# Consolidated AI Audit

**Last updated:** March 2026 — v3.2 audit fixes applied (GROK-M01, GPT-R3-3, GROK-L02, QWEN-I03)

**Contracts:** evently.sol v5.4 · EventlyProfiles.sol v1.3 · EventlyMarketsV3.sol v3.2 (LMSR b=200 + CLOB bids/asks)

**Chain:** MegaETH (Chain ID 4326) — Solidity ^0.8.20

***

## Audit Overview

All three evently smart contracts underwent multi-round security review using 7 AI audit engines. Each AI performed a 3-round systematic audit: vulnerability scanning, economic analysis, and triage with fix recommendations.

| AI Tool         | Contracts                  | Findings | Critical | High | Medium | Low | Info |
| --------------- | -------------------------- | -------- | -------- | ---- | ------ | --- | ---- |
| Claude Opus 4.6 | v5.4 · v1.3 · V3 LMSR+CLOB | 6        | 0        | 0    | 1      | 4   | 1    |
| GPT-4o          | v5.4 · v1.3 · V3 LMSR+CLOB | 13       | 2        | 4    | 5      | 0   | 2    |
| Gemini 1.5 Pro  | v5.4 · v1.3 · V3 LMSR+CLOB | 9        | 1        | 2    | 2      | 2   | 2    |
| Grok (xAI)      | v5.4 · v1.3 · V3 LMSR+CLOB | 6        | 0        | 0    | 1      | 2   | 3    |
| DeepSeek R1     | v5.4 · v1.3 · V3 LMSR+CLOB | 7        | 0        | 1    | 2      | 2   | 2    |
| Qwen3.5         | v5.4 · v1.3 · V3 LMSR+CLOB | 4        | 0        | 0    | 0      | 1   | 3    |
| Perplexity      | v5.4 · v1.3 · V3 LMSR+CLOB | —        | —        | —    | —      | —   | —    |

***

## Cross-Tool Finding Consensus

The following findings were surfaced by **multiple independent tools** — highest confidence:

| Finding                                                                    | Tools                          | Severity consensus | Status                                                       |
| -------------------------------------------------------------------------- | ------------------------------ | ------------------ | ------------------------------------------------------------ |
| Missing `nonReentrant` on `resolveMarket` / `cancelMarket` / `slashMarket` | Claude, DeepSeek, Qwen, Gemini | Low                | **Resolved — nonReentrant added (L-01)**                     |
| Dead CLOB entries can block new orders after cancellation                  | DeepSeek, GPT-4o               | High               | **Resolved — \_cleanBook in cancelOrder (F-DS-M02)**         |
| `optionSupply` not updated on peer ERC-1155 transfers                      | Claude, GPT-4o                 | Low–Medium         | **Acknowledged — by design, math correct**                   |
| `subsidyDeposited` locked on market cancellation                           | Grok, DeepSeek                 | Medium             | **Resolved — included in claimCancelRefund pool (GROK-M01)** |
| `slashMarket` cannot handle `Disputed` status — dispute collateral stuck   | GPT-4o, Gemini                 | Medium             | **Resolved — Disputed added to slashMarket (GPT-R3-3)**      |
| View functions return silent zeros for nonexistent marketId                | Grok                           | Low                | **Resolved — createdAt != 0 guard added (GROK-L02)**         |
| `closeBetting` emits no event                                              | Qwen, Gemini                   | Info               | **Resolved — BettingClosed event added (QWEN-I03)**          |
| Outdated NatSpec (CPMM references, P2P sell-only description)              | Grok                           | Info               | **Resolved — NatSpec updated to LMSR + CLOB**                |
| LMSR `exp()` overflow threshold at `q/b ≈ 133`                             | Qwen, GPT-4o                   | Info               | **Acknowledged — cap enforced, documented**                  |
| `quoteBuy` binary search conservative flooring                             | Claude, Grok, DeepSeek         | Low                | **Acknowledged — < 0.001 share impact**                      |
| Creator front-runs `settleDispute` to claim fees before slash              | GPT-4o                         | High               | **Resolved — Finalized guard on claimCreatorFees (R2-2)**    |

***

## Consolidated Findings & Status

### Must Fix Before Deployment

*No remaining open blockers.*

### Previously Fixed (Confirmed by All Tools)

| ID       | Severity | Contract         | Title                                                              | Status                                                              |
| -------- | -------- | ---------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------- |
| F-01     | Critical | EventlyProfiles  | `setAuthorizedCaller` always set true                              | **Fixed in v1.3**                                                   |
| F-02     | Critical | EventlyMarketsV3 | `claimCancelRefund` double-counted burned shares                   | **Resolved**                                                        |
| A-03     | Medium   | EventlyMarketsV3 | Order book no cap — O(n) DoS on buy                                | **Resolved — MAX\_ORDERS\_PER\_BOOK = 200**                         |
| F-05     | High     | evently          | `clickFree` did not update `lastClicker`                           | **Fixed in v5.4**                                                   |
| F-12     | Low      | evently          | Treasury hard-revert in `_processClick`                            | **Fixed in v5.4**                                                   |
| F-DS-M02 | High     | EventlyMarketsV3 | Dead CLOB entries permanently block new orders                     | **Resolved — \_cleanBook called in cancelOrder**                    |
| R2-2     | High     | EventlyMarketsV3 | Creator front-runs dispute to claim fees before slash              | **Resolved — claimCreatorFees requires Finalized**                  |
| L-01     | Low      | EventlyMarketsV3 | `resolveMarket`, `cancelMarket`, `slashMarket` lacked nonReentrant | **Resolved — nonReentrant added**                                   |
| GROK-M01 | Medium   | EventlyMarketsV3 | `subsidyDeposited` permanently locked on cancel/slash              | **Resolved — included in claimCancelRefund effective pool**         |
| GPT-R3-3 | Medium   | EventlyMarketsV3 | `slashMarket` couldn't handle `Disputed` status — 50 USDm stuck    | **Resolved — Disputed added; dispute collateral swept to treasury** |
| GROK-L02 | Low      | EventlyMarketsV3 | View functions silently returned zeros for nonexistent markets     | **Resolved — createdAt != 0 guard on all views**                    |
| QWEN-I03 | Info     | EventlyMarketsV3 | `closeBetting` emitted no event                                    | **Resolved — BettingClosed event added**                            |
| G-I01    | Info     | EventlyMarketsV3 | Outdated NatSpec — CPMM/P2P references                             | **Resolved — NatSpec updated**                                      |

### Acknowledged — By Design

| ID    | Severity | Contract         | Title                                         | Rationale                         |
| ----- | -------- | ---------------- | --------------------------------------------- | --------------------------------- |
| A-01  | Low      | EventlyMarketsV3 | `quoteSell` rounding loss near MIN\_TRADE     | \~0.1% max, acceptable            |
| A-02  | Low      | EventlyMarketsV3 | `optionSupply` not updated on peer transfers  | Tracks total minted; math correct |
| A-04  | Low      | EventlyMarketsV3 | `settleDispute` creator collateral accounting | Logic correct                     |
| A-05  | Low      | EventlyMarketsV3 | `_cancelAllOrders` unbounded gas              | Low risk on MegaETH               |
| A-06  | Info     | EventlyMarketsV3 | Empty ERC-1155 URI                            | URI added pre-deployment          |
| Q-I03 | Info     | EventlyMarketsV3 | `whitelistedCount` never read on-chain        | Informational only                |

### Disputed / False Positives

| ID       | Tool   | Finding                                                | Verdict                                                                                                                                                                   |
| -------- | ------ | ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| GPT-R2-1 | GPT-4o | "LMSR pool + subsidy may not cover max winning payout" | **False positive** — LMSR solvency is mathematically guaranteed: `poolBalance + subsidyDeposited = C(q) ≥ q_winner`. Proven formally in Claude audit.                     |
| GPT-R3-1 | GPT-4o | "`optionSupply` desync causes over-refunds on cancel"  | **Partially false** — `claimCancelRefund` uses `optionSupply`, which IS updated on burn. Peer transfers don't affect cancel refund math.                                  |
| GEM-C01  | Gemini | "P2P shares create insolvency gap"                     | **Not applicable** — P2P replaced by CLOB. CLOB fills use escrowed shares (SELL) or escrowed USDm (BUY); AMM fills mint new shares backed by net USDm. No insolvency gap. |

***

## Architecture Change: P2P → CLOB

EventlyMarketsV3 has been migrated from a **P2P sell-only order book** to a full **Central Limit Order Book (CLOB)** with bids and asks:

|                    | Previous (P2P)                 | Current (CLOB)                            |
| ------------------ | ------------------------------ | ----------------------------------------- |
| Order types        | SELL only                      | BUY and SELL                              |
| Matching           | Manual (buyer calls buyShares) | Automatic on placeOrder                   |
| Price priority     | Ascending ask price            | Price-time priority (best price, FIFO)    |
| Dead entry cleanup | On buyShares only              | Immediately on cancelOrder (F-DS-M02 fix) |
| AMM integration    | AMM fallback after P2P fills   | AMM fallback for unmatched BUY budget     |
| Liquidity source   | Sellers + AMM                  | Bidders + Askers + AMM (LMSR)             |

The LMSR AMM is retained as market maker of last resort, providing baseline liquidity independent of CLOB depth. This is the recommended design for projects with early-stage volume.

***

## Reentrancy Surface (Consolidated)

All 7 audits confirmed no exploitable reentrancy in active trading paths.

| Function                                                                                                                                                  | Guard                | Consensus                               |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | --------------------------------------- |
| `placeOrder`, `sellToAMM`, `redeemWinnings`, `claimCancelRefund`, `claimCreatorFees`, `disputeMarket`, `settleDispute`, `cancelOrder`, `burnLosingShares` | `nonReentrant` + CEI | ✅ Safe                                  |
| `resolveMarket`, `cancelMarket`, `slashMarket`                                                                                                            | `nonReentrant` + CEI | ✅ **Fixed — nonReentrant added (L-01)** |

***

## Economic Analysis Summary

### Market Solvency (EventlyMarketsV3 LMSR) — SOLVENT

* Mathematical proof: `poolBalance + subsidyDeposited = C(q) ≥ max(q[i]) = q_winner`
* 1 winning share pays exactly 1 USDm — no pro-rata rounding
* `redeemWinnings` draws from `poolBalance` first, then `subsidyDeposited`
* `claimCancelRefund` uses pre-burn snapshot (F-02 fix)
* CLOB fills do not affect LMSR solvency: BUY orders escrow USDm, SELL orders escrow shares
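
A numerical check of the solvency identity in the bullets above, added here as an illustration and not taken from the audited contracts or from any of the audits. It assumes the standard LMSR cost function `C(q) = b * ln(sum_i exp(q_i / b))`, a creator subsidy equal to `C(0) = b * ln(n)`, and floating-point arithmetic in place of the contract's fixed-point math; `lmsr_cost` and `simulate` are hypothetical names.

```python
import math
import random

B = 200.0  # liquidity parameter from the page header (LMSR b=200)

def lmsr_cost(q, b=B):
    """C(q) = b * ln(sum_i exp(q_i / b)).

    The largest q_i is factored out of the sum, so exp() only ever sees
    arguments <= 0 and cannot overflow, whatever q/b is. The same
    rearrangement shows C(q) >= max(q): the sum contains exp(0) = 1 for the
    largest outcome, so the log term is never negative.
    """
    m = max(q)
    return m + b * math.log(sum(math.exp((qi - m) / b) for qi in q))

def simulate(n_outcomes=3, n_trades=500, seed=1, b=B):
    """Run random buys and sells against the AMM.

    Returns (worst_margin, pool, subsidy, q), where worst_margin is the
    smallest value of (pool + subsidy) - max(q) seen during the run. A
    negative margin would mean the winning side could not be paid 1:1.
    """
    rng = random.Random(seed)
    q = [0.0] * n_outcomes
    subsidy = lmsr_cost(q, b)   # assumption: creator deposits C(0) = b*ln(n)
    pool = 0.0                  # net USDm paid in by traders
    worst = subsidy - max(q)
    for _ in range(n_trades):
        i = rng.randrange(n_outcomes)
        delta = rng.uniform(-50.0, 150.0)   # constructed trade sizes
        delta = max(delta, -q[i])           # cannot sell more than is outstanding
        before = lmsr_cost(q, b)
        q[i] += delta
        pool += lmsr_cost(q, b) - before    # buys add to the pool, sells remove
        worst = min(worst, pool + subsidy - max(q))
    return worst, pool, subsidy, q

if __name__ == "__main__":
    worst, pool, subsidy, q = simulate()
    print(f"subsidy={subsidy:.4f} pool={pool:.4f} C(q)={lmsr_cost(q):.4f}")
    print(f"max(q)={max(q):.4f} worst margin={worst:.6f}")
```

The margin shrinks toward zero as one outcome dominates, which is why on-chain fixed-point rounding in `C(q)` must favor the pool rather than the trader.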

### Pot Solvency (evently.sol) — SOLVENT

* Direct clicks: 85% to pot, 10% treasury, 5% referral
* Credit clicks: exact 85% backing from `buyCredits()` deposit

***

## Contract Versions

| Contract             | Address                                      | Version        | Fixes Applied                                                                   |
| -------------------- | -------------------------------------------- | -------------- | ------------------------------------------------------------------------------- |
| evently.sol          | `0x051B5a8B20F3e49E073Cf7A37F4fE2e5117Af3b6` | v5.4           | F-05, F-12                                                                      |
| EventlyProfiles.sol  | `0x9F0708145BCCD1F5B16F610cB8a75A63fA4A9a24` | v1.3           | F-01                                                                            |
| EventlyMarketsV3.sol | *Pending deployment*                         | v3.2 LMSR+CLOB | F-02, A-03, F-DS-M02, R2-2, L-01, G-I01, GROK-M01, GPT-R3-3, GROK-L02, QWEN-I03 |

***

## Next Steps

1. **25 automated tool audits** (Slither, Mythril, Aderyn, Echidna, Halmos, etc.)
2. **Professional audit engagement** — shortlist: Cyfrin, OtterSec, Sherlock, Spearbit
3. **Keeper bot implementation** — monitor `MarketFinalized` events, call `burnLosingShares` after 24h
4. **Deployment** of EventlyMarketsV3 (LMSR + CLOB) on MegaETH mainnet

***

*This page documents a pre-audit AI security review. It does not replace a professional security audit.*
