# Pre-Audit Review

The three evently contracts have been scanned with AI-powered security tools, following the methodology from [z0r0z/majeur](https://github.com/z0r0z/majeur/tree/main?tab=readme-ov-file#audits).

Full reports with per-finding review notes are in [`/audit`](https://github.com/isonips/evently-docs/tree/main/audit) on GitHub.

***

## Contracts Reviewed

| Contract             | Version     | Address                                      |
| -------------------- | ----------- | -------------------------------------------- |
| EventlyProfiles.sol  | v1.3        | `0x9F0708145BCCD1F5B16F610cB8a75A63fA4A9a24` |
| evently.sol          | v5.4        | `0x051B5a8B20F3e49E073Cf7A37F4fE2e5117Af3b6` |
| EventlyMarketsV3.sol | v3.0 (LMSR) | TBD (pending deployment)                     |

***

## AI Tool Scan Results

| Auditor                                                                       | Type             | Findings                                                             | Report                                                                   |
| ----------------------------------------------------------------------------- | ---------------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| [Claude Opus 4.6](https://docs.evently.market/audit-reports-ai/claude)        | 3-round AI audit | 1 Medium, 4 Low, 1 Info — no production blockers                     | [claude.md](https://docs.evently.market/audit-reports-ai/claude)         |
| [GPT-5.3](https://docs.evently.market/audit-reports-ai/chatgpt)               | 3-round AI audit | 2 High, 2 Medium, 1 Low — findings documented                        | [chatgpt.md](https://docs.evently.market/audit-reports-ai/chatgpt)       |
| [Gemini 3.1 Pro](https://docs.evently.market/audit-reports-ai/gemini)         | 3-round AI audit | 1 Critical, 1 High, 2 Medium, 2 Low — production blockers identified | [gemini.md](https://docs.evently.market/audit-reports-ai/gemini)         |
| [Perplexity GPT-5.1](https://docs.evently.market/audit-reports-ai/perplexity) | 3-round AI audit | 1 High, 3 Medium, 4 Low — findings documented                        | [perplexity.md](https://docs.evently.market/audit-reports-ai/perplexity) |
| [Grok-4 (xAI)](https://docs.evently.market/audit-reports-ai/grok)             | 3-round AI audit | 1 High, 1 Medium, 1 Low, 1 Info — findings documented                | [grok.md](https://docs.evently.market/audit-reports-ai/grok)             |
| [DeepSeek R1](https://docs.evently.market/audit-reports-ai/deepseek)          | 3-round AI audit | 1 Critical, 1 High, 2 Medium, 1 Low, 2 Info — findings documented    | [deepseek.md](https://docs.evently.market/audit-reports-ai/deepseek)     |
| [Qwen3.5](https://docs.evently.market/audit-reports-ai/qwen)                  | 3-round AI audit | 1 Critical, 1 High, 3 Medium, 1 Low — findings documented            | [qwen.md](https://docs.evently.market/audit-reports-ai/qwen)             |

> Additional tool scans (Slither, Aderyn, Semgrep, Halmos, Echidna, Medusa, Foundry, and cloud tools) are in progress. Reports will be added as they are completed.

***

## Cross-Tool Finding Consensus

The following findings were surfaced by **multiple independent tools** and so carry the highest confidence:

| Finding                                                       | Tools                                     | Severity consensus | Status                                   |
| ------------------------------------------------------------- | ----------------------------------------- | ------------------ | ---------------------------------------- |
| Order book griefing — no cap on sell orders per option        | Claude, multiple                          | Medium             | **Fixed — `MAX_ORDERS_PER_BOOK` = 200**  |
| `claimCancelRefund` insolvency — double-counted burned shares | Multiple                                  | Critical           | **Fixed — pre-burn snapshot**            |
| `_endGame()` address(0) winner edge case                      | Claude, Perplexity                        | Medium             | **Fixed in v5.4**                        |
| Username case-sensitivity inconsistency                       | Claude, ChatGPT, Grok, Perplexity, Gemini | Low–Medium         | **Fixed in v1.3**                        |
| On-chain randomness `_shouldEnd()`                            | All tools                                 | Medium             | **By design (VRF roadmap)**              |
| `allPlayers[]` unbounded array                                | All tools                                 | Low                | **Acknowledged**                         |

***

## Finding Severity Summary (consolidated)

| Severity      | Count | Fixed | False positive | By design / Acknowledged |
| ------------- | ----- | ----- | -------------- | ------------------------ |
| Critical      | 4     | 2     | 2              | 0                        |
| High          | 4     | 3     | 0              | 1                        |
| Medium        | 8     | 4     | 0              | 4                        |
| Low           | 7     | 1     | 0              | 6                        |
| Informational | 5     | 0     | 0              | 5                        |

***

## Fix Log

| ID   | Finding                                          | Severity | Tool(s)  | Status                                   |
| ---- | ------------------------------------------------ | -------- | -------- | ---------------------------------------- |
| F-01 | `setAuthorizedCaller` always set true            | Critical | Multiple | **Fixed in v1.3**                        |
| F-02 | `claimCancelRefund` double-counted burned shares | Critical | Multiple | **Fixed**                                |
| F-03 | Multi-option AMM sell broke invariant            | High     | Multiple | **Superseded — LMSR replaces CPMM**      |
| A-03 | Order book no cap — O(n) DoS on `buyShares`      | Medium   | Claude   | **Fixed — `MAX_ORDERS_PER_BOOK` = 200**  |
| F-05 | `clickFree` did not update `lastClicker`         | High     | Multiple | **Fixed in v5.4**                        |
| F-12 | Treasury hard-revert in `_processClick`          | Low      | Multiple | **Fixed in v5.4**                        |
| F-04 | Redemption rounding favours early redeemers      | High     | Multiple | **N/A — LMSR fixed-payout model**        |
| F-07 | Virtual pool underflow on extreme buys           | Medium   | Multiple | **N/A — LMSR replaces virtual pools**    |
