DreamX

We express our gratitude to the Drteam for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

HODLBonds is a DeFi protocol where users deposit token pairs into vaults, and the protocol's trader swaps between them.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are partially missed.

• Technical description is provided.

Code quality

• Best practices were applied.

• The development environment is configured.

Test coverage

Code coverage of the project is 35.59% (branch coverage).

• Negative cases and edge conditions, such as boundary parameter values, non-standard token decimals, failed transfers, and oracle error handling, are largely missed.

• DEX behavior in SwapBase, LiquidityBookSwap, and BlackholeSwap is only partially validated; fork tests are provided, but coverage still leans on simplified assumptions/mocks and doesn’t comprehensively exercise router-specific revert/encoding/slippage/approval corner cases.

• Access control, factory configuration setters, and multi-user interaction scenarios are not tested thoroughly.

HODL Bonds is a dual-token bond protocol on Avalanche with the following contracts:

DualTokenVaultFactory — factory contract that deploys vault instances. It manages approved trading pairs, fee configurations (management and performance fees in basis points), a global trader Merkle root for authorization, and maintains a registry of all created vaults. Vault creation and bond issuance are performed atomically through this contract.

DualTokenVault — core vault contract that handles the complete bond lifecycle across three states: BOND_ISSUANCE, TRADING, and SETTLED. During issuance, a user deposits a vault token (e.g., AVAX) and a stable token (e.g., USDC) calculated via a Chainlink oracle and reserve ratio. During the trading period, an authorized protocol trader swaps between the two tokens via integrated DEX protocols. At maturity, the bond is redeemed — performance fees are deducted from any vault token profit, and remaining balances are returned to the redeemer.

LiquidityBookSwap — abstract contract providing swap functionality through Trader Joe's Liquidity Book protocol. Supports single-hop and multi-hop swaps with configurable bin steps and versions, and handles native token wrapping/unwrapping.

BlackholeSwap — abstract contract providing swap functionality through the Blackhole (Solidly/Velodrome-style) DEX protocol. Supports route-based single-hop and multi-hop swaps with configurable pair addresses, stable/volatile pool selection, and native token handling.

VaultReceiptToken — ERC1155 token that serves as a bond receipt. Minted to the depositor at bond issuance and burned upon redemption.

PaymentSplitterUpgradeable — upgradeable contract for splitting fee payments among multiple payees according to predefined shares in basis points. Distributes both ERC20 tokens and native currency.

MerkleTreeHelper — library for Merkle tree operations used to verify authorized traders via proof verification against a global Merkle root stored in the factory.

Privileged roles

• The DEFAULT_ADMIN_ROLE on the factory can grant and revoke all other roles, including MODERATOR_ROLE. This role is assigned to the deployer at construction.

• The MODERATOR_ROLE on the factory can update fee parameters (management and performance fees without upper bounds), set the fee splitter address, update the trader Merkle root affecting all active vaults, and manage approved trading pairs.

• The MINTER_ROLE on the VaultReceiptToken is granted to the factory deployer and to each newly created vault, allowing them to mint receipt tokens.

• The MODERATOR_ROLE on the PaymentSplitter can update payee addresses and share allocations at any time, including while funds are pending distribution.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope