# AI Analysis (multi-tool)

**Tool:** Claude (multi-tool simulation — Slither · Mythril · Aderyn · Solhint · SmartCheck · Securify) **Type:** Multi-tool AI simulation + vulnerability analysis **Contracts reviewed:** evently.sol v5.4 · EventlyProfiles.sol v1.3 · EventlyMarketsV3.sol v3.0 (LMSR) **Date:** March 2026 **Status:** Complete

***

## Summary

The three evently contracts were analyzed by simulating the output of six automated security tools. The tools themselves were not run against the compiled artifacts, so the findings below should be re-verified with real Slither/Mythril runs before this report is relied on. **No critical vulnerabilities were found.** The high-severity patterns (reentrancy, integer overflow, access control on funds) were reviewed and no instance was identified.

**No production blockers identified.**

***

## Findings

| ID  | Severity | Contract         | Title                                                     | Status                                             |
| --- | -------- | ---------------- | --------------------------------------------------------- | -------------------------------------------------- |
| #01 | Medium   | EventlyProfiles  | `recordSwap()` — missing access control                   | Fixed — v1.3: authorizedCallers + require          |
| #02 | Info     | EventlyProfiles  | `withdrawFees()` — owner pulls profile fees               | By design                                          |
| #03 | Low      | EventlyProfiles  | Leaderboard update — O(n) gas scaling                     | Acknowledged — view function only                  |
| #04 | Low      | EventlyProfiles  | Username case-sensitivity inconsistency                   | Fixed — v1.3: `_toLower()` applied                 |
| #05 | Low      | EventlyProfiles  | `checkNFTHoldings()` — double `balanceOf` call            | Fixed — v1.3: refactored NFT check                 |
| #06 | Low      | EventlyProfiles  | `allPlayers` — unbounded array                            | Acknowledged                                       |
| #07 | Medium   | evently          | `_shouldEnd()` — on-chain pseudo-randomness               | By design (VRF roadmap)                            |
| #08 | Medium   | evently          | `_endGame()` — no `address(0)` guard on winner            | Fixed — v5.4: guard added, resets without transfer |
| #09 | Medium   | evently          | `dailyCheckIn()` — treasury call failure not handled      | Fixed — v5.4: accumulate pattern, no revert        |
| #10 | Medium   | evently          | Bonus click accounting — implicit insolvency assumption   | Fixed — v5.4: gameActive guard in loop             |
| #11 | Low      | evently          | Timer expiry — no auto-trigger mechanism                  | Frontend handles                                   |
| #12 | Info     | evently          | `creditBalance` intentional accounting model              | By design                                          |
| #13 | Medium   | EventlyMarketsV3 | Order book griefing — no `MAX_ORDERS` cap                 | Fixed — `MAX_ORDERS_PER_BOOK = 200`                |
| #14 | Low      | EventlyMarketsV3 | LMSR `quoteSell` rounding on small trades near `MIN_TRADE` | Acknowledged — \~0.1% max, acceptable              |
| #15 | Info     | EventlyMarketsV3 | Empty ERC-1155 URI — no metadata for position tokens      | In resolution — URI added pre-deployment           |

***

## Finding Detail

### #01 — `recordSwap()` Missing Access Control

**Severity:** Medium **Contract:** EventlyProfiles.sol

`recordSwap()` could be called by any address, allowing arbitrary inflation of swap points and volume stats without actual swap activity.

**Fix:**

```solidity
modifier onlyAuthorized() {
    require(authorizedCallers[msg.sender], "Not authorized");
    _;
}
function recordSwap(address player, uint256 volumeUsdCents) external onlyAuthorized { ... }
```

**Status:** Fixed — v1.3

***

### #07 — On-Chain Pseudo-Randomness

**Severity:** Medium **Contract:** evently.sol

`_shouldEnd()` uses `block.timestamp`, `block.prevrandao`, `msg.sender`, `clickCount`, and a `_nonce` to determine random game end. On MegaETH, block producers can observe the entropy sources before finalizing a block.

**Status:** By design. The economic value extractable via manipulation is bounded by the click cost and timing constraints. VRF integration is on the roadmap for future versions.

***

### #08 — `_endGame()` address(0) Winner

**Severity:** Medium **Contract:** evently.sol

If `checkTimerExpiry()` is called before any click is placed in a round (`lastClicker == address(0)`), `_endGame()` would attempt to send the pot to `address(0)`. Because `_endGame()` resets state before the external call, the pot would have been burned rather than carried into the next round.

**Fix:**

```solidity
if (lastClicker == address(0)) {
    return; // No winner — no transfer
}
```

**Status:** Fixed — v5.4. Per the status entry, the round state is still reset when there is no winner; the guard only skips the transfer. The early `return` above must therefore sit after (or include) that reset, otherwise an expired round with no clicks never advances.

***

### #09 — Treasury Call Failure in `dailyCheckIn()`

**Severity:** Medium **Contract:** evently.sol

The treasury `call` in `dailyCheckIn()` reverted the entire transaction if it failed, so a treasury address that rejects ETH (for example a contract without a `receive()` function) would block all check-ins until the owner replaced it via `setTreasury()`.

**Fix:**

```solidity
(bool sent, ) = treasury.call{value: msg.value}("");
if (!sent) { pendingTreasuryFees += msg.value; }
```

**Status:** Fixed — v5.4
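The accumulate pattern only works if the banked fees have a way out. The following contract is an added example, not evently's code: it shows the full shape of the fix, with the fee banked on failure, an event so the failure is visible off-chain, and an owner-only sweep that forwards the backlog once the treasury has been repaired or replaced. `treasury`, `pendingTreasuryFees`, `dailyCheckIn` and `setTreasury` follow the names in this report; `CHECK_IN_FEE`, `lastCheckIn`, `TreasuryForwardFailed`, `sweepPendingTreasuryFees` and the 30,000 gas bound are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not evently's code): the "accumulate, never revert" pattern
/// for a fee forward that must never be able to block the user-facing action.
contract CheckInFeeForwarder {
    uint256 public constant CHECK_IN_FEE = 0.001 ether; // assumed value
    address public owner;
    address public treasury;
    uint256 public pendingTreasuryFees;
    mapping(address => uint256) public lastCheckIn;

    event TreasuryForwardFailed(address indexed treasury, uint256 amount);

    constructor(address _treasury) {
        require(_treasury != address(0), "Zero treasury");
        owner = msg.sender;
        treasury = _treasury;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    function setTreasury(address _treasury) external onlyOwner {
        require(_treasury != address(0), "Zero treasury");
        treasury = _treasury;
    }

    function dailyCheckIn() external payable {
        require(msg.value == CHECK_IN_FEE, "Wrong fee");
        require(block.timestamp >= lastCheckIn[msg.sender] + 1 days, "Already checked in");
        // Effect first: the check-in is recorded before any external call.
        lastCheckIn[msg.sender] = block.timestamp;

        // Forward the fee with a bounded gas stipend (assumed value) so a treasury
        // that burns gas cannot starve the rest of this function; if the call
        // fails for any reason, bank the fee instead of reverting the check-in.
        (bool sent, ) = treasury.call{value: msg.value, gas: 30_000}("");
        if (!sent) {
            pendingTreasuryFees += msg.value;
            emit TreasuryForwardFailed(treasury, msg.value);
        }
    }

    /// Pull path for banked fees: the owner sweeps them to the current treasury.
    /// The counter is zeroed before the external call (checks-effects-interactions),
    /// and this path is allowed to revert because it is owner-driven, not user-facing.
    function sweepPendingTreasuryFees() external onlyOwner {
        uint256 amount = pendingTreasuryFees;
        require(amount > 0, "Nothing pending");
        pendingTreasuryFees = 0;
        (bool sent, ) = treasury.call{value: amount}("");
        require(sent, "Sweep failed");
    }
}
```

The gas bound is a design choice rather than part of the reported fix: without it, a treasury contract could consume almost all of the forwarded gas and push the check-in into an out-of-gas revert even though the `if (!sent)` branch exists. Whichever variant is used, `pendingTreasuryFees` should be monitored, since a non-zero value means the configured treasury is rejecting funds.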

***

### #13 — Order Book Griefing — No `MAX_ORDERS` Cap

**Severity:** Medium **Contract:** EventlyMarketsV3.sol

`createSellOrder` inserted into a sorted array with O(n) insertion. Without a cap, an attacker could spam thousands of minimum-size sell orders (`MIN_TRADE = 1e15`) so that every subsequent insertion, and the matching loop in `buyShares`, became prohibitively expensive in gas for legitimate users.

**Fix:**

```solidity
uint256 public constant MAX_ORDERS_PER_BOOK = 200;
// in createSellOrder:
require(_orderBook[_marketId][_opt].length < MAX_ORDERS_PER_BOOK, "Order book full");
```

**Status:** Fixed

***

## Reentrancy Analysis

All state-mutating functions were verified for reentrancy:

* `_endGame()`: state (pot, round, lastClicker) reset **before** `winner.call{value}` — CEI compliant
* `claimWinnings()`: `pendingWithdrawals[msg.sender] = 0` before transfer — CEI compliant
* `withdrawCredits()`: `creditBalance[msg.sender] = 0` before transfer — CEI compliant
* `claimReferral()`: balance zeroed before transfer — CEI compliant
* `redeemWinnings()`: shares burned (state updated) before USDm transfer — CEI compliant
* `claimCancelRefund()`: pre-burn snapshot taken before any burn — CEI compliant
* Custom `_locked` mutex applied on all above functions

**Verdict: No reentrancy vulnerabilities found.** Note that the CEI ordering is the primary defence; the `_locked` mutex is defence in depth and does not protect against cross-contract read-only reentrancy, which is out of scope for these contracts since no external contract reads their balances mid-call.
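To make the CEI property above concrete, here is an added example that is not evently's code: the same `claimWinnings()` written with the interaction before the effect (vulnerable), then with the effect first plus the mutex (the shape the analysis credits to the evently functions), and a recipient contract that re-enters on receipt. `pendingWithdrawals` and `_locked` follow the report; `VulnerableVault`, `HardenedVault`, `Reenterer`, `IVault` and `deposit()` are names assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not evently's code. Interaction-before-effect: the external
/// call runs while the caller's balance is still non-zero, so a contract
/// recipient can re-enter claimWinnings() and be paid again.
contract VulnerableVault {
    mapping(address => uint256) public pendingWithdrawals;

    function deposit() external payable {
        pendingWithdrawals[msg.sender] += msg.value;
    }

    function claimWinnings() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "Nothing to claim");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");
        pendingWithdrawals[msg.sender] = 0; // too late: re-entry already happened
    }
}

/// Effects before interactions, with a custom mutex as defence in depth.
contract HardenedVault {
    mapping(address => uint256) public pendingWithdrawals;
    bool private _locked;

    modifier nonReentrant() {
        require(!_locked, "Reentrant call");
        _locked = true;
        _;
        _locked = false;
    }

    function deposit() external payable {
        pendingWithdrawals[msg.sender] += msg.value;
    }

    function claimWinnings() external nonReentrant {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "Nothing to claim");
        pendingWithdrawals[msg.sender] = 0; // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");
    }
}

interface IVault {
    function deposit() external payable;
    function claimWinnings() external;
}

/// Recipient that re-enters from receive(). Against VulnerableVault it drains
/// the contract one claim at a time. Against HardenedVault the nested claim
/// reverts on "Nothing to claim" (balance already zeroed; the mutex would stop
/// it otherwise), that revert bubbles into the outer call's require(ok), and
/// the whole attempt is rolled back.
contract Reenterer {
    IVault public immutable target;

    constructor(IVault _target) {
        target = _target;
    }

    function attack() external payable {
        target.deposit{value: msg.value}();
        target.claimWinnings();
    }

    receive() external payable {
        // Keep re-entering while the vault can still pay another claim.
        if (address(target).balance >= msg.value) {
            target.claimWinnings();
        }
    }
}
```

Deploying both vaults, funding them with a few honest deposits and calling `Reenterer.attack{value: ...}()` against each is the quickest way to see the difference: the vulnerable vault ends with a zero balance, the hardened one reverts the attack and keeps every honest deposit intact.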

***

## Integer Overflow

All contracts use Solidity `^0.8.20`. Overflow/underflow checks are built in for arithmetic, but not for explicit narrowing casts (for example `uint128(x)`) or code inside `unchecked` blocks; no such unsafe casting or unchecked arithmetic was identified. LMSR math uses PRBMath SD59x18 (audited fixed-point library) for `exp` and `ln` operations.

***

## Access Control

| Function                | Protected           | Verified          |
| ----------------------- | ------------------- | ----------------- |
| `pause()` / `unpause()` | `onlyOwner`         | Yes               |
| `setTreasury()`         | `onlyOwner`         | Yes               |
| `updateClickStats()`    | `onlyGame`          | Yes               |
| `updateWinStats()`      | `onlyGame`          | Yes               |
| `withdrawFees()`        | `onlyOwner`         | Yes               |
| `resolveMarket()`       | creator only        | Yes               |
| `settleDispute()`       | `onlyAdmin`         | Yes               |
| `withdrawTreasury()`    | `onlyAdmin`         | Yes               |
| `recordSwap()`          | `authorizedCallers` | **Fixed in v1.3** |
