Skip to content

Shield Finance Pre-Launch Security Checklist

Comprehensive security checklist for Shield Finance fair launch on Flare Network mainnet. This checklist must be completed before deploying to production.

Status: 🟢 527 Tests Passing | ✅ Security Audit Complete
Last Security Review: December 6, 2025
Security Audit Status: All HIGH/MEDIUM/LOW findings resolved
Target Launch Date: TBD

Note: Test counts include token launch contracts, vault system contracts, and security/adversarial test suites. December 2025 added comprehensive vault coverage.


  • External Audit: Smart contracts audited by reputable firm
    • Audit report published publicly
    • ✅ All critical/high findings resolved
    • ✅ Medium/low findings documented with mitigation plan
    • See Section 1.5: Security Audit Findings for details
  • Internal Code Review: Team review completed
    • All contracts reviewed by 2+ developers
    • Security patterns verified (ReentrancyGuard, SafeERC20, Ownable)
    • No delegatecall, selfdestruct, or assembly without justification
  • Automated Analysis: Slither/Mythril/Echidna scans completed
    • No critical vulnerabilities found
    • Medium/low issues documented and reviewed
  • Token Launch Contracts: 189 tests
    • ShieldToken: 19 tests ✅
    • RevenueRouter: 38 tests ✅
    • MerkleDistributor: 23 tests ✅
    • StakingBoost: 42 tests ✅
    • AuditRemediation: 41 tests ✅
    • Integration: 26 tests ✅
  • Vault System Contracts: 235 tests
    • ShXRPVault: 164 tests ✅
    • ShXRPVault.MultiStrategy: 29 tests ✅
    • BuybackBurn: 29 tests ✅
    • VaultController: 13 tests ✅
  • Security/Adversarial Tests: 103 tests
    • RevenueRouter.Security: 26 tests ✅
    • MerkleDistributor.Security: 31 tests ✅
    • StakingBoost.Adversarial: 46 tests ✅
  • Testnet Deployment: Full deployment tested on Coston2
    • All contracts deployed successfully
    • Complete user flow tested (deposit → claim → stake → burn)
    • No errors or reverts in production-like environment
  • Mainnet Fork Testing: Local fork testing completed
    • SparkDEX V3 integration tested with real pool
    • wFLR interactions tested
    • Revenue distribution tested with actual DEX liquidity
  • ShieldToken.sol
    • ✅ No constructor parameters (simple deployment)
    • ✅ Fixed 10M supply (immutable)
    • ✅ Pure ERC20 (no taxes, no restrictions)
    • ✅ Burnable (ERC20Burnable from OpenZeppelin)
    • ✅ No mint function (supply fixed at deployment)
    • ✅ No ownership special privileges (Ownable only for transferOwnership)
  • RevenueRouter.sol (December 2025 Security Hardening)
    • ✅ 50/40/10 split verified (50% burn, 40% boost, 10% reserves)
    • ✅ SafeERC20 forceApprove() used for all token approvals
    • ✅ Allowances cleared after each operation (prevents residual approval attacks)
    • ✅ Configurable slippage protection (max 20%)
    • ✅ Price tracking for slippage calculations
    • ✅ rescueTokens() blocks FXRP extraction (operational token protection)
    • ✅ Owner-only withdrawReserves and configuration updates
    • ⚠️ SECURITY NOTE: distribute() can be called by anyone (intended design)
  • MerkleDistributor.sol
    • ✅ Immutable merkle root (prevents double-claim exploits)
    • ✅ Double-claim prevention (hasClaimed mapping)
    • ✅ Standard OpenZeppelin MerkleProof verification
    • ✅ SafeERC20 for token transfers
    • ✅ ReentrancyGuard on claim()
    • ✅ No updateMerkleRoot() function (intentionally removed)
    • ✅ Owner withdraw requires recipient != address(0)
  • StakingBoost.sol (Security Audit Completed - November 28, 2025)
    • ✅ 30-day lock period enforced (LOCK_PERIOD constant)
    • ✅ ReentrancyGuard on stake(), withdraw(), claim(), claimAndWithdraw(), distributeBoost(), recoverTokens()
    • ✅ SafeERC20 for all token transfers (forceApprove pattern for USDT-like tokens)
    • ✅ Boost calculation verified (1% per 100 SHIELD)
    • ✅ Lock period cannot be bypassed (timestamp checks)
    • ✅ Multiple stakes supported, lock resets on new stake
    • AUDIT FIX: Protected FXRP recovery system (owner cannot drain staker rewards)
    • AUDIT FIX: Fee-on-transfer token detection (rejects tokens with transfer fees)
    • AUDIT FIX: Zero-address validation on constructor parameters
    • AUDIT FIX: Orphaned rewards bucket for distributions when no stakers exist
  • ShXRPVault.sol (December 2025 - 193 tests)
    • ✅ ERC-4626 compliant vault implementation
    • ✅ Fee accrual system - fees tracked in accruedProtocolFees state variable
    • ✅ Fees claimed only from vault buffer when liquidity available (no unbacked share minting)
    • ✅ ReentrancyGuard on deposit(), withdraw(), redeem(), claimFees()
    • ✅ SafeERC20 for all token transfers
    • ✅ Multi-strategy architecture support via VaultController
    • ✅ Boost integration with StakingBoost contract
    • ✅ Pausable for emergency scenarios
    • ✅ Access control: ADMIN_ROLE, STRATEGY_ROLE, FEE_MANAGER_ROLE
    • ✅ Minimum deposit/withdrawal limits enforced
    • ✅ Share price manipulation protection
  • BuybackBurn.sol (December 2025 Security Hardening - 29 tests)
    • ✅ SafeERC20 forceApprove() used for all token approvals
    • ✅ Allowances cleared after each operation (forceApprove(0))
    • ✅ Configurable slippage protection (max 20%, default 5%)
    • ✅ Price tracking for slippage calculations
    • ✅ rescueTokens() blocks wFLR and SHIELD extraction (operational token protection)
    • ✅ Owner-only configuration updates (setSlippageTolerance, setMinBuybackAmount)
    • ✅ Event emissions for all state changes (BuybackExecuted, TokensBurned)
    • ✅ SparkDEX V3 router integration with proper swap path
  • VaultController.sol (December 2025 - 13 tests)
    • ✅ Multi-strategy allocation management (50% Firelight, 40% Kinetic, 10% buffer)
    • ✅ executeCompound() tracks actual yield by comparing totalAssets before/after
    • ✅ Rebalancing logic with configurable thresholds
    • ✅ Strategy addition/removal with proper validation
    • ✅ Emergency withdrawal capabilities
    • ✅ Access control: only vault can trigger rebalance operations
  • Ownership Verified:
    • ShieldToken: Deployer is owner (can only transferOwnership)
    • RevenueRouter: Deployer is owner (can withdrawReserves, setSlippage, setBoostAddress)
    • MerkleDistributor: Deployer is owner (can withdraw unclaimed)
    • StakingBoost: Owner with protected functions (cannot drain staker rewards)
    • ShXRPVault: Role-based (ADMIN_ROLE, STRATEGY_ROLE, FEE_MANAGER_ROLE)
    • BuybackBurn: Deployer is owner (can setSlippageTolerance, rescueTokens excluding wFLR/SHIELD)
    • VaultController: Vault-only access for rebalance operations

