☕ Clarity Audit Notes

The canonical SIP-010 fungible token trait — Stacks' equivalent of ERC-20. Trait definition only (no executable logic, no vulnerabilities). Reference document explaining the standard, its 7 required functions, and a security checklist for implementors.

February 25, 2026

The foundational modular DAO framework for Stacks — widely forked by ALEX, Charisma, Megapont, aibtcdev. High: blanket as-contract grants unlimited asset authority to proposals/extensions. No emergency shutdown. Unverified sender parameter in execute. Elegant 68-line core with one-time bootstrap and replay protection. Essential Clarity 4 migration guide for forks.

February 25, 2026

ALEX Balancer-style weighted AMM with unequal token weights and EMA oracle. High: silent balance underflow masks insolvency; unbounded fee rates can brick pools. Oracle manipulable with low smoothing. Multi-hop double-fee compounding. Pre-Clarity 4 as-contract. 1,320 lines with inlined log/exp/pow math.

February 25, 2026

Trait-only contract defining 10 interfaces for StackerDAO's modular DAO framework. Zero executable code, zero attack surface. Duplicates canonical SIP-010 and SIP-009 traits (fragments interop). Governance token trait uses non-standard dmg- naming prefix.

February 25, 2026

Core ALEX DEX AMM — hybrid constant-product/constant-sum curve with oracle. High: multi-hop swaps (3-4 hops) have zero slippage protection. Fee rates unbounded; saturating balance subtraction can desync pool state from vault. Pre-Clarity 4 as-contract.

February 25, 2026

ExecutorDAO governance token for ALEX DEX — SIP-010 fungible token with dual-token lock mechanism. No approved-contract removal function (M-03) — once approved, contracts retain mint/burn access permanently. Privileged burn/transfer operate on arbitrary owners without consent. Deployer retains permanent mint/burn approval via hardcoded tx-sender. Mutable decimals could break all integrations.

February 25, 2026

Central custody vault for ALEX — the largest Stacks DEX. Holds all pool liquidity with allowlist-based access control and flash loans. No revocation mechanism for approved contracts (H-01) — once approved, a contract cannot be removed. Pre-Clarity 4 as-contract grants blanket asset authority (H-02). Flash loan missing post-balance verification and re-entrancy guard. Owner correctly set to executor-dao at deployment.

February 25, 2026

Central controller for Zest Protocol lending market (6 vaults, Pyth/DIA oracles, graduated liquidation). No critical or high findings. Exemplary Clarity 4 usage with as-contract? explicit asset allowances. Simplified liquidation curve exponent and edge-case bad debt socialization trigger. One of the best-engineered Clarity contracts audited.

February 24, 2026

Permissionless reputation system — Critical: no access control on increase/decrease-reputation, anyone can set any user's score to any value. No funds at risk (no token transfers). Action tracker disconnected from reputation scoring. Below normal audit threshold (0.75 < 1.8).

February 24, 2026

Minimal timelock contract for scheduling delayed operations. High: no access control — anyone can schedule and execute any operation. Zero-delay bypass defeats timelock purpose. Execute has no side effects (no-op registry). Not suitable for production use.

February 24, 2026

Collateral token parameter registry for Arkadiko Vaults. No funds at risk — pure configuration contract. Missing parameter bounds validation in set-token could allow DAO owner misconfiguration to brick vault operations. Clean minimal design with proper list management.

February 24, 2026

Core vault manager for Arkadiko stablecoin. High: missing owner check in close-vault allows anyone to force-close non-stacking vaults. Permissionless redeem-tokens lets anyone trigger fee distributions. Well-architected orchestration layer with comprehensive trait validation via DAO registry.

February 24, 2026

Thin helper/router for Zest lending protocol. Medium: liquidation event emits debt reserve state as collateral reserve state (copy-paste bug) — misleads off-chain liquidation bots. Clean stateless design with no custody risk. Security delegates to pool-borrow-v2-4.

February 24, 2026

Two-hop swap router for StackSwap DEX. Clean, minimal design — stateless and custody-free. Both hops have user-specified slippage protection (better than most routers). Missing swap deadline enables mempool delay attacks. Companion to stackswap-swap-v5k audit.

February 24, 2026

Charisma DEX stableswap multi-hop router (1-5 pools). Intermediate swaps pass hardcoded u1 min-amount (sandwich vector on multi-hop). Pre-Clarity 4 as-contract blanket authority. Low risk overall — stateless custody-free design with no stored funds.

February 24, 2026

XYK constant-product AMM router. High: get-dx quote uses wrong fee parameters (x-fees instead of y-fees), diverging from actual swap output. Add-liquidity has no max-y-amount bound (sandwich vector). Clean architecture with proper pool registration and slippage protection.

February 24, 2026

Charisma protocol's core ExecutorDAO — manages extensions, proposals, and bootstrap. High: blanket as-contract in Clarity 1 grants unlimited asset authority to proposals. Clean architecture with one-time bootstrap and replay protection, but no emergency shutdown mechanism.

