Potential Risks

DISCLAIMER // NFA // DYOR

This analysis is based on decompiled bytecode and observations of the contract behavior. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.

⊙ generated by robots | curated by humans

METADATA
Proxy Address	`0x2a9848c39fff51eb184326d65f1238cc36764069` (etherscan)
Implementation Address	`0x435dc93869553123513148e5df4231c21dfca965` (etherscan)
Network	Ethereum Mainnet
Analysis Date	2026-03-29 (Updated)

Risk Summary

RISK CATEGORY	LEVEL	RATIONALE
Centralization	High	Single admin has sweeping powers; no multisig; instant proxy upgrades possible
Complexity	Medium	Reward accounting is complex; multiple mappings must stay in sync
Economic	Medium	Depends entirely on operator deposits; admin can drain funds after 24h
External Dependencies	Medium	Single point of failure on external token contract; no validation or fallback
Technical/Security	High	Reentrancy vulnerabilities observed; state updated after external calls
Upgrade Risk	Critical	Proxy admin can instantly upgrade to malicious implementation; no timelock

Overall Risk Assessment: High to Critical

Centralization Risks

Admin Powers

What the admin can do:

ACTION	TIMELOCK	IMPACT
Upgrade contract logic	☒ None	Can replace entire implementation
Emergency withdrawals	24 hours	Can withdraw any ETH or ERC20
Manipulate balances	☒ None	Can set any user's balance to arbitrary value
Add operators	☒ None	Immediate effect
Remove operators	24 hours	Queued with delay
Remove from blacklist	☒ None	Immediate effect
Change parameters	24 hours	Min balance requirement
Cancel timelocks	☒ None	Can cancel any queued action
Transfer admin	24 hours	Two-step process

Potential Impact:

△ Rug pull: Admin could upgrade to malicious implementation that steals all funds
△ Fund extraction: After 24 hours, admin can withdraw all ETH from reward pool
△ Reward manipulation: Admin can change user balances to favor certain addresses
△ Denial of service: Admin can prevent operators from functioning by removing them
△ Lock out users: Can blacklist addresses or pause their rewards indefinitely

Observed Mitigations:

☑ 24-hour timelock on critical operations (admin transfer, operator removal, parameter changes, emergency withdrawals)
☑ Two-step admin transfer (queue + accept) prevents accidental transfers
☑ Transparent proxy pattern prevents admin from calling implementation directly
☒ No timelock on proxy upgrades (proxy admin can instantly change implementation)
☒ No multisig requirement (single address has all power)
☒ No governance mechanism
☒ No limits on manual balance updates

Operator Powers

What operators can do:

ACTION	TIMELOCK	IMPACT
Control participation	☒ None	Open/close registration
Pause contract	☒ None	Block all user operations
Deposit rewards	☒ None	Required for system function
Blacklist users	☒ None	Block specific addresses
Pause individual users	☒ None	Block specific users from claiming
Force deregister	☒ None	Remove users without consent

Potential Impact:

△ Denial of service: Operators can prevent users from claiming by pausing
△ Selective access: Can blacklist or force-deregister targeted users
△ Registration manipulation: Can close registration after favored users join
△ Reward timing: Can delay reward deposits to manipulate distribution

Observed Mitigations:

☑ Operators can be removed by admin (with 24-hour timelock)
☑ Admin retains override capability (can unpause users, remove blacklist)
☒ No timelock on operator actions (instant effect)
☒ No checks/balances between operators
☒ Operator count unlimited

Upgrade Risks

ATTRIBUTE	VALUE
Upgrade Mechanism	EIP-1967 Transparent Proxy
Who can upgrade	Proxy admin (`0x39c983...8a77` — EOA)
Time lock	☒ None - instant upgrade possible
What could change	Everything (entire contract logic)
Storage collision risk	Medium
Upgrades observed	2 (both on 2026-03-27, 16 minutes apart)

Upgrade Concerns:

Proxy admin (0x39c9...8a77) is a separate EOA from implementation admin (0x9fBc...eA03)
No timelock means instant upgrade possible
Storage layout must be carefully maintained across upgrades
New implementation could:
- Steal all ETH in contract
- Manipulate balances arbitrarily
- Change reward calculation logic
- Add backdoors for fund extraction

Observed Upgrade Pattern (2026-03-27):

The contract was upgraded twice in rapid succession:

03:57 UTC — Upgraded to intermediate implementation 0xc09d9b...
04:13 UTC — Upgraded again to current implementation 0x435dc9... (just 16 minutes later)

This pattern suggests either a deployment error followed by a fix, or iterative deployment without thorough testing. Both scenarios raise questions about the quality assurance process.

