PinLink

We express our gratitude to the PinLink team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

PinLink is the first RWA-tokenized DePIN platform, dedicated to driving down costs for AI developers and creating new revenue streams for DePIN asset owners.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are partially missed.

• Technical description is provided.

Code quality

• The development environment is configured.

Test coverage

Code coverage of the project is 81.05% (branch coverage).

• Deployment and basic user interactions are covered with tests.

• Negative cases coverage is missed.

• Interactions by several users are not tested thoroughly.

Pinlink is a both staking and a marketplace protocol with the following contracts:

FractionalToken  — an ERC-1155–based fractional ownership token contract that lets authorized minters create and extend supply of tokens, enforces rental restrictions via a linked marketplace, and manages per-token metadata.

PinToken — an ERC-20 token with an owner-controlled tax system that mints a fixed supply at deployment and applies different transfer fees—regular, buy/sell via whitelisted DEXs, or tax-exempt—distributing collected taxes between a staking contract and a treasury.

It has the following attributes:

• Name: PinLink

• Symbol: PIN

• Decimals: 18

• Total supply: 100000000 tokens.

Marketplace — a rental marketplace for ERC-1155 fractions where a designated renter lists token fractions; users (rentees) rent them by posting ERC-20 collateral and earn hourly rewards in a separate ERC-20 as reward token.

• A renter deposits token fractions into the marketplace and specifies the collateral currency, how much collateral must be locked per fraction, and the hourly reward rate that rentees will earn.

• While tokens are rented, the rentee accumulates reward tokens based on the number of fractions rented and the defined hourly rate. If the marketplace is paused during the rental, that period is excluded from reward calculations.

• The renter can temporarily stop rentals and later resume them. Any paused periods are excluded from rentees’ reward accruals.

PinStaking — a simple, owner-managed staking pool where users lock a single ERC-20 token to earn that same token as rewards, released linearly over configurable reward periods.

• Rewards are distributed continuously over time using a global “rewards-per-staked-token” meter to keep earnings fair regardless of when users joined.

• An authorized owner funds new reward periods by sending tokens to the contract and specifying a duration (in days).

• Any undistributed remainder from a previous period is rolled into the next, ensuring nothing is lost—only the schedule changes.

Privileged roles

• FractionalToken

• • Admin (initial owner): Grants/revokes roles and sets the marketplace address, which holders cannot later revoke.

  • Minter(s): Can create new token IDs, expand supply, and set metadata.

• Marketplace

• • Admin (initial owner): Assigns or revokes renters.

  • Renter(s): Control listings, set collateral/reward rates, pause/resume rentals, delist items, and enforce returns.

• PinToken

• • Owner: Can set staking/treasury addresses, adjust taxes (within limits), whitelist DEXs, and mark accounts tax-exempt.

• PinStaking

• • Owner: Starts new reward periods and determines size/duration of emissions (cannot withdraw once funded).

The scope of the project includes the following smart contracts from the provided repository:

Contracts in Scope