted | Medium | |
| F-2025-1446 | Custom Fee Change Instantly Invalidates Active Subscriptions | accepted | Medium | |
| F-2025-1445 | Mismatch Between Tier Assignment and Enumeration Breaks Tier Determinism | fixed | Medium |
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/AMGAceToken/Ace-SmartContracts→ |
| Commit | ac6261b18edc783a17770764280229bb099fdb61 |
| Remediation Commit | 825eaafb269566ff3f5e64d1d5cb1f336ee3bfe1 |
| Whitepaper | N/A |
| Requirements | README.md |
| Technical Requirements | README.md, Natspec |
Scope Details
- Commit
- ac6261b18edc783a17770764280229bb099fdb61
- Remediation Commit
- 825eaafb269566ff3f5e64d1d5cb1f336ee3bfe1
- Whitepaper
- N/A
- Requirements
- README.md
- Technical Requirements
- README.md, Natspec
Assets in Scope
Appendix 3. Additional Valuables
Additional Recommendations
The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.
To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:
Detecting changes to ownership or critical permissions.
Monitoring large or unexpected transactions and minting events.
Pausing operations when irregularities are identified.
These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment →, and the Penetration Testing Execution Standard (PTES) →, These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.