All security audit findings have been addressed as of November 28, 2025.

FindingDescriptionResolution
Centralized FXRP Reward ControlOwner could potentially drain FXRP rewards via recoverTokens() before stakers claimedFIXED: Implemented totalUnclaimedRewards tracking at distribution time. recoverTokens() now only allows recovery of excess FXRP beyond (totalUnclaimedRewards + pendingOrphanedRewards). Owner cannot withdraw freshly distributed rewards.
FindingDescriptionResolution
Fee-on-Transfer Token VulnerabilityContract did not account for tokens that take fees on transfer, leading to accounting errorsFIXED: Added balance comparison checks in stake() and distributeBoost(). If received amount differs from expected, transaction reverts with “Fee-on-transfer tokens not supported”.
FindingDescriptionResolution
Missing Reentrancy ProtectionrecoverTokens() lacked nonReentrant modifierFIXED: Added nonReentrant modifier to recoverTokens() function.
Unsafe Approval PatternUsing raw approve() which fails for USDT-like tokensFIXED: Replaced with SafeERC20 forceApprove() pattern with reset to 0 after use.
Zero-Address ValidationConstructor did not validate revenueRouter addressFIXED: Added require(_revenueRouter != address(0)) validation in constructor.
Orphaned FXRP LossIf FXRP distributed when totalStaked == 0, rewards were lostFIXED: Implemented pendingOrphanedRewards bucket. Orphaned rewards are stored and distributed when staking resumes.

