Introduction
We express our gratitude to the SyFu team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
SyFu is a Web3 wallet with GameFi (Game Finance) features that convert payment data into digital assets.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for SyFu |
| Audited By | Khrystyna Tkachuk |
| Approved By | Kornel Światłowski |
| Website | https://syfu.io/→ |
| Changelog | 10/03/2026 - Preliminary Report |
| 19/03/2026 - Final Report | |
| Platform | BSC |
| Language | Solidity |
| Tags | Staking, Upgradable |
| Methodology | https://docs.hacken.io/methodologies/smart-contracts→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for SyFu
- Audited By
- Khrystyna Tkachuk
- Approved By
- Kornel Światłowski
- Website
- https://syfu.io/→
- Changelog
- 10/03/2026 - Preliminary Report
- 19/03/2026 - Final Report
- Platform
- BSC
- Language
- Solidity
- Tags
- Staking, Upgradable
Review Scope | |
|---|---|
| Repository | https://github.com/SyFu-Project/syfu_staking→ |
| Initial Commit | ed75700 |
| Final Commit | 8ca0aa5 |
Review Scope
- Initial Commit
- ed75700
- Final Commit
- 8ca0aa5
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are detailed.
Project overview is detailed
All roles in the system are described.
Use cases are described and detailed.
All futures are described
Technical description is detailed.
Run instructions are provided.
Technical specification is provided.
NatSpec is sufficient.
Code quality
The project extensively utilizes OpenZeppelin contracts.
The development environment is configured.
Test coverage
Code coverage of the project is 80.8% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative cases coverage is partially covered.
System Overview
SyFuStaking.sol is a UUPS-upgradeable vault on BNB Smart Chain for holding EVT tokens under predefined pool-specific lock periods. The contract is responsible only for custody of locked tokens, enforcement of lock durations, and accounting of stake, pool, and global balances. All broader business logic, including reward calculation, pool configuration strategy, eligibility checks, CAP enforcement, snapshots, and lottery mechanics, is handled off-chain by the protocol backend.
The contract supports the core staking vault flow by allowing users to lock EVT tokens into administrator-defined pools and withdraw them once the relevant lock period has expired. It maintains per-stake records, per-user balances per pool, per-pool totals, and the overall amount locked in the vault. Administrative functionality includes creation and configuration of pools through lock-duration settings, while emergency controls allow authorized roles to pause all lock and withdrawal activity and, when necessary, recover ERC-20 tokens or native BNB from the contract during incident handling. This keeps the on-chain implementation focused on token custody, lock enforcement, accounting, and essential administrative and emergency operations.
Privileged roles
DEFAULT_ADMIN_ROLE: Manages granting or revoking privileged roles.ADMIN_ROLE: Manages core administrative actions, including configuring pool lock durations.EMERGENCY_ROLE: Handles incident-response actions, including pausing or unpausing the contract and executing emergency recovery of ERC-20 tokens or force-sent BNB while paused.UPGRADE_ROLE: Authorizes contract implementation upgrades through the UUPS proxy mechanism.
Potential Risks
Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.
Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.
Absence of Upgrade Window Constraints: The contract suite allows for immediate upgrades without a mandatory review or waiting period, increasing the risk of rapid deployment of malicious or flawed code, potentially compromising the system's integrity and user assets.
Emergency Withdrawal Can Break Accounting Consistency: The emergencyWithdraw function intentionally allows privileged operators to recover ERC-20 tokens from the contract without updating internal accounting variables such as per-stake, per-pool, or total locked balances. While this behavior is designed for emergency response and is only available when the contract is paused, it creates a scenario where on-chain accounting may no longer accurately reflect the actual token balance held by the vault. As a result, following emergency intervention, recorded locked amounts may become inconsistent with recoverable assets unless additional off-chain reconciliation or operational remediation is performed.
Heavy Reliance on Off-Chain Backend Logic: A significant portion of the protocol’s functional and economic logic is enforced exclusively by the off-chain Go backend rather than by the smart contract itself. This includes reward calculations, EVT-days accumulation, contribution scoring, lottery handling, soft-to-hard pool transitions, and per-pool CAP tracking. While this design keeps the on-chain contract minimal, it also introduces operational and trust dependencies on the correctness, security, and availability of the backend systems. If the backend is misconfigured, unavailable, or compromised, important protocol rules may be applied incorrectly or not enforced at all, even though the smart contract itself continues to operate as designed.
Admin Lock Duration Update Can Front-Run User Lock: The lock() function uses the current poolLockDuration[poolId] value at execution time to determine the stake expiry. Because setPoolLockDuration() can update this value at any time through the DEFAULT_ADMIN_ROLE, a user’s pending lock() transaction may be front-run by an admin duration update. As a result, a user who submitted a transaction expecting the previous lock period may instead have their tokens locked for a newly increased duration once the transaction is mined. This creates timing dependence on privileged admin actions and may lead to users being locked under terms they did not anticipate at submission time.
String-Based Pool IDs Increase Gas Costs: The contract uses string values for poolId, which introduces additional gas overhead compared to a fixed-size type such as bytes32. Dynamic string handling is generally more expensive, particularly for storage writes, comparisons, and hashing. Additionally, poolId currently has no explicit length restriction, meaning longer values may increase execution costs unnecessarily. While this may be manageable in a system with a small, backend-controlled set of pools, it remains a design choice that trades gas efficiency for readability and flexibility.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2026-1534 | Inconsistent Granular Role Separation | fixed | Observation | |
| F-2026-1534 | Redundant Imports | fixed | Observation | |
| F-2026-1534 | Lack of Event Emitting for Emergency Withdraw Operations | fixed | Observation | |
| F-2026-1533 | Floating Pragma | fixed | Observation |
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/SyFu-Project/syfu_staking→ |
| Initial Commit | ed757003bb95409642b20fc754d7a25285d4912f |
| Final Commit | 8ca0aa51e881664399c7b8b42606a375c7a3c4b2 |
| Whitepaper | N/A |
| Requirements | https://github.com/SyFu-Project/syfu_staking→ |
| Technical Requirements | https://github.com/SyFu-Project/syfu_staking→ |
Scope Details
- Initial Commit
- ed757003bb95409642b20fc754d7a25285d4912f
- Final Commit
- 8ca0aa51e881664399c7b8b42606a375c7a3c4b2
- Whitepaper
- N/A
- Requirements
- https://github.com/SyFu-Project/syfu_staking→
- Technical Requirements
- https://github.com/SyFu-Project/syfu_staking→
Assets in Scope
Appendix 3. Additional Valuables
Additional Recommendations
The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.
To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:
Detecting changes to ownership or critical permissions.
Monitoring large or unexpected transactions and minting events.
Pausing operations when irregularities are identified.
These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment →, and the Penetration Testing Execution Standard (PTES) →, These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.