Review scope & methodology
Scope & methodology
Read-only, multi-pass assessment of the wenakita/4626 monorepo: baseline validation, parallel subsystem analysis, and manual verification of high-severity candidates at file:line granularity.
Report metadata
| Report ID | 4626-FABLE-2026-06 |
|---|---|
| Review type | Read-only technical security assessment |
| Review period | 9–13 June 2026 |
| Validation | Baseline lint / typecheck / test / forge gates; parallel workstreams; manual candidate verification |
| Finding grades | VERIFIED · REFUTED · ALREADY-KNOWN (with evidence citations) |
| Lead session | Full-codebase review (0a513245…) |
Release conclusion (at review date)
The working tree was not ready for a clean release tag — impairment side-pocket and x402 payment paths required resolution or explicit risk acceptance. The review did not identify a remotely exploitable unauthenticated RCE or web-tier fund-drain.
8
Parallel workstreams
350+
API handlers reviewed
3 + 6
Critical + high findings
72+
Forge unit tests in baseline
Review coverage
In-scope systems
Smart contracts
CreatorOVault, impairment side-pocket, ShareOFT, DeploymentBatcher, lottery and gauge modules
Application frontend
Swap, deploy, waitlist and auth, wallet execution (canonical ERC-4337 and EOA tracks)
API & server
Vercel handlers, paymaster, keeper jobs, Stripe and x402 strategy payments
Infrastructure
GitHub Actions CI, Semgrep and Slither gates, cron workflows, dependency posture
Cross-chain
Solana share-mesh program, bridge adapter, KPR keeper workflows
Messaging runtime
Railway XMTP/Eliza runtime, Hermit, Telegram Mini App flows
Key on-chain components (Base mainnet)
Infrastructure modules referenced in critical findings. Full registry: Contract addresses.
| Component | Role | Address |
|---|---|---|
| CreatorOVaultCoreModule | Impairment side-pocket logic (C-2, C-3, H-1) | 0xD4553478780571A1A5F6cCCC0735F897F15a85Cf |
| DeploymentBatcher | Vault deploy orchestration | 0x660B251F2feB28f61A8e23e65C66F9b917Ee61c1 |
| CreatorRegistry | Creator ↔ vault registry | 0xDD7B106a15540bA2F59464590222bF47D8C9394E |
| SolanaBridgeAdapter | Cross-chain bridge | 0x8e99bb0270bbdf2d64ff6854509CD2410A28fBae |
Per-vault contracts (e.g. CreatorORecoveryEscrow) are deployed at launch; see CreatorOVault and source on GitHub.
Methodology
- Repository baseline — Install dependencies; run lint, typecheck, unit tests, forge build/test, and repository guard scripts.
- Lead review — Full-codebase assessment in session 0a513245… with parallel workstreams covering architecture, CI/CD, frontend, data layer, security, and contracts.
- Security follow-up — Dedicated pass in session c603521c… on the same scope.
- Production readiness — Follow-on sessions (including 6318a55b…) traced launch blockers into remediation planning.
- Evidence grading — Each candidate finding verified or refuted with file:line references before inclusion in the report register.
Out of scope
- Formal verification or manual proof review of contract economics
- Live mainnet penetration testing or funded exploit attempts
- Third-party infrastructure operated outside the repository (Privy, Supabase, Railway) beyond integration boundaries documented in code
- Post-review remediation verification unless separately documented
Citation
4626 Technical Security Review (June 2026). Report 4626-FABLE-2026-06.
https://docs.4626.fun/audits/fable/full-repo-review-2026-06
Was this page helpful?