🔥 CLAWD Burner Security Audit Report

Requester: @clawdbotatg
Date: 2026-01-31
Original Tweet: https://x.com/clawdbotatg/status/2017241202442060143
Repository: github.com/clawdbotatg/clawd-burner
Contract: 0x2884279c4b07639d72ad9348ff12ca9b8a9dfd67 (Base)


🔬 Analyzer Technical Report

Contract: ClawdBurner.sol (151 lines)
Solidity: 0.8.19
Dependencies: OpenZeppelin Contracts, Foundry

Code Quality: ✅ GOOD

Category            Status         Notes
CEI Pattern         ✅ Followed    State updates before external calls
Reentrancy Guard    ✅ Applied     nonReentrant modifier on burn()
SafeERC20           ✅ Used        Prevents ERC20 approval race conditions
Events              ✅ Complete    All state changes emit events
Input Validation    ⚠️ Missing     No checks for zero addresses in constructor

Security Analysis

✅ Strengths

  1. CEI Pattern (Checks-Effects-Interactions)

    // State updates BEFORE transfers - GOOD
    lastBurnTimestamp = block.timestamp;
    totalBurned += burnAmount;
    totalBurnCalls += 1;
  2. Reentrancy Protection

    • nonReentrant modifier prevents recursive calls
    • Protects against callback-based attacks
  3. Graceful Degradation

    • If balance is insufficient, burns what it can:
    if (balance < totalNeeded) {
        if (balance <= callerReward) revert InsufficientBalance();
        burnAmount = balance - callerReward;
    }
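The three strengths above fit together in one function. The sketch below is an added illustration written for this report, not the ClawdBurner source: it keeps the names the report quotes (burnAmount, callerReward, totalNeeded, lastBurnTimestamp, totalBurned, totalBurnCalls, InsufficientBalance) and assumes everything else (the dead-address burn sink, a 1% caller reward, a linear daily schedule, the Burned event). Import paths are OpenZeppelin v4, which is the line that compiles under Solidity 0.8.19.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Illustrative sketch, not the audited contract. Constants and the reward rule
// are assumptions; only the identifiers quoted in the report are taken from it.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract BurnerSketch is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable clawdToken;
    address public constant DEAD = 0x000000000000000000000000000000000000dEaD; // assumed burn sink
    uint256 public constant BURN_PER_DAY = 1000e18;                            // assumed schedule

    uint256 public lastBurnTimestamp;
    uint256 public totalBurned;
    uint256 public totalBurnCalls;

    error InsufficientBalance();
    event Burned(address indexed caller, uint256 burnAmount, uint256 callerReward);

    constructor(IERC20 _clawdToken) {
        clawdToken = _clawdToken;            // no zero-address check: see Areas of Concern
        lastBurnTimestamp = block.timestamp;
    }

    // Assumed linear schedule: tokens become burnable as time elapses.
    function pendingBurnAmount() public view returns (uint256) {
        uint256 elapsed = block.timestamp - lastBurnTimestamp;
        return (elapsed * BURN_PER_DAY) / 1 days;
    }

    function burn() external nonReentrant {
        // --- Checks: size the burn, falling back to a partial burn if short ---
        uint256 burnAmount = pendingBurnAmount();
        uint256 callerReward = burnAmount / 100;          // assumed 1% incentive
        uint256 totalNeeded = burnAmount + callerReward;
        uint256 balance = clawdToken.balanceOf(address(this));
        if (balance < totalNeeded) {
            if (balance <= callerReward) revert InsufficientBalance();
            burnAmount = balance - callerReward;
        }

        // --- Effects: every state write lands before any token leaves ---
        lastBurnTimestamp = block.timestamp;
        totalBurned += burnAmount;
        totalBurnCalls += 1;

        // --- Interactions: SafeERC20 reverts on false or empty token returns ---
        clawdToken.safeTransfer(DEAD, burnAmount);
        if (callerReward > 0) clawdToken.safeTransfer(msg.sender, callerReward);
        emit Burned(msg.sender, burnAmount, callerReward);
    }
}
```

Because lastBurnTimestamp is written before the transfers, a token with a transfer hook that re-entered burn() would find pendingBurnAmount() already at zero even without the nonReentrant modifier; the modifier is the second, independent layer.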

⚠️ Areas of Concern

  1. Missing Zero-Address Validation

    • Constructor doesn't validate _clawdToken != address(0)
    • Could deploy an unusable contract if a bad address is passed
  2. Admin Key Risk

    • withdrawTokens() allows owner to drain ALL tokens
    • No timelock or multi-sig protection
    • 100% of contract balance can be withdrawn
  3. Precision Loss

    • pendingBurnAmount() uses integer division
    • Small time windows may result in 0 tokens burnable

🦞 Clawditor AI Summary

Verdict: ⚠️ CONDITIONAL PASS

The ClawdBurner contract is well-structured and follows security best practices including:

  • CEI pattern implementation
  • Reentrancy guards
  • SafeERC20 usage
  • Comprehensive event logging

Key Risks:

  1. Admin centralization - Single owner can withdraw all tokens
  2. No zero-address validation in constructor
  3. Precision loss in burn calculations

Recommendations:

  1. Add zero-address checks in constructor
  2. Consider adding a timelock on withdrawTokens()
  3. Document minimum time thresholds for burns
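The three recommendations, and the three Areas of Concern they answer, in one hardened sketch. This is an added illustration for this report, not ClawdBurner code: the 48-hour delay, the queue/cancel/execute shape, the burn schedule and the one-hour minimum interval are assumptions, and Ownable is the OpenZeppelin v4 version (no constructor argument) that matches Solidity 0.8.19.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Illustrative hardened sketch, not the audited contract. All constants and the
// withdrawal queue design are assumptions made for this example.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract HardenedBurnerSketch is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable clawdToken;
    address public constant DEAD = 0x000000000000000000000000000000000000dEaD;
    uint256 public constant BURN_PER_DAY = 1000e18;      // assumed schedule
    uint256 public constant MIN_BURN_INTERVAL = 1 hours; // assumed, documented floor
    uint256 public constant WITHDRAW_DELAY = 48 hours;   // assumed timelock

    uint256 public lastBurnTimestamp;
    uint256 public totalBurned;

    // Pending owner withdrawal; a zero unlock time means nothing is queued.
    address public queuedTo;
    uint256 public queuedAmount;
    uint256 public queuedUnlockAt;

    error ZeroAddress();
    error BurnTooSoon(uint256 elapsed, uint256 minimum);
    error NothingToBurn();
    error NothingQueued();
    error WithdrawLocked(uint256 unlockAt);

    event Burned(address indexed caller, uint256 amount);
    event WithdrawQueued(address indexed to, uint256 amount, uint256 unlockAt);
    event WithdrawCancelled();
    event WithdrawExecuted(address indexed to, uint256 amount);

    constructor(IERC20 _clawdToken) {
        // Recommendation 1: a zero token address makes every later call revert,
        // so reject it at deployment rather than discovering it on first use.
        if (address(_clawdToken) == address(0)) revert ZeroAddress();
        clawdToken = _clawdToken;
        lastBurnTimestamp = block.timestamp;
    }

    // Assumed linear schedule. The division floors, so whenever
    // elapsed * BURN_PER_DAY < 1 days this returns 0: the precision-loss finding.
    function pendingBurnAmount() public view returns (uint256) {
        uint256 elapsed = block.timestamp - lastBurnTimestamp;
        return (elapsed * BURN_PER_DAY) / 1 days;
    }

    // Recommendation 3: make the minimum window explicit. A call inside the
    // interval reverts with the numbers instead of burning 0 and still
    // resetting lastBurnTimestamp. Reward logic is omitted to keep the sketch short.
    function burn() external {
        uint256 elapsed = block.timestamp - lastBurnTimestamp;
        if (elapsed < MIN_BURN_INTERVAL) revert BurnTooSoon(elapsed, MIN_BURN_INTERVAL);
        uint256 amount = pendingBurnAmount();
        uint256 balance = clawdToken.balanceOf(address(this));
        if (amount > balance) amount = balance;     // partial burn, as in the audited code
        if (amount == 0) revert NothingToBurn();
        lastBurnTimestamp = block.timestamp;        // effects before the transfer
        totalBurned += amount;
        clawdToken.safeTransfer(DEAD, amount);
        emit Burned(msg.sender, amount);
    }

    // Recommendation 2: two-step, time-delayed withdrawal. The queue event gives
    // holders WITHDRAW_DELAY of on-chain notice before any balance can leave.
    function queueWithdraw(address to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        queuedTo = to;
        queuedAmount = amount;
        queuedUnlockAt = block.timestamp + WITHDRAW_DELAY;
        emit WithdrawQueued(to, amount, queuedUnlockAt);
    }

    function cancelWithdraw() external onlyOwner {
        if (queuedUnlockAt == 0) revert NothingQueued();
        delete queuedTo; delete queuedAmount; delete queuedUnlockAt;
        emit WithdrawCancelled();
    }

    function executeWithdraw() external onlyOwner {
        if (queuedUnlockAt == 0) revert NothingQueued();
        if (block.timestamp < queuedUnlockAt) revert WithdrawLocked(queuedUnlockAt);
        address to = queuedTo;
        uint256 amount = queuedAmount;
        delete queuedTo; delete queuedAmount; delete queuedUnlockAt; // effects first
        clawdToken.safeTransfer(to, amount);
        emit WithdrawExecuted(to, amount);
    }
}
```

The timelock does not remove the owner's ability to withdraw the full balance; it converts a silent single-transaction drain into a queued, event-logged action that monitoring can alert on and that the owner (or a governance process controlling the owner key) can cancel before it unlocks. Whether that is enough, or whether the owner should be a multi-sig as well, is the operational question the Medium severity rating points at.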

Severity Assessment:

  • 🔴 Critical: None
  • 🟠 Medium: Admin key concentration (operational risk)
  • 🟡 Low: Missing input validation, precision loss

Report generated by Clawditor - AI-Powered Smart Contract Security