Protected FXRP Recovery System:

// Tracking at distribution time (not user interaction time)
function distributeBoost(uint256 fxrpAmount) external {
// ... transfer checks ...
totalUnclaimedRewards += fxrpAmount; // Increment BEFORE any staker interacts
// ... reward distribution logic ...
}
function claim() external {
uint256 reward = rewards[msg.sender];
rewards[msg.sender] = 0;
totalUnclaimedRewards -= reward; // Decrement on claim
// ... transfer to vault ...
}
function getRecoverableFxrp() public view returns (uint256) {
uint256 balance = fxrpToken.balanceOf(address(this));
uint256 reserved = totalUnclaimedRewards + pendingOrphanedRewards;
return balance > reserved ? balance - reserved : 0;
}

This ensures:

  1. Owner can only recover truly excess FXRP (rounding dust or accidentally sent tokens)
  2. Immediately after distributeBoost(), totalUnclaimedRewards is already incremented
  3. Staker rewards are protected even before they interact with the contract
  • Ownership Transfer Plan:
    • Multisig address prepared (if transferring)
    • Multisig threshold configured (e.g., 3-of-5)
    • All signers verified and have access
    • Ownership transfer tested on testnet
  • Role-Based Access Control (if applicable):
    • No additional roles beyond Ownable
    • All owner functions documented and justified

  • Private Key Security:
    • Deployer private key generated on hardware wallet (Ledger/Trezor)
    • Private key never exposed in plaintext
    • Deployment from secure, air-gapped environment
    • Multi-signature deployment (optional but recommended)
  • Deployment Wallet:
    • Deployer address funded with 5 FLR (deployment + buffer)
    • No prior transactions on deployer address (fresh wallet recommended)
    • Nonce verified before each deployment
  • Network Configuration:
  • Pre-Deployment:
    • All tests passing (527) ✅
    • Contracts compiled with optimizer enabled (200 runs)
    • Solidity version verified: 0.8.20
    • Dependencies verified (OpenZeppelin 5.0.1)
  • Deployment Steps:
    • Step 1: Deploy ShieldToken
      • Verify total supply = 10M
      • Verify deployer balance = 10M
      • Block explorer verification complete
    • Step 2: Deploy RevenueRouter
      • Verify SHIELD address correct
      • Verify wFLR address: 0x1D80c49BbBCd1C0911346656B529DF9E5c2F783d
      • Verify router address: 0x8a1E35F5c98C4E85B36B7B253222eE17773b2781
      • Block explorer verification complete
    • Step 3: Deploy StakingBoost
      • Verify SHIELD address correct
      • Verify lock period = 2,592,000 seconds (30 days)
      • Block explorer verification complete
    • Step 4: Deploy MerkleDistributor
      • Verify SHIELD address correct
      • CRITICAL: Verify merkle root matches generated tree
      • Test claim with valid proof
      • Block explorer verification complete
    • Step 5: Add SparkDEX V3 Liquidity
      • Verify pool fee = 3000 (0.3%)
      • Verify amounts: 1M SHIELD + 535,451 wFLR
      • Verify initial price ≈ $0.01 per SHIELD
      • LP NFT received
    • Step 6: Lock LP NFT
      • LP NFT locked for 365 days on Team Finance
      • Lock receipt saved securely
      • Ownership transferred to locker contract
    • Step 7: Fund MerkleDistributor
      • 2M SHIELD transferred to MerkleDistributor
      • Distributor balance verified = 2M SHIELD
      • Remaining tokens distributed per Treasury Allocations
  • Token Distribution:
    • Team: 900K SHIELD (9%) ✓
    • Advisors: 500K SHIELD (5%) ✓
    • Ecosystem Development: 1.5M SHIELD (15%) ✓
    • Airdrops: 2M SHIELD (20%) ✓
    • Marketing: 350K SHIELD (3.5%) ✓
    • Ambassadors: 250K SHIELD (2.5%) ✓
    • Treasury: 1M SHIELD (10%) ✓
    • Liquidity / MM / Exchanges: 1M SHIELD (10%) ✓
    • Future Liquidity Adds: 2.5M SHIELD (25%) ✓
    • Total: 10M SHIELD ✓
  • Block Explorer Verification:
    • All contracts verified on Flare Explorer
    • Constructor arguments correct
    • Source code matches deployed bytecode
  • Functional Testing:
    • Test airdrop claim (1 address minimum)
    • Test stake on StakingBoost
    • Test distribute() on RevenueRouter (with wFLR)
    • Verify all functions work as expected