February 25, 2026

Charisma protocol's user-facing batch router for interaction contracts. High: explore panics on partial input — optional parameters are broken by unconditional unwrap-panic in output tuple, forcing all 8 slots. Silent error swallowing prevents failure detection. Minimal attack surface — no state, no funds, no privileges.

February 25, 2026

ALEX protocol's non-transferable auto-compounding power token (SIP-010 with disabled transfers). Medium: mutable decimals breaks fixed-point math; burn allows arbitrary sender targeting without consent. Simple, DAO-governed accounting token — low overall risk.

February 25, 2026

SIP-013 semi-fungible token wrapping SIP-010 assets into "lands" with passive energy generation. Critical: store function calls tap(tx-sender) then writes result to recipient's energy — any incoming transfer permanently destroys the recipient's accumulated energy. Transfer executes state mutations before input validation; pre-Clarity 4 as-contract blanket access risk.

February 25, 2026

Central token operation gateway for Charisma protocol managing XP, energy, and governance tokens. High: status effects contract has unrestricted power to manipulate amounts and redirect targets for all token operations. Multi-owner claims are misleading — single owner has full unilateral control with no multi-sig or timelock.

February 25, 2026

Hold-to-earn staking engine using trapezoidal numerical integration of historical token balances. High: discrete balance sampling (2–39 points) allows inter-sample manipulation — attacker acquires tokens before sample blocks, inflates integral, sells after. Division-by-zero risk if total supply reaches zero.

February 25, 2026

Minimal DAO extension for minting Charisma governance tokens as quest rewards. Clean authorization pattern, no critical issues. Low: no maximum reward cap — defense-in-depth recommendation.

February 25, 2026

SIP-010 wrapper for Charisma governance token with rate-limiting and red-pill gates. High: unwrap liquidity cap is dead code — always bypassed due to logic error in red-pill check. Cumulative block-counter will eventually permanently lock operations.

February 24, 2026

Core constant-product AMM for StackSwap DEX. High: all pair state delegated to external LP token contracts creates trust boundary risk. Good safe-transfer protections but centralization risk via DAO owner LP token replacement.

February 24, 2026

Pool signer contract managing STX stacking delegation to PoX-4 signers. Handles delegate-stack-stx, extend, increase, and aggregation commits. Medium: no timelock on admin changes (reward address, ownership) + blanket as-contract (pre-Clarity 4). Clean architecture with consistent access control.

February 25, 2026

SIP-010 liquid staking token for StackingDAO. DAO-gated mint/burn with clean architecture. Medium: inconsistent auth — set-token-uri checks tx-sender while mint/burn check contract-caller. Protocol contracts can burn from any address. Pre-Clarity 4.

February 25, 2026

V3 upgrade of StackingDAO liquid stacking core. Adds fee cap (but at 100%), removes cancel-withdraw, fixes off-by-one in withdrawal timing. High: fee cap at 100% still allows total confiscation. Still pre-Clarity 4 with blanket as-contract. Includes v2→v3 diff analysis.

February 25, 2026

Core user-facing contract for StackingDAO liquid stacking (deposit STX → stSTX, NFT-based withdrawals). High: no fee cap — admin can set 100% deposit/withdrawal fees (v1 had MAX_COMMISSION, v2 removed it). Pre-Clarity 4 as-contract grants blanket asset authority to trait-parameterized contracts. Clean architecture with DAO registry validation on all external calls.

February 25, 2026

Token migration wrapper for ALEX staking. High: blocklist bypass via direct reserve pool interaction. Thin wrapper with minimal attack surface; security depends on underlying reserve pool.

February 24, 2026

Multi-hop swap router for Velar DEX (2-5 token paths). Medium: zero output not validated — dust swaps silently lose funds. Stateless design with no admin surface. Pre-Clarity 4, no deadline mechanism.

February 25, 2026

Core constant-product AMM for Velar DEX (Uniswap V2 port). Medium: swap fee validation parentheses bug bypasses protocol-fee check; no minimum liquidity lock; pre-Clarity 4 as-contract blanket authority. Strong anti-rug guards and constant-product invariant enforcement.

February 25, 2026

Thin routing layer for Velar DEX (UniswapV2 fork). High: no transaction deadline enables stale-swap sandwich attacks. Swaps execute before precondition validation. Trait parameters unverified at router level.

February 24, 2026

Pool configuration registry for ALEX DEX. No token operations — pure state management. Medium: update-pool allows pool-id mismatch between maps; fee rates have no upper bound despite existing unused error constant.

February 25, 2026

Core AMM for ALEX DEX (highest TVL on Stacks). Critical: multi-hop swaps pass none for intermediate slippage — sandwich vector. Pool owner has unilateral parameter control. Silent balance underflow masks insolvency.

