Watt Protocol allows users to stake their LP tokens obtained from providing liquidity. Stakers collect rewards from wrapping & unwrapping tokens, and transaction fees.<\/p>\n
Watt engaged Ackee Blockchain Security to perform a security review with a total time donation of 10 engineering days in a period between May 28 and May 13, 2025.<\/p>\n
A second, fix review was performed of the fixes from the previous revision, and took place between June 25 and June 27.<\/p>\n
We began our review by familiarizing ourselves with the core concepts and main functionality of the protocol, including reading through the documentation provided by the client. In this initial phase of the audit, we aimed to gather comprehensive information about the protocol\u2019s expected operation, logic, and potential vulnerability spots.<\/p>\n
In the second phase, we started digging deeper into the codebase. We began writing Proof of Concept (PoC) tests to verify the core functionality of the protocol, observe its behavior, and test our vulnerability hypotheses. During this phase, we paid special attention to ensuring:<\/p>\n
The audit was performed on commit The classification of a security finding is determined by two ratings: <\/span>impact<\/b> and <\/span>likelihood<\/b>. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as <\/span>medium<\/span><\/i> severity, but which would be likely discovered only by the team, are typically decreased by the likelihood factor to the W<\/em><\/span>arning<\/span><\/i> or I<\/em><\/span>nformational<\/span><\/i> severity ratings.<\/span><\/p>\n Our review resulted in 20 findings, ranging from Info to Critical severity. The fix review resulted in one new finding (W5).<\/p>\n All Critical, High and Medium severity findings have been fixed by the client, and all Warning and Informational severity findings have been either fixed, partially fixed or acknowledged by the client.<\/strong><\/p>\n C1: Mismatched LP token and pool state validation leads to inflated rewards<\/p>\n C2: Incorrect return statement can cause incorrect liquidity accumulation<\/p>\n C3: Possibility to accumulate additional fees from users through Amplifier Config repeated initialization<\/p>\n C4: Unstake function allows full withdrawal while maintaining staking position<\/p>\n C5: Repeated unstake-stake cycle enables unlimited liquidity multiplication<\/p>\n C6: Missing FeeConfig validation allows zero-fee mint creation<\/p>\n C7: Possibility to use fraudulent Raydium pool to stake worthless LP Tokens and receive staking rewards for legitimate token<\/p>\n H1: Division by zero in unstake due to uninitialized global accumulator<\/p>\n H2: Protocol state reset discards accumulated fees<\/p>\n H3: Preemptive lamport transfer blocks mint initialization<\/p>\n H4: Unrestricted fee configuration allows excessive fees<\/p>\n M1: Unvalidated Token-2022 extensions enable vault draining<\/p>\n M2: Unvalidated freeze authority enables permanent fund lockup<\/p>\n M3: Unvalidated fee configuration can prevent token unwrapping<\/p>\n No Low severity issues were found.<\/p>\n W1: Zero distribution rate initialization blocks fee claims<\/p>\n W2: Inconsistent naming between epoch field and slot data<\/p>\n W3: Single field updates require complete configuration reentry<\/p>\n W4: Mint authority validation placed in wrong instruction<\/p>\n W5: FeeConfig account not updated when transfer fees are updated<\/p>\n I1: Unnecessary \/ Unusual source code<\/p>\n I2: Use Raydium SDK instead of own implementation if possible<\/p>\n Watt does not implement any Role-Based Access Control (RBAC) mechanism. However, there are two roles used within the protocol.<\/p>\n Users must trust the following entities:<\/p>\n Ackee Blockchain Security recommends Watt Protocol to:<\/p>\n Ackee Blockchain Security<\/a>\u2019s full Watt Protocol audit report can be found here<\/a><\/b>.<\/b><\/p>\n We were delighted to work with Watt and look forward to working with them again in the future.<\/p>\n","protected":false},"excerpt":{"rendered":" Watt Protocol allows users to stake their LP tokens obtained from providing liquidity. Stakers collect rewards from wrapping & unwrapping tokens, and transaction fees. Watt engaged Ackee Blockchain Security to perform a security review with a total time donation of 10 engineering days in a period between May 28 and May 13, 2025. A second, fix review was performed of the fixes…<\/p>\n","protected":false},"author":30,"featured_media":1070,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,5,113],"tags":[21,89,6],"class_list":["post-1067","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solana","category-trident","tag-audit","tag-audit-summary","tag-solana"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/07\/Watt-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/07\/Watt-1-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1067","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1067"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1067\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1070"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=1067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}78128cf<\/code> and the scope was the following:<\/p>\n\n
FINDINGS<\/span><\/h2>\n
Critical severity<\/span><\/h3>\n
High severity<\/span><\/h3>\n
Medium severity<\/span><\/h3>\n
Low severity<\/span><\/h3>\n
Warning severity<\/span><\/h3>\n
Informational severity<\/span><\/h3>\n
TRUST MODEL<\/span><\/h2>\n
\n
FeeConfig<\/code>, which contains all important fee parameters and rates of the protocol;<\/li>\nMetadata<\/code> of the Watt tokens;<\/li>\nAmplifiers<\/code> fairly, responsibly, and correctly; and<\/li>\nCONCLUSION<\/span><\/h2>\n
\n