  • Weekly Burn Automation:
    • GitHub Actions workflow configured
    • Runs every Sunday at 00:00 UTC
    • Private key stored in GitHub Secrets
    • Workflow uses minimal permissions
    • No sensitive data logged (addresses, tx hashes, balances)
  • Manual Burn Process:
    • Backup process documented if automation fails
    • Owner can manually call distribute()
    • Minimum balance threshold: 5000 wFLR
  • Reserve Withdrawal:
    • Only owner can withdraw reserves
    • Multi-sig recommended for large withdrawals
    • Withdrawal events monitored on-chain
  • Merkle Tree Generation:
    • Tree generated from verified allocation list
    • No duplicate addresses
    • Total allocation = 2M SHIELD exactly
    • Proofs generated and tested
    • Tree saved securely (off-chain backup)
  • Claim Process:
    • Frontend validates proofs before submission
    • Users can generate proofs independently
    • No centralized claim approval required
  • Unclaimed Tokens:
    • Owner can withdraw unclaimed after 3-6 months
    • Withdrawal plan documented
    • Community notified before withdrawal
  • On-Chain Monitoring:
    • Block explorer alerts for all contracts
    • Price feed monitoring (CoinGecko/CoinMarketCap)
    • Liquidity pool monitoring (SparkDEX analytics)
    • Revenue accumulation tracking
  • Security Monitoring:
    • Large transfers monitored (>100k SHIELD)
    • Unusual contract interactions flagged
    • Owner function calls logged and reviewed
  • Community Monitoring:
    • Discord/Telegram alerts for community questions
    • Bug bounty program active
    • Emergency contact info published

4.1 Fair Launch Economics (TBC - Launch Pending)

Section titled “4.1 Fair Launch Economics (TBC - Launch Pending)”
  • Initial Price:
    • Target: $0.01 per SHIELD (TBC)
    • LP Ratio: 535,451 wFLR / 1M SHIELD ≈ 0.535 wFLR per SHIELD (TBC)
    • Total Liquidity: ~$10,000 (TBC)
  • Supply Distribution:
    • Team allocation: 9% (with vesting recommended)
    • Treasury allocations transparent on-chain
    • Airdrop vested via merkle distributor (no unlock)
    • LP locked for 12 months (TBC)
  • Revenue Distribution Mechanics:
    • 50% of revenue → SHIELD buyback/burn (deflationary) ✓
    • 40% of revenue → StakingBoost rewards (FXRP to stakers) ✓
    • 10% of revenue → Protocol reserves (sustainability) ✓
    • Distribution triggered via RevenueRouter.distribute()
    • Burn events public on-chain

4.2 Liquidity Security (TBC - Launch Pending)

Section titled “4.2 Liquidity Security (TBC - Launch Pending)”
  • LP Lock:
    • 12-month lock via Team Finance (TBC)
    • Lock duration: 31,536,000 seconds (365 days)
    • Lock receipt publicly verifiable
    • Unlock date communicated to community
  • Initial Liquidity:
    • Sufficient depth for initial trading (~$10k) (TBC)
    • Wide price range (±100%) for stability
    • 0.3% fee tier (standard for most pairs)
  • Anti-Rug Measures:
    • No team tokens unlocked at launch
    • No mint function (supply fixed)
    • LP locked (cannot be removed) (TBC)
    • Ownership renounced or multisig (optional)
  • Price Oracle:
    • SparkDEX V3 pool is source of truth
    • RevenueRouter uses amountOutMinimum: 0 (⚠️ MEV risk)
    • TODO: Consider price oracle integration (Chainlink/Flare FTSO)
  • Slippage Protection:
    • Wide LP range reduces slippage
    • Large trades may still experience slippage
    • Users should use limit orders when possible
  • Liquidity Depth:
    • $10k initial liquidity may not support large trades (TBC)
    • Community encouraged to add liquidity over time
    • Protocol revenue increases liquidity via buy pressure

