Q1 2026 Security & Compliance Report44 incidents, $482M in losses, insights from 11 industry leaders.
Read the report

Audit name:

[SCA] SyFu | Staking | mar2026

Date:

Mar 24, 2026

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the SyFu team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

SyFu is a Web3 wallet with GameFi (Game Finance) features that convert payment data into digital assets.

Document

NameSmart Contract Code Review and Security Analysis Report for SyFu
Audited ByKhrystyna Tkachuk
Approved ByKornel Światłowski
Websitehttps://syfu.io/
Changelog10/03/2026 - Preliminary Report
19/03/2026 - Final Report
PlatformBSC
LanguageSolidity
TagsStaking, Upgradable
Methodologyhttps://docs.hacken.io/methodologies/smart-contracts

Review Scope

Repositoryhttps://github.com/SyFu-Project/syfu_staking
Initial Commited75700
Final Commit8ca0aa5

Audit Summary

4Total Findings
4Resolved
0Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are detailed.

    • Project overview is detailed

    • All roles in the system are described.

    • Use cases are described and detailed.

    • All futures are described

  • Technical description is detailed.

    • Run instructions are provided.

    • Technical specification is provided.

    • NatSpec is sufficient.

Code quality

  • The project extensively utilizes OpenZeppelin contracts.

  • The development environment is configured.

Test coverage

Code coverage of the project is 80.8% (branch coverage).

  • Deployment and basic user interactions are covered with tests.

  • Negative cases coverage is partially covered.

System Overview

SyFuStaking.sol is a UUPS-upgradeable vault on BNB Smart Chain for holding EVT tokens under predefined pool-specific lock periods. The contract is responsible only for custody of locked tokens, enforcement of lock durations, and accounting of stake, pool, and global balances. All broader business logic, including reward calculation, pool configuration strategy, eligibility checks, CAP enforcement, snapshots, and lottery mechanics, is handled off-chain by the protocol backend.

The contract supports the core staking vault flow by allowing users to lock EVT tokens into administrator-defined pools and withdraw them once the relevant lock period has expired. It maintains per-stake records, per-user balances per pool, per-pool totals, and the overall amount locked in the vault. Administrative functionality includes creation and configuration of pools through lock-duration settings, while emergency controls allow authorized roles to pause all lock and withdrawal activity and, when necessary, recover ERC-20 tokens or native BNB from the contract during incident handling. This keeps the on-chain implementation focused on token custody, lock enforcement, accounting, and essential administrative and emergency operations.

Privileged roles

  • DEFAULT_ADMIN_ROLE: Manages granting or revoking privileged roles.

  • ADMIN_ROLE: Manages core administrative actions, including configuring pool lock durations.

  • EMERGENCY_ROLE: Handles incident-response actions, including pausing or unpausing the contract and executing emergency recovery of ERC-20 tokens or force-sent BNB while paused.

  • UPGRADE_ROLE: Authorizes contract implementation upgrades through the UUPS proxy mechanism.

Potential Risks

Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.

Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.

Absence of Upgrade Window Constraints: The contract suite allows for immediate upgrades without a mandatory review or waiting period, increasing the risk of rapid deployment of malicious or flawed code, potentially compromising the system's integrity and user assets.

Emergency Withdrawal Can Break Accounting Consistency: The emergencyWithdraw function intentionally allows privileged operators to recover ERC-20 tokens from the contract without updating internal accounting variables such as per-stake, per-pool, or total locked balances. While this behavior is designed for emergency response and is only available when the contract is paused, it creates a scenario where on-chain accounting may no longer accurately reflect the actual token balance held by the vault. As a result, following emergency intervention, recorded locked amounts may become inconsistent with recoverable assets unless additional off-chain reconciliation or operational remediation is performed.

Heavy Reliance on Off-Chain Backend Logic: A significant portion of the protocol’s functional and economic logic is enforced exclusively by the off-chain Go backend rather than by the smart contract itself. This includes reward calculations, EVT-days accumulation, contribution scoring, lottery handling, soft-to-hard pool transitions, and per-pool CAP tracking. While this design keeps the on-chain contract minimal, it also introduces operational and trust dependencies on the correctness, security, and availability of the backend systems. If the backend is misconfigured, unavailable, or compromised, important protocol rules may be applied incorrectly or not enforced at all, even though the smart contract itself continues to operate as designed.

Admin Lock Duration Update Can Front-Run User Lock: The lock() function uses the current poolLockDuration[poolId] value at execution time to determine the stake expiry. Because setPoolLockDuration() can update this value at any time through the DEFAULT_ADMIN_ROLE, a user’s pending lock() transaction may be front-run by an admin duration update. As a result, a user who submitted a transaction expecting the previous lock period may instead have their tokens locked for a newly increased duration once the transaction is mined. This creates timing dependence on privileged admin actions and may lead to users being locked under terms they did not anticipate at submission time.

String-Based Pool IDs Increase Gas Costs: The contract uses string values for poolId, which introduces additional gas overhead compared to a fixed-size type such as bytes32. Dynamic string handling is generally more expensive, particularly for storage writes, comparisons, and hashing. Additionally, poolId currently has no explicit length restriction, meaning longer values may increase execution costs unnecessarily. While this may be manageable in a system with a small, backend-controlled set of pools, it remains a design choice that trades gas efficiency for readability and flexibility.

Findings

Code
Title
Status
Severity
F-2026-1534Inconsistent Granular Role Separation
fixed

Observation
F-2026-1534Redundant Imports
fixed

Observation
F-2026-1534Lack of Event Emitting for Emergency Withdraw Operations
fixed

Observation
F-2026-1533Floating Pragma
fixed

Observation
1-4 of 4 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repositoryhttps://github.com/SyFu-Project/syfu_staking
Initial Commited757003bb95409642b20fc754d7a25285d4912f
Final Commit8ca0aa51e881664399c7b8b42606a375c7a3c4b2
WhitepaperN/A
Requirementshttps://github.com/SyFu-Project/syfu_staking
Technical Requirementshttps://github.com/SyFu-Project/syfu_staking

Assets in Scope

SyFuStaking.sol - SyFuStaking.sol

Appendix 3. Additional Valuables

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Frameworks and Methodologies

This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment , and the Penetration Testing Execution Standard (PTES) , These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.

Disclaimer