Storage Layout Risks:

Original implementation used slots 0-23
Current implementation extends to slots 24-26 (fee config)
Proxy uses special EIP-1967 slots (unlikely to collide)
New variables were correctly appended at end (safe pattern)
Future upgrades must maintain all variable positions through slot 26

External Dependencies

DEPENDENCY	ADDRESS	PURPOSE	RISK IF COMPROMISED
XCL Token	Set in `initialize()`	Balance queries determine reward share	System halts or manipulation possible

External Token Risks:

△ Trust assumption: Contract trusts token.balanceOf() returns accurate values
△ Availability: If token contract is paused or broken, entire system halts
△ Manipulation: If token allows balance manipulation, reward shares can be gamed
△ Gas: Token could have high gas costs, making operations expensive
△ Malicious: Token could be malicious contract that always reverts

Observed Validations:

☒ No check that token address is a valid contract during initialization
☒ No check that token implements ERC20 interface
☒ No fallback if token queries fail
☒ Token address cannot be changed after initialization

Fee Mechanism Risks (Added v1.0.0)

Priority Snapshot Fee Flow

The March 2026 upgrade introduced a priority snapshot mechanism where users pay ETH (currently 0.005 ETH) to trigger immediate balance snapshots.

ATTRIBUTE	VALUE
Fee amount	0.005 ETH (configurable by admin)
Fee recipient	`0xe1f3fbb1...37264a84` (EOA)
Fee cap	1000 ETH maximum (per error string)
Revenue destination	Fee recipient, not reward pool

Concerns:

△ Fee revenue flows to an EOA, not the reward pool — this is revenue extraction, not reward funding
△ Admin can change the fee recipient at any time without timelock
△ Admin can increase the fee up to 1000 ETH without timelock
△ No transparency mechanism for fee accounting
△ Fee recipient is an EOA with no on-chain governance

Observed Transaction Data:

Multiple transactions sending 0.005 ETH via selector 0x8bd94199 confirm active usage of the priority snapshot function. The fee recipient EOA (0xe1f3fbb1...37264a84) has no code deployed — it is a standard wallet.

Economic Risks

Underfunding

Can contract run out of funds?

Yes. Reward pool is depleted as users claim. If operators don't deposit more rewards, pool goes to zero.

What happens:

Claim transactions revert with "Insufficient reward pool"
Users cannot deregister if they have pending rewards (reverts during auto-claim)
Operator must deposit more rewards to restore functionality

Mitigations:

☒ None observed in code
System depends entirely on operators depositing funds

Zero Reward Distribution (as of 2026-03-29)

Despite 602 registered participants with ~633 million XCL in tracked balances, the contract has:

Zero ETH in the reward pool
Zero ETH total distributed
Zero ETH contract balance

This means no operator has ever deposited rewards since the contract was deployed on December 8, 2025 — over 3 months ago. Users are registering and paying gas fees (and in some cases 0.005 ETH snapshot fees) for a system that has never produced returns. Whether this represents a pre-launch preparation phase or a more concerning pattern depends on context not available from the code alone.

Overfunding

Can excess funds be extracted?

Yes, by admin via emergency withdrawal after 24-hour timelock. Reward pool accounting is separate from actual ETH balance.

Risks:

ETH sent directly to contract (not via depositRewards) not tracked in reward pool
Admin could extract this "untracked" ETH
Admin could extract legitimate reward pool funds

Price Manipulation

Any price oracle dependencies?

No. Contract does not use any price feeds.

Manipulation risks:

If external token allows flash loans or temporary balance inflation, attacker could:

Inflate balance
Register or update snapshot
Claim disproportionate rewards
Deflate balance

Mitigations:

☑ Snapshot interval rate-limits balance updates (default 1 hour)
☑ Registration requires sustained balance over block boundaries
☒ No flash loan protection
☒ No balance verification across multiple blocks

Game Theory

Incentive misalignments:

ISSUE	DESCRIPTION
Sybil resistance	None - user can split tokens across multiple addresses
Snapshot gaming	Users incentivized to maximize balance just before snapshots
First mover advantage	Early registrants with high balances get more rewards
Balance update incentive	Users must manually update balances (gas cost)
Operator incentive	Operators have no direct incentive to deposit rewards
Registration timing	When registration closed, existing users have monopoly