  • Documentation:
    • Deployment guide published (SHIELD_DEPLOYMENT.md) ✅
    • Security checklist published (this document) ✅
    • User guides published (How to claim, stake, etc.)
    • FAQ document prepared
  • Code Transparency:
    • GitHub repository public
    • All contracts open source
    • Test suite public (527 tests documented)
    • Deployment scripts public
  • Community Engagement:
    • Discord/Telegram community established
    • Social media accounts verified
    • Launch announcement drafted
    • AMA scheduled (optional)
  • Launch Announcement:
    • Contract addresses published
    • Block explorer links shared
    • LP lock proof shared
    • Merkle tree published (for claims)
  • User Instructions:
    • How to add SHIELD to wallet (contract address)
    • How to claim airdrop (proof generation)
    • How to stake (StakingBoost UI)
    • How to trade (SparkDEX link)
  • Security Warnings:
    • Only official contract addresses
    • Beware of scam tokens
    • Verify contract on block explorer
    • No official DMs or support via DM
  • Community Support:
    • Support channels monitored 24/7 (first week)
    • Bug reports triaged and responded to
    • Questions answered promptly
  • Incident Response:
    • Emergency contact info published
    • Security incident response plan prepared
    • Contract pause mechanism (if applicable)
    • Community notification plan for incidents

  • Regulatory Compliance:
    • Legal counsel consulted (if applicable)
    • Securities laws reviewed (fair launch model)
    • No securities offering (tokens distributed fairly)
    • Terms of service prepared
  • Disclaimers:
    • No investment advice disclaimers
    • Smart contract risk disclaimers
    • Loss of funds warnings
    • Experimental software warnings
  • Intellectual Property:
    • Open source license chosen (MIT recommended)
    • License included in repository
    • No trademark/copyright violations
  • Restricted Jurisdictions:
    • No specific geographic restrictions (decentralized)
    • Users responsible for local compliance
    • Disclaimer: “Not available in prohibited jurisdictions”
  • KYC/AML:
    • No KYC required (permissionless protocol)
    • No central entity controlling funds
    • On-chain transparency only

  • Vulnerability Response Plan:
    • Security contact email published (security@shyield.finance)
    • Bug bounty program active (Immunefi recommended)
    • Vulnerability disclosure policy published
    • Emergency multisig prepared (if applicable)
  • Contract Pause Mechanism:
    • NOTE: Shield Finance contracts are NOT pausable (by design)
    • No emergency pause function (cannot stop trades/claims/burns)
    • Immutable contracts = trustless but cannot be paused
  • Mitigation Strategies:
    • If critical bug found: Deploy fixed contracts, migrate liquidity
    • If RevenueRouter bug: Deploy new router, update revenue source
    • If MerkleDistributor bug: Deploy new distributor, re-fund airdrop
    • All mitigation plans require community communication
  • Communication Plan:
    • Discord/Telegram emergency announcements
    • Twitter/X emergency thread
    • Block explorer warning (if possible)
    • Email subscribers (if newsletter exists)
  • Technical Response:
    • Smart contract experts on call
    • Auditor contact info ready
    • Blockchain forensics team identified (if needed)
    • Emergency fund for remediation (if needed)

  • All 527 tests passing
  • External audit completed and published (November 28, 2025)
  • Testnet deployment successful
  • Deployer wallet funded (5 FLR)
  • Merkle tree generated and verified
  • SparkDEX addresses verified
  • Team Finance locker tested
  • Emergency procedures documented
  • Community communication ready
  • Block explorer verification prepared
  • Bug bounty program launched (Immunefi)
  • Mainnet fork testing completed
  • Ownership transferred to multisig
  • Price oracle integration (for RevenueRouter)
  • Community review period (1-2 weeks)
  • Marketing materials prepared
  • DEX listings prepared (CoinGecko, CMC)
  • Analytics dashboard prepared
  • Branded UI for claiming/staking
  • Mobile app integration
  • Third-party integrations (wallets, aggregators)
  • Partnerships announced
  • Influencer outreach
  • Press release drafted

Deployment Approved By:

NameRoleSignatureDate
__________Lead Developer________________
__________Security Auditor________________
__________Project Manager________________
__________Legal Counsel________________

Deployment Date: _______________
Network: Flare Mainnet (Chain ID: 14)
Version: 1.0.0



Security Checklist Version: 1.1.0
Last Updated: November 28, 2025
Audit Status: ✅ All Findings Resolved
Status: ✅ Ready for Deployment