AI Analysis (multi-tool)

Tool: Claude (multi-tool simulation — Slither · Mythril · Aderyn · Solhint · SmartCheck · Securify)
Type: Multi-tool AI simulation + vulnerability analysis
Contracts reviewed: evently.sol v5.4 · EventlyProfiles.sol v1.3 · EventlyMarketsV3.sol v3.0 (LMSR)
Date: March 2026
Status: Complete


Summary

The three evently contracts were reviewed by an LLM asked to emulate the output of six static-analysis tools (Slither, Mythril, Aderyn, Solhint, SmartCheck, Securify). None of the tools was actually executed, so the findings below are a reasoned review rather than tool output and should be confirmed by running the real tools against the same contract versions. No critical vulnerabilities were found, and no instances of the high-severity patterns checked (reentrancy, integer overflow, missing access control on fund-moving functions) were identified.

No production blockers identified.


Findings

ID  | Severity | Contract         | Title                                                   | Status
#01 | Medium   | EventlyProfiles  | recordSwap() — missing access control                   | Fixed — v1.3: authorizedCallers + require
#02 | Info     | EventlyProfiles  | withdrawFees() — owner pulls profile fees               | By design
#03 | Low      | EventlyProfiles  | Leaderboard update — O(n) gas scaling                   | Acknowledged — view function only
#04 | Low      | EventlyProfiles  | Username case-sensitivity inconsistency                 | Fixed — v1.3: _toLower() applied
#05 | Low      | EventlyProfiles  | checkNFTHoldings() — double balanceOf call              | Fixed — v1.3: refactored NFT check
#06 | Low      | EventlyProfiles  | allPlayers — unbounded array                            | Acknowledged
#07 | Medium   | evently          | _shouldEnd() — on-chain pseudo-randomness               | By design (VRF roadmap)
#08 | Medium   | evently          | _endGame() — no address(0) guard on winner              | Fixed — v5.4: guard added, resets without transfer
#09 | Medium   | evently          | dailyCheckIn() — treasury call failure not handled      | Fixed — v5.4: accumulate pattern, no revert
#10 | Medium   | evently          | Bonus click accounting — implicit insolvency assumption | Fixed — v5.4: gameActive guard in loop
#11 | Low      | evently          | Timer expiry — no auto-trigger mechanism                | Frontend handles
#12 | Info     | evently          | creditBalance intentional accounting model              | By design
#13 | Medium   | EventlyMarketsV3 | Order book griefing — no MAX_ORDERS cap                 | Fixed — MAX_ORDERS_PER_BOOK = 200
#14 | Low      | EventlyMarketsV3 | LMSR quoteSell rounding on small trades near MIN_TRADE  | Acknowledged — ~0.1% max, acceptable
#15 | Info     | EventlyMarketsV3 | Empty ERC-1155 URI — no metadata for position tokens    | In resolution — URI added pre-deployment


Finding Detail

#01 — recordSwap() Missing Access Control

Severity: Medium Contract: EventlyProfiles.sol

recordSwap() had no caller restriction: any address could call it directly and inflate its own (or any user's) swap points and volume statistics without a swap ever having taken place, corrupting the leaderboard and anything else keyed to those stats.

Fix:

Status: Fixed — v1.3
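The v1.3 fix itself is not reproduced on this page. What follows is an added illustration of the authorizedCallers + require pattern the status line describes, written for this review and not taken from EventlyProfiles.sol; the owner bookkeeping, the points formula, the volume guard and the event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of the #01 fix pattern; not EventlyProfiles.sol.
/// recordSwap() and authorizedCallers are the names from the report;
/// everything else (owner, points formula, events) is assumed.
contract AuthorizedCallersExample {
    address public owner;
    mapping(address => bool) public authorizedCallers;   // e.g. the swap router
    mapping(address => uint256) public swapPoints;
    mapping(address => uint256) public swapVolume;

    event AuthorizedCallerSet(address indexed caller, bool allowed);
    event SwapRecorded(address indexed user, uint256 volume, uint256 points);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Only the owner decides which contracts may report swaps, and every
    /// change is logged so a rogue entry is visible on-chain.
    function setAuthorizedCaller(address caller, bool allowed) external onlyOwner {
        require(caller != address(0), "zero caller");
        authorizedCallers[caller] = allowed;
        emit AuthorizedCallerSet(caller, allowed);
    }

    /// Pre-v1.3 shape (the finding): no caller check, so any EOA could call
    /// recordSwap(attacker, hugeVolume) and mint points for free.
    ///
    ///   function recordSwap(address user, uint256 volume) external { ... }

    /// v1.3 shape: the require on authorizedCallers is the fix.
    function recordSwap(address user, uint256 volume) external {
        require(authorizedCallers[msg.sender], "caller not authorized");
        require(user != address(0), "zero user");
        require(volume > 0, "zero volume");

        uint256 points = volume / 1e15;        // assumed points formula
        swapPoints[user] += points;
        swapVolume[user] += volume;
        emit SwapRecorded(user, volume, points);
    }
}
```

A regression test for this finding calls recordSwap() from an address the owner never whitelisted and expects the revert; a second test whitelists a mock router, calls through it, and checks that swapPoints moved by exactly the expected amount. Keep the whitelist owner-controlled and event-logged rather than hard-coding a single router, so a router upgrade does not require redeploying the profiles contract.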


#07 — On-Chain Pseudo-Randomness

Severity: Medium Contract: evently.sol

_shouldEnd() derives the random game-end decision from block.timestamp, block.prevrandao, msg.sender, clickCount and a contract _nonce. Every one of these is known to whoever builds the block before it is finalized. On MegaETH that is the sequencer, which also picks the timestamp and the transaction ordering, so the outcome of a click is predictable to the block producer rather than random.

Status: By design. Manipulation only pays off within the click cost and the round timing, which bounds the value a non-producer can extract. That bound holds only if an unfavorable click cannot be undone, so any path that would let a contract caller observe the round result and revert within the same transaction (paying gas but no click fee) should be ruled out; the sequencer itself is not bounded by the click cost at all. VRF integration is on the roadmap for future versions.


#08 — _endGame() address(0) Winner

Severity: Medium Contract: evently.sol

If checkTimerExpiry() was called before any click had been placed in a round, lastClicker was still address(0) and _endGame() would send the pot there. A low-level call to address(0) succeeds, so the transaction would not revert; the pot would simply be burned.

Fix:

Status: Fixed — v5.4


#09 — Treasury Call Failure in dailyCheckIn()

Severity: Medium Contract: evently.sol

dailyCheckIn() forwarded the check-in fee to the treasury with a call whose failure reverted the whole transaction. A treasury address that rejects ether (a contract with no payable receive/fallback, or one whose receive reverts) would therefore block every check-in until setTreasury() was called, turning a misconfiguration or a compromised treasury into a denial of service on the game.

Fix:

Status: Fixed — v5.4
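The v5.4 code is not shown on this page. The following is an added illustration of the "accumulate, don't revert" pattern described by the status line, written for this review and not taken from evently.sol; the fee amount, the gas stipend on the treasury call, the pendingTreasury name and the permissionless sweep function are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of the #09 accumulate pattern; not evently.sol.
/// The fee, the 30k gas stipend, pendingTreasury and sweepPendingTreasury()
/// are assumptions made for this illustration.
contract TreasuryAccumulateExample {
    uint256 public constant CHECK_IN_FEE = 0.001 ether;   // assumed
    uint256 public constant TREASURY_GAS = 30_000;        // assumed stipend

    address public owner;
    address public treasury;
    uint256 public pendingTreasury;                 // fees the treasury refused
    mapping(address => uint256) public lastCheckInDay;

    event CheckedIn(address indexed user, uint256 day);
    event TreasuryPaid(uint256 amount);
    event TreasuryDeferred(uint256 amount);

    constructor(address initialTreasury) {
        require(initialTreasury != address(0), "zero treasury");
        owner = msg.sender;
        treasury = initialTreasury;
    }

    function setTreasury(address newTreasury) external {
        require(msg.sender == owner, "not owner");
        require(newTreasury != address(0), "zero treasury");
        treasury = newTreasury;
    }

    /// Pre-v5.4 shape (the finding): a treasury that rejects ether reverts
    /// every check-in until setTreasury() is called.
    ///
    ///   (bool ok, ) = treasury.call{value: msg.value}("");
    ///   require(ok, "treasury transfer failed");

    function dailyCheckIn() external payable {
        require(msg.value == CHECK_IN_FEE, "wrong fee");
        uint256 today = block.timestamp / 1 days;
        require(lastCheckInDay[msg.sender] < today, "already checked in today");

        // Effects first: the check-in is recorded whatever the treasury does.
        lastCheckInDay[msg.sender] = today;
        emit CheckedIn(msg.sender, today);

        // Interaction last, with a bounded stipend so the treasury cannot burn
        // the caller's gas. A failure is parked, not propagated.
        (bool ok, ) = treasury.call{value: msg.value, gas: TREASURY_GAS}("");
        if (ok) {
            emit TreasuryPaid(msg.value);
        } else {
            pendingTreasury += msg.value;
            emit TreasuryDeferred(msg.value);
        }
    }

    /// Anyone can retry delivery once the treasury is fixed. The balance is
    /// zeroed before the call (CEI); a revert restores it automatically.
    function sweepPendingTreasury() external {
        uint256 amount = pendingTreasury;
        require(amount > 0, "nothing pending");
        pendingTreasury = 0;
        (bool ok, ) = treasury.call{value: amount}("");
        require(ok, "treasury still rejecting");
        emit TreasuryPaid(amount);
    }
}
```

The TreasuryDeferred event is the operational signal: alert on it, because a run of deferrals means the treasury is misconfigured or compromised, and the parked balance is only as safe as setTreasury() is. The gas stipend is a deliberate trade-off: a treasury with an expensive receive() will land in the deferred path rather than raising the cost of every check-in.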


#13 — Order Book Griefing — No MAX_ORDERS Cap

Severity: Medium Contract: EventlyMarketsV3.sol

createSellOrder() inserts each order into a price-sorted array (an O(n) shift per insertion), and buyShares() walks that array. With no cap, an attacker could post thousands of minimum-size sell orders (MIN_TRADE = 1e15) and make buyShares() prohibitively expensive, or push it past the block gas limit, for legitimate buyers.

Fix:

Status: Fixed
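The fixed createSellOrder() is not reproduced here. The following is an added illustration of a capped sorted order book, written for this review and not taken from EventlyMarketsV3.sol; the Order struct, the marketId/outcome book layout, the custom error and cancelSellOrder() are assumptions, while MAX_ORDERS_PER_BOOK and MIN_TRADE take the values the report states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of the #13 fix (MAX_ORDERS_PER_BOOK); not EventlyMarketsV3.sol.
/// The Order struct, the book layout and cancelSellOrder() are assumptions.
contract OrderBookCapExample {
    uint256 public constant MAX_ORDERS_PER_BOOK = 200;   // from the report
    uint256 public constant MIN_TRADE = 1e15;            // from the report

    struct Order {
        address seller;
        uint256 shares;
        uint256 price;      // collateral per share; the book is ascending in price
    }

    // marketId => outcome => sell orders sorted by ascending price
    mapping(uint256 => mapping(uint8 => Order[])) internal books;

    event SellOrderCreated(uint256 indexed marketId, uint8 indexed outcome, address indexed seller, uint256 index);
    event SellOrderCancelled(uint256 indexed marketId, uint8 indexed outcome, uint256 index);

    error BookFull(uint256 marketId, uint8 outcome);

    function createSellOrder(uint256 marketId, uint8 outcome, uint256 shares, uint256 price)
        external
        returns (uint256 index)
    {
        require(shares >= MIN_TRADE, "below MIN_TRADE");
        require(price > 0, "zero price");
        Order[] storage book = books[marketId][outcome];

        // The fix: bound the array so buyShares() can never be forced past a
        // known gas ceiling. Without this check the loop below is the griefing vector.
        if (book.length >= MAX_ORDERS_PER_BOOK) revert BookFull(marketId, outcome);

        // Sorted insertion: shift higher-priced orders up one slot. O(n), n <= 200.
        book.push(Order(msg.sender, shares, price));
        index = book.length - 1;
        while (index > 0 && book[index - 1].price > price) {
            book[index] = book[index - 1];
            unchecked { --index; }
        }
        book[index] = Order(msg.sender, shares, price);
        emit SellOrderCreated(marketId, outcome, msg.sender, index);
    }

    /// Cancellation must stay cheap and permissionless; otherwise a full book
    /// is a permanent lockout rather than a temporary one.
    function cancelSellOrder(uint256 marketId, uint8 outcome, uint256 index) external {
        Order[] storage book = books[marketId][outcome];
        require(index < book.length, "bad index");
        require(book[index].seller == msg.sender, "not your order");
        for (uint256 i = index; i + 1 < book.length; i++) {
            book[i] = book[i + 1];
        }
        book.pop();
        emit SellOrderCancelled(marketId, outcome, index);
    }

    function bookLength(uint256 marketId, uint8 outcome) external view returns (uint256) {
        return books[marketId][outcome].length;
    }
}
```

The cap turns an unbounded O(n) into a bounded one, so the remaining check is a gas test of buyShares() against a full 200-order book to confirm the ceiling is comfortably under the block gas limit. Note what the cap does not do: 200 minimum-size orders still let one actor occupy the entire book for a market cheaply, so a per-order fee or a value-based minimum order size is the usual companion control.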


Reentrancy Analysis

All state-mutating functions that make external calls were checked for checks-effects-interactions (CEI) ordering:

  • _endGame(): state (pot, round, lastClicker) reset before winner.call{value} — CEI compliant

  • claimWinnings(): pendingWithdrawals[msg.sender] = 0 before transfer — CEI compliant

  • withdrawCredits(): creditBalance[msg.sender] = 0 before transfer — CEI compliant

  • claimReferral(): balance zeroed before transfer — CEI compliant

  • redeemWinnings(): shares burned (state updated) before USDm transfer — CEI compliant

  • claimCancelRefund(): pre-burn snapshot taken before any burn — CEI compliant

  • A custom _locked mutex is applied to all of the above as a second layer

The mutex is hand-rolled rather than a library guard, so two things should be checked whenever the contracts change: the modifier releases the lock on every non-reverting path, and every new fund-moving function carries it, since a mutex protects only the functions that opt in. The CEI ordering, not the mutex, is the primary defence.

Verdict: No reentrancy vulnerabilities found.
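To make the ordering concrete, here is an added example covering the patterns checked above together with the #08 guard: _endGame() resets round state before the winner call, claimWinnings() zeroes pendingWithdrawals before paying, and both sit behind a hand-rolled _locked mutex. It is written for this review and is not evently.sol; the round timer, the click() shape, the pull-payment fallback on a failed winner call, and the pot carry-over when no one clicked are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of CEI ordering, the custom _locked mutex and the #08
/// address(0) guard; not evently.sol. Timer, click() and the pull-payment
/// fallback are assumptions.
contract EndGameCeiExample {
    uint256 public constant ROUND_TIMER = 10 minutes;   // assumed

    uint256 public pot;
    uint256 public round;
    address public lastClicker;
    uint256 public deadline;
    bool public gameActive;
    mapping(address => uint256) public pendingWithdrawals;

    bool private _locked;

    event GameEnded(uint256 indexed round, address indexed winner, uint256 prize);
    event RoundReset(uint256 indexed round);

    modifier nonReentrant() {
        require(!_locked, "reentrant call");
        _locked = true;
        _;
        _locked = false;          // released on every non-reverting path
    }

    function click() external payable nonReentrant {
        require(msg.value > 0, "pay to click");
        pot += msg.value;
        lastClicker = msg.sender;
        deadline = block.timestamp + ROUND_TIMER;
        gameActive = true;
    }

    function checkTimerExpiry() external nonReentrant {
        require(gameActive && block.timestamp >= deadline, "round still running");
        _endGame();
    }

    function _endGame() internal {
        address winner = lastClicker;
        uint256 prize = pot;
        uint256 endedRound = round;

        // #08 guard: no click this round, so there is no winner. Reset the round
        // and leave the pot in the contract (assumed carry-over); no transfer.
        if (winner == address(0)) {
            round = endedRound + 1;
            gameActive = false;
            emit RoundReset(endedRound);
            return;
        }

        // Effects: every round variable is reset before the external call.
        pot = 0;
        lastClicker = address(0);
        gameActive = false;
        round = endedRound + 1;

        // Interaction last. A winner that rejects ether does not block the reset;
        // the prize becomes claimable through the pull path instead.
        (bool ok, ) = winner.call{value: prize}("");
        if (!ok) {
            pendingWithdrawals[winner] += prize;
        }
        emit GameEnded(endedRound, winner, prize);
    }

    function claimWinnings() external nonReentrant {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingWithdrawals[msg.sender] = 0;      // zeroed before the transfer
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A reentrancy test for this shape deploys a receiver whose receive() calls back into click() or claimWinnings() during the winner payout: with the ordering above the callback sees pot == 0 and pendingWithdrawals == 0, and the mutex rejects it regardless. The address(0) test calls checkTimerExpiry() on a fresh round after the deadline and asserts that the contract balance is unchanged and round advanced by one.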


Integer Overflow

All three contracts compile with Solidity ^0.8.20, so arithmetic is checked by default and overflow or underflow reverts. Checked arithmetic does not cover code inside unchecked blocks or explicit casts (int256/uint256 conversions and narrowing casts truncate silently rather than revert); the review found no unsafe casting. LMSR pricing uses PRBMath SD59x18, an audited fixed-point library, for exp and ln; its functions revert on out-of-domain inputs instead of wrapping.
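The page does not show the LMSR code. The following is an added example of a two-outcome LMSR quote on PRBMath SD59x18 that makes the points above explicit: the exp() domain as the overflow boundary, a guarded int256-to-uint256 cast, and rounding against the trader in both quoteBuy and quoteSell (the direction finding #14 is about). It is written for this review and is not EventlyMarketsV3.sol; the two-outcome layout, the 18-decimal share unit, the 6-decimal collateral scale and all function names other than MIN_TRADE and quoteSell are assumptions, and the PRBMath v4 import path is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// PRBMath v4 SD59x18: sd() wraps an int256, exp()/ln() are fixed-point, and
// add/div/mul/unwrap are available on the SD59x18 type. Import path assumed.
import { SD59x18, sd, exp, ln } from "@prb/math/src/SD59x18.sol";

/// Added LMSR example; not EventlyMarketsV3.sol. Two outcomes, 18-dec shares
/// and a 6-dec collateral token are assumptions for this illustration.
contract LmsrQuoteExample {
    uint256 public constant MIN_TRADE = 1e15;           // from the report
    uint256 internal constant COLLATERAL_SCALE = 1e12;   // assumed: 18-dec math -> 6-dec USDm

    int256 internal immutable bRaw;    // LMSR liquidity parameter b, 18-dec fixed point
    int256[2] public q;                // outstanding shares per outcome, 18-dec

    constructor(int256 liquidity) {
        require(liquidity > 0, "b must be positive");
        bRaw = liquidity;
    }

    /// C(q) = b * ln( exp(q0 / b) + exp(q1 / b) ).
    /// PRBMath reverts rather than wrapping if q/b leaves exp()'s input domain
    /// (roughly 133.08 in 18-dec units); that revert is the overflow guard on
    /// this path, so b must be sized so no reachable q crosses it.
    function _cost(int256 q0, int256 q1) internal view returns (SD59x18) {
        SD59x18 b = sd(bRaw);
        SD59x18 e0 = exp(sd(q0).div(b));
        SD59x18 e1 = exp(sd(q1).div(b));
        return ln(e0.add(e1)).mul(b);
    }

    function _toSigned(uint256 shares) internal pure returns (int256) {
        // An unchecked uint256 -> int256 cast would silently go negative above 2**255-1.
        require(shares <= uint256(type(int256).max), "shares too large");
        return int256(shares);
    }

    /// Collateral the buyer pays for `shares` of `outcome`, rounded against the trader.
    function quoteBuy(uint8 outcome, uint256 shares) public view returns (uint256 cost) {
        require(outcome < 2, "bad outcome");
        require(shares >= MIN_TRADE, "below MIN_TRADE");
        int256 s = _toSigned(shares);
        int256 before = _cost(q[0], q[1]).unwrap();
        int256 afterBuy = outcome == 0
            ? _cost(q[0] + s, q[1]).unwrap()
            : _cost(q[0], q[1] + s).unwrap();
        // C is increasing in q; check it anyway, because a negative delta cast
        // to uint256 would silently become an enormous price.
        require(afterBuy >= before, "non-monotone cost");
        uint256 delta = uint256(afterBuy - before);
        cost = (delta + COLLATERAL_SCALE - 1) / COLLATERAL_SCALE;   // round up: buyer pays
    }

    /// Collateral the seller receives for `shares` of `outcome`, rounded against the trader.
    function quoteSell(uint8 outcome, uint256 shares) public view returns (uint256 proceeds) {
        require(outcome < 2, "bad outcome");
        require(shares >= MIN_TRADE, "below MIN_TRADE");
        int256 s = _toSigned(shares);
        require(q[outcome] >= s, "more than outstanding");
        int256 before = _cost(q[0], q[1]).unwrap();
        int256 afterSell = outcome == 0
            ? _cost(q[0] - s, q[1]).unwrap()
            : _cost(q[0], q[1] - s).unwrap();
        require(before >= afterSell, "non-monotone cost");
        uint256 delta = uint256(before - afterSell);
        // Round down: the seller absorbs at most one collateral unit per quote,
        // which is the rounding direction #14 accepts on MIN_TRADE-sized sells.
        proceeds = delta / COLLATERAL_SCALE;
    }
}
```

Rounding up on buys and down on sells guarantees the pool can never be drained by a buy-then-sell round trip of the same size; a property test that asserts quoteSell(o, s) <= quoteBuy(o, s) after any sequence of trades is the cheapest way to keep that invariant under review as the math changes.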


Access Control

Function            | Protected by      | Verified
pause() / unpause() | onlyOwner         | Yes
setTreasury()       | onlyOwner         | Yes
updateClickStats()  | onlyGame          | Yes
updateWinStats()    | onlyGame          | Yes
withdrawFees()      | onlyOwner         | Yes
resolveMarket()     | creator only      | Yes
settleDispute()     | onlyAdmin         | Yes
withdrawTreasury()  | onlyAdmin         | Yes
recordSwap()        | authorizedCallers | Fixed in v1.3