Technical/Security Risks

Complexity Level: Medium

Complex Areas:

Reward accounting math:
- Uses fixed-point arithmetic with 10^18 scaling
- Reward debt calculation spans multiple functions
- Risk of rounding errors or overflow
Array management:
- Participant array compaction during deregistration
- Index tracking in separate mapping
- Risk of index corruption if not synchronized
Multi-mapping state:
- User state spread across 8+ mappings
- Must all stay in sync
- Partial updates could leave inconsistent state
Timelock system:
- Complex nested mapping for different action types
- Multiple parameters encoded in hash
- Risk of hash collisions or incorrect parameter passing

Reentrancy Potential: High Risk

Multiple functions make external calls (ETH transfers, token queries) before state updates complete.

Vulnerable functions:

FUNCTION	ISSUE
`claimRewards()`	Updates state after ETH transfer
`deregister()`	Updates state after claim
`updateBalanceSnapshot()`	Updates state after claim
Emergency withdrawal	Could be attacked if recipient is contract

Reentrancy Attack Scenario:

1. Attacker registers with minimal balance
2. Attacker calls claimRewards()
3. Contract calculates pending rewards
4. Contract transfers ETH to attacker
5. Attacker's receive() function calls claimRewards() again
6. Contract hasn't updated rewardDebt yet
7. Attacker receives rewards twice
8. Contract updates rewardDebt (too late)

Mitigation status:

☒ No checks-effects-interactions pattern consistently applied
☒ No ReentrancyGuard modifier observed
☒ State updates occur after external calls in several functions

Observed Safety Features

Positive:

☑ 24-hour timelocks on admin transfers, operator removal, parameter changes, emergency withdrawals
☑ Two-step admin transfer (queue + accept)
☑ Transparent proxy pattern prevents selector clashes
☑ Registration closed by default
☑ Multiple pause mechanisms (global, per-user, blacklist)
☑ Snapshot interval rate limiting
☑ Initialized flag prevents re-initialization
☑ Balance tracking validation
☑ Solvency checks before transfers
☑ Event emissions for transparency

Missing:

☒ No reentrancy guards
☒ No timelock on proxy upgrades
☒ No multisig requirement
☒ No pause on individual functions (all-or-nothing)
☒ No maximum operator count
☒ No limits on admin powers (manual balance updates unlimited)
☒ No validation of external token contract
☒ No flash loan protection
☒ No audit results referenced

Trust Assumptions

To use this contract safely, users must trust:

Proxy Admin

Will not upgrade to malicious implementation
Will not instantly rug pull (no timelock on upgrades)
May or may not be same address as implementation admin

Implementation Admin

Will not use emergency withdrawal to steal funds (24-hour warning)
Will not manipulate user balances maliciously
Will not abuse timelock cancel to prevent legitimate operations
Will not grant operator role to malicious addresses
Will use manual balance update function responsibly

Operators

Will deposit rewards regularly for system to function
Will not abuse pause functionality to deny service
Will not blacklist or force-deregister users arbitrarily
Will not close registration unfairly

External Token Contract

Returns accurate balances
Will not be paused or broken
Is not malicious (could DOS entire system)
Cannot be changed once initialized

Economic Model

Operators will continue to fund rewards
Token balances reflect legitimate holdings, not flash loans
System will maintain solvency

Code Correctness

Decompiled code accurately represents deployed bytecode
Reward accounting math is correct
No hidden functions or backdoors
Array management doesn't corrupt indices

Questions for Team/Community

Governance

Who is the admin address? Is it a multisig?
Is the proxy admin the same as the implementation admin?
Who are the operators? How are they selected?
Is there a timelock on proxy upgrades planned?
Are there plans to decentralize governance?

Technical

What is the address of the external token contract?
Has reentrancy been addressed in the deployed bytecode?
Where do the ETH rewards come from?
How often are global snapshots triggered?

Security

Has this contract been professionally audited?
Is there a bug bounty program?
Is the contract monitored for suspicious activity?
Have there been any security incidents?

Economic

What is the source of ETH rewards?
Is there a schedule for reward deposits?
How long can the reward system be sustained?
Why have zero rewards been deposited after 3+ months of operation?
Where do priority snapshot fees go and how are they accounted for?
Who controls the fee recipient address?
Why was the implementation upgraded twice in 16 minutes?