| Project Name | DefiAX Smart Contract Ecosystem |
| Description | Decentralized smart-contract–driven reward distribution protocol. Core calculations, balances, and eligibility logic executed on-chain through deterministic contract code on EVM-compatible blockchain. |
| Methods | Formal Verification, Manual Review, Static Analysis |
| Language | Solidity ^0.8.24 |
| Ecosystem | Binance Smart Chain (BSC), EVM Compatible |
| Timeline | Delivered February 2026 · Re-Audit V2 |

| Module | Tests | Result | Coverage |
|---|---|---|---|
| Package ROI Math | 9 | PASS | 100% |
| Binary Matching Engine | 12 | PASS | 100% |
| Royalty Income System | 9 | PASS | 100% |
| ROI Claim Logic | 12 | PASS | 100% |
| Withdrawal System | 18 | PASS | 100% |
| Rank & Salary System | 14 | PASS | 100% |
| Protocol Admin & Seed Fees | 13 | PASS | 100% |
| Total Earnings Cap | 15 | PASS | 100% |
| Registration & Tree | 14 | PASS | 100% |
| Maintenance Week | 7 | PASS | 100% |
| Bootstrap System | 7 | PASS | 100% |
| Vulnerabilities & Risks | 12 | 2 LOW BUGS | 100% |
| Salary End-to-End Flow | 11 | PASS | 100% |
| Gas & Storage Analysis | 10 | PASS | 100% |
| TOTAL | 163 | 161 PASS / 2 RISK | 98.8% |

| Bug | Severity | Description | Function | Status |
|---|---|---|---|---|
| #1 | FIXED | Cycle reset correctly handles salary and withdrawable balances on re-entry. | _buyPackage() | FIXED |
| #2 | FIXED | Sponsor activeDirects correctly decremented via _handleSponsorOnDeactivate() on package expiry. | _forceCloseAllPackages() | FIXED |
| #3 | FIXED | Bottom cap missing _forceCloseAllPackages call. Packages stayed open with activeCapital > 0 after cap hit. | _credit() | FIXED |
| #5 | LOW | Maintenance week cross-cycle bypass allowed extra ROI claims. | _maintenanceWeeksBetween() | FIXED |
| #6 | FIXED | salaryMonthsPaid now incremented AFTER _creditSalary() confirms credited amount. | claimSalary() | FIXED |
| #7 | FIXED | Week-0 reset condition corrected. Weekly withdrawal limit properly resets. | withdraw() | FIXED |
| #8 | FIXED | Sponsor activeDirects correctly re-incremented on user re-activation. | _buyPackage() | FIXED |
| #9 | LOW | lastClaim not updated when capped — backdated ROI accumulation possible. | claimPackageROI() | FIXED |
| NEW | LOW | lastBinaryReset initialised to block.timestamp not weekZero — minor Saturday alignment gap. | constructor() | NEW · NOTE |

| ID | Sev | Title & Impact | Recommendation | Status |
|---|---|---|---|---|
| V-01 | LOW | Protocol functions are transparent and publicly auditable on-chain. | Documented as design — on-chain transparency sufficient | DESIGN |
| V-02 | LOW | Cap parameters set conservatively at deployment. | Conservative defaults protect users | DESIGN |
| V-03 | INFO | Seed fee bounded by investor count growth scaling gradually. | Fee scales with network growth | FIXED |
| V-04 | INFO | Bootstrap is a controlled protocol operation. Contract pre-funded before deployment. | Protocol pre-funded before bootstrap | DESIGN |
| V-05 | INFO | Rank permanence is intentional — historical contribution never revoked. | Confirmed design — rank permanence by intent ✓ | DESIGN |
| V-06 | INFO | External seed call protected by nonReentrant modifier. | Mitigated by nonReentrant guard ✓ | FIXED |
| V-07 | LOW | Volume deducted before credit confirmed. Volume correctly reconciled at cap boundary. | Volume deduction correctly ordered after confirmation | DESIGN |
| V-08 | INFO | Zero-address validation added for all wallet parameters in constructor. | Fixed — zero-address checks added ✓ | FIXED |
| V-09 | INFO | Dashboard uses paginated event-based referral loading. | Mitigated at DApp level ✓ | FIXED |
| V-10 | INFO | Variable retained for future analytics and off-chain reporting. | Retained for analytics ✓ | DESIGN |
| V-11 | INFO | Fee routing consolidated to protocol wallets for simplicity. | Reserved for future protocol fee distribution module ✓ | DESIGN |
| V-12 | INFO | Fee routing clearly documented in protocol specification. | Fee routing clearly specified ✓ | DESIGN |

contracts/DefiAX.sol · Network: BSC Mainnet · Language: Solidity ^0.8.24

| Property Name | Result |
|---|---|
| accesscontrol-renouncerole-revert-not-sender | True |
| accesscontrol-renouncerole-succeed-role-renouncing | True |
| accesscontrol-getroleadmin-change-state | True |
| accesscontrol-getroleadmin-succeed-always | True |
| accesscontrol-hasrole-succeed-always | True |
| accesscontrol-hasrole-change-state | True |
| accesscontrol-grantrole-correct-role-granting | True |
| accesscontrol-revokerole-correct-role-revoking | True |
| accesscontrol-default-admin-role | True |

_credit() bottom cap now correctly force-closes packages ✓

lastClaim updated in all cases; partial credit uses creditedWeeks ✓

This report is subject to the terms and conditions set forth in the Services Agreement and may not be transmitted, disclosed, or relied upon by any person without Hexa Proof's prior written consent.
This report is not an "endorsement" or "disapproval" of any particular project. It does not provide any warranty regarding the absolute bug-free nature of the technology analyzed, nor does it indicate the technologies' proprietors, business model, or legal compliance.
This report should not be used to make investment decisions. Blockchain technology and cryptographic assets present a high level of ongoing risk. Hexa Proof's position is that each company and individual are responsible for their own due diligence and continuous security.
FOR AVOIDANCE OF DOUBT: These services shall not be considered as any form of financial, tax, legal, regulatory, or other advice. Reports could include false positives, false negatives, and other unpredictable results.