Skip to main content

Review scope & methodology

June 2026 · Technical security review

Scope & methodology

Read-only, multi-pass assessment of the wenakita/4626 monorepo: baseline validation, parallel subsystem analysis, and manual verification of high-severity candidates at file:line granularity.

Report metadata
Report ID4626-FABLE-2026-06
Review typeRead-only technical security assessment
Review period9–13 June 2026
ValidationBaseline lint / typecheck / test / forge gates; parallel workstreams; manual candidate verification
Finding gradesVERIFIED · REFUTED · ALREADY-KNOWN (with evidence citations)
Lead sessionFull-codebase review (0a513245…)
Release conclusion (at review date)
The working tree was not ready for a clean release tag — impairment side-pocket and x402 payment paths required resolution or explicit risk acceptance. The review did not identify a remotely exploitable unauthenticated RCE or web-tier fund-drain.
8 Parallel workstreams
350+ API handlers reviewed
3 + 6 Critical + high findings
72+ Forge unit tests in baseline

Review coverage

In-scope systems

Smart contracts CreatorOVault, impairment side-pocket, ShareOFT, DeploymentBatcher, lottery and gauge modules
Application frontend Swap, deploy, waitlist and auth, wallet execution (canonical ERC-4337 and EOA tracks)
API & server Vercel handlers, paymaster, keeper jobs, Stripe and x402 strategy payments
Infrastructure GitHub Actions CI, Semgrep and Slither gates, cron workflows, dependency posture
Cross-chain Solana share-mesh program, bridge adapter, KPR keeper workflows
Messaging runtime Railway XMTP/Eliza runtime, Hermit, Telegram Mini App flows

Key on-chain components (Base mainnet)

Infrastructure modules referenced in critical findings. Full registry: Contract addresses.

ComponentRoleAddress
CreatorOVaultCoreModuleImpairment side-pocket logic (C-2, C-3, H-1)0xD4553478780571A1A5F6cCCC0735F897F15a85Cf
DeploymentBatcherVault deploy orchestration0x660B251F2feB28f61A8e23e65C66F9b917Ee61c1
CreatorRegistryCreator ↔ vault registry0xDD7B106a15540bA2F59464590222bF47D8C9394E
SolanaBridgeAdapterCross-chain bridge0x8e99bb0270bbdf2d64ff6854509CD2410A28fBae

Per-vault contracts (e.g. CreatorORecoveryEscrow) are deployed at launch; see CreatorOVault and source on GitHub.

Methodology

  1. Repository baseline — Install dependencies; run lint, typecheck, unit tests, forge build/test, and repository guard scripts.
  2. Lead review — Full-codebase assessment in session 0a513245… with parallel workstreams covering architecture, CI/CD, frontend, data layer, security, and contracts.
  3. Security follow-up — Dedicated pass in session c603521c… on the same scope.
  4. Production readiness — Follow-on sessions (including 6318a55b…) traced launch blockers into remediation planning.
  5. Evidence grading — Each candidate finding verified or refuted with file:line references before inclusion in the report register.

Out of scope

  • Formal verification or manual proof review of contract economics
  • Live mainnet penetration testing or funded exploit attempts
  • Third-party infrastructure operated outside the repository (Privy, Supabase, Railway) beyond integration boundaries documented in code
  • Post-review remediation verification unless separately documented

Citation

4626 Technical Security Review (June 2026). Report 4626-FABLE-2026-06.
https://docs.4626.fun/audits/fable/full-repo-review-2026-06