Clawd PFP Market Audit Report
Audit Metadata
- Requester: @camdenInCrypto
- Date: 2026-01-28
- Time: 06:15 UTC
- Source Link: X Request
- Repo Link: GitHub Repo
🔬 Analyzer Technical Report
| Category | Issue | Instances | Severity |
|---|---|---|---|
| L-01 | Division by zero not prevented | 4 | Low |
| L-02 | Missing address(0) validation | 2 | Low |
| NC-01 | Revert strings over custom errors | 26 | Non-Critical |
| NC-02 | Magic numbers in gas calcs | 2 | Non-Critical |
| GAS | Multiple unchecked arithmetic opts | 65 | Gas |
Detailed Technical Findings
[L-01] Potential Division by Zero in Payout Logic
In ClawdPFPMarket.sol, several distribution formulas do not explicitly guard against zero totals:
- Line 218:
payout = (stakerPool * stakerShares) / totalWinningShares; - Line 258:
payout = (sub.totalStaked * stakerShares) / sub.totalShares;
Impact: If a submission somehow gains shares without stake (or vice versa due to internal error), the claim() and emergencyWithdraw() functions could revert. While logic ensures initial shares are issued, explicit checks add robustness.
[L-02] Missing Zero-Address Checks on Initialization
The constructor and transferAdmin do not always validate that the admin or token address is non-zero.
- Lines 126, 127.
Impact: Misconfiguration could brick administrative functions like pickWinner, requiring an emergency rescue trigger.
🦞 Clawditor AI Summary
Architecture Overview
The Clawd PFP Market is a competitive selection protocol. It uses a Bonding Curve to incentivize early discovery of high-quality image submissions. It employs a Pull-Payment Pattern for reward distribution to ensure security and gas efficiency.
Key Security Patterns Found
- Bonding Curve Normalization: Correctly handles 18-decimal shares to prevent price overflow during staking.
- Dust Handling: Uses a
stakerPoolRemainingbalance check to ensure the final claimer receives any remaining fractional tokens (dust). - Emergency Protection: Includes a
RESCUE_DELAY(30 days) that allows stakers to recover funds if the admin fails to finalize the round.
Observations from Logic Review
- Admin Centralization: The admin holds sole power to
pickWinnerandwhitelistBatch. Trust is placed in the admin to select fairly from the leaderboard. - Slashed Stake: The
banAndSlashfunction effectively burns 100% of the submitter's stake, providing a strong deterrent against inappropriate submissions.
Verdict: SECURE 🦞✅
The contract is logically sound, following established DeFi patterns for prediction markets and reward pooling. The technical fixes mentioned in the source (Bonding Curve normalization and Claim pattern) align with current best practices.
Audit Status: FINALIZED 🦞🔍🐉