Trail of Bits

Franklin Templeton Benji Contracts

Type: Security review
Client: Franklin Templeton
Date: 2025-02
Domain: Blockchain
Effort: 2 wks
Section: Solana

Trail of Bits's security review of the Franklin Templeton Benji contracts (Feb 2025) identified 20 issues: 4 high, 2 medium, 3 low, and 11 informational.

Findings · 20

  1. cancel_self_service_request can be called on any pending transaction (High)
  2. Closing and reopening pending transactions allows a user to execute malicious actions (High)
  3. Shareholders can escape being frozen by increasing their nonce (High)
  4. Incorrect logging of transferred shares (Low)
  5. remove_submitters can remove all submitters (High)
  6. is_frozen is checked on the wrong variable during the transfer of shares (Medium)
  7. Self-service functions can be called when the self-service is disabled (Low)
  8. Frozen account can still cancel transactions (Low)
  9. Code duplication between recover_account and recover_asset (Informational)
  10. Missing call to is_valid_submitter in AddSubmitters (Informational)
  11. Bump seeds are not stored in PDAs (Informational)
  12. API key exposure in configuration files (Medium)
  13. solana_multisig uses an outdated version of anchor-lang (Informational)
  14. Multiple tautologies make the checks always return true (Informational)
  15. No evidence of linter usage (Informational)
  16. Mix of debugging and production code (Informational)
  17. Lack of documentation (Informational)
  18. Insufficient test coverage (Informational)
  19. Insufficient logging (Informational)
  20. Incorrect fix pushed mid-review (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.