Watt Protocol allows users to stake their LP tokens obtained from providing liquidity. Stakers collect rewards from wrapping & unwrapping tokens, and transaction fees.
Watt engaged Ackee Blockchain Security to perform a security review with a total time donation of 10 engineering days in a period between May 28 and May 13, 2025.
A second review, covering the fixes made in response to the first revision, took place between June 25 and June 27.
METHODOLOGY
We began our review by familiarizing ourselves with the core concepts and main functionality of the protocol, including reading through the documentation provided by the client. In this initial phase of the audit, we aimed to gather comprehensive information about the protocol’s expected operation, logic, and potential vulnerability spots.
In the second phase, we started digging deeper into the codebase. We began writing Proof of Concept (PoC) tests to verify the core functionality of the protocol, observe its behavior, and test our vulnerability hypotheses. During this phase, we paid special attention to ensuring:
- the core protocol functionality is correct and works as expected;
- user funds are always safe;
- all Cross Program Invocations (CPIs) are correctly implemented and validated;
- all accounts entering the instructions are properly used, modified, and validated;
- the protocol behaves fairly to all users;
- no excessive admin rights are in place; and
- all computations are correct.
SCOPE
The audit was performed on commit 78128cf and the scope was the following:
- Watt Protocol, excluding external dependencies.
FINDINGS
The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as medium severity, but which would be likely discovered only by the team, are typically decreased by the likelihood factor to the Warning or Informational severity ratings.
Our review resulted in 20 findings, ranging from Info to Critical severity. The fix review resulted in one new finding (W5).
All Critical, High and Medium severity findings have been fixed by the client, and all Warning and Informational severity findings have been either fixed, partially fixed or acknowledged by the client.
Critical severity
C1: Mismatched LP token and pool state validation leads to inflated rewards
C2: Incorrect return statement can cause incorrect liquidity accumulation
C3: Possibility to accumulate additional fees from users through Amplifier Config repeated initialization
C4: Unstake function allows full withdrawal while maintaining staking position
C5: Repeated unstake-stake cycle enables unlimited liquidity multiplication
C6: Missing FeeConfig validation allows zero-fee mint creation
C7: Possibility to use fraudulent Raydium pool to stake worthless LP Tokens and receive staking rewards for legitimate token
High severity
H1: Division by zero in unstake due to uninitialized global accumulator
H2: Protocol state reset discards accumulated fees
H3: Preemptive lamport transfer blocks mint initialization
H4: Unrestricted fee configuration allows excessive fees
Medium severity
M1: Unvalidated Token-2022 extensions enable vault draining
M2: Unvalidated freeze authority enables permanent fund lockup
M3: Unvalidated fee configuration can prevent token unwrapping
Low severity
No Low severity issues were found.
Warning severity
W1: Zero distribution rate initialization blocks fee claims
W2: Inconsistent naming between epoch field and slot data
W3: Single field updates require complete configuration reentry
W4: Mint authority validation placed in wrong instruction
W5: FeeConfig account not updated when transfer fees are updated
Informational severity
I1: Unnecessary / Unusual source code
I2: Use Raydium SDK instead of own implementation if possible
TRUST MODEL
Watt does not implement any Role-Based Access Control (RBAC) mechanism. However, there are two roles used within the protocol.
Users must trust the following entities:
- protocol admin, to fairly and correctly update the FeeConfig, which contains all important fee parameters and rates of the protocol;
- admin, to correctly update the Metadata of the Watt tokens;
- admin, to appoint Amplifiers fairly, responsibly, and correctly; and
- the server, to not overly censor the tokens initialized into the protocol, as the signature of this entity is required for introducing new tokens.
CONCLUSION
Ackee Blockchain Security recommends Watt Protocol to:
- Fix the issues found during the audit before proceeding to production deployment.
Ackee Blockchain Security’s full Watt Protocol audit report can be found here.
We were delighted to work with Watt and look forward to working with them again in the future.