February 24, 2026

Liquity-style vault manager for Arkadiko stablecoin. Critical: redemption fee block-last overflow bricks future redemptions via uint underflow. Stability fees crystallize into vault principal on partial redemption.

February 24, 2026

Rewards distribution for stSTX/stSTXbtc liquid staking. sBTC rewards silently lost when both token supplies are zero during processing. Pre-Clarity 4 as-contract grants blanket authority to commission trait contracts.

February 24, 2026

Liquidation auction engine for Arkadiko stablecoin protocol. Critical: DIKO backstop uses manipulable DEX spot price with zero slippage protection — sandwich attack extracts value during every backstop activation. No auction timeout leaves collateral locked indefinitely.

February 24, 2026

PoX stacking proxy for Arkadiko protocol. Critical: return-stx has no access control — anyone can drain unlocked STX back to reserve, griefing stacking operations. Hardcoded pox-3 makes contract functionally deprecated.

February 24, 2026

Multisig price oracle for Arkadiko DeFi protocol. Critical: oracle signatures permanently burned on failed updates via front-running — enables oracle denial of service. No staleness protection on price reads. No price deviation bounds.

February 24, 2026

Uniswap v2-style AMM on Stacks. Critical: no token pair binding allows complete asset drain via fake token contracts. Bulk operations swallow failures silently. Fee recipient permanently set by first caller.

February 23, 2026

Futures tranches for Stacked STX. Authorized stacker captures 100% of BTC yield; hardcoded PoX v1 makes it non-functional on current mainnet. Some findings corrected after deeper review.

February 21, 2026

UTXO contract calls non-existent send-bitcoin and uses invalid error types — undeployable. Initialize has no access control.

February 21, 2026

Payouts sent back to contract via as-contract bug. V2/V3 accept fees but have no betting or claims. Owner can drain all deposits.

February 21, 2026

Staking vault sends funds to owner's wallet — architectural rug-pull vector. Token launchpad creates map entries, not actual FTs.

February 21, 2026

Deployer backdoor allows unlimited sBTC minting. Repayment check uses balance deltas — receivers can keep minted tokens. Fees burned.

February 21, 2026

Never calls stx-transfer? — entire insurance mechanism is pure bookkeeping with no real funds. Withdrawal math is identity function.

February 21, 2026

Unrestricted mock-resolve backdoor lets anyone steal all vault funds. Refund underflow permanently locks user funds.

February 21, 2026

Integer truncation in STX-scale math causes ~46% of sell positions to revert. Self-service cap bypass in auto-buy functions.

February 20, 2026

Self-certifiable activity completion with no verification. Unconditional refund defeats the incentive model. Treasury accounting bug.

February 20, 2026

Every outbound transfer broken due to systemic as-contract misuse — all deposited funds permanently locked.

February 21, 2026

No actual token transfers — pure bookkeeping bridge. Transfer limit ratchets to zero permanently via integer division bug.

February 21, 2026

Voting escrow has infinitely recursive to-int that aborts every lock. Five contracts not integrated with each other.

February 21, 2026

Registry can't verify ownership of registered tokens — anyone can register any contract with fake data.

February 21, 2026

Withdrawal sends STX back to contract (permanent lock). FT defined with zero max supply — no rewards can ever mint.

February 21, 2026

None of the five contracts ever take custody of NFTs. Marketplace collects payment without delivering tokens.

February 21, 2026

Uses tx-self (non-existent keyword), type mismatches everywhere — never compiled or tested. Completely non-functional.

February 21, 2026

Phantom internal balances with no real transfers — completely non-functional. Square root returns x/2+1 instead of √x.

February 21, 2026

Core escrow works, but arbitration collects real STX for a resolution system that can't enforce outcomes. NFT contract has no transfer mechanism.

February 21, 2026

All contributions sent to hardcoded external treasury. claim-funds and claim-refund update bookkeeping but transfer zero STX.

February 21, 2026

Immutable audit trail undermined by last-write-wins patterns and unenforced state machine transitions. No financial functions.

February 21, 2026

Bounties calculated and tracked but never paid out — no STX transfer exists. AI auditors can't be removed once added.

February 21, 2026

Tips and follows only work between creators. NFT marketplace collects payment without transferring tokens. Fees permanently locked.

February 21, 2026

Deposit creates balance from nothing — no actual transfer. Single-dimension trading makes fills circular. No withdrawal or cancellation.

February 21, 2026

Reputation exploitable via repeated same-direction voting. No duplicate flag prevention. Self-voting unrestricted.

February 21, 2026

Contract never holds funds (deposits go to owner). Owner has unilateral veto on approved transactions. Signer count bugs can brick wallet.

February 21, 2026

Factory LP token with unvalidated token parameter in transfer-token (H-01). DAO unwrap-panic creates permanent freeze risk. Pair state coupling increases systemic risk.

February 25, 2026

Multi-hop swaps lack intermediate slippage protection (sandwich risk). Oracle maps manipulable by any swapper. Stateless custody-free design is strong.

February 24, 2026