Overview
As the proliferation of Stablecoins accelerates in emerging markets, so does the risk landscape. National initiatives like cNGN, Nigeria’s blockchain-based Stablecoin project—require rigorous pre-deployment hardening to avoid technical pitfalls that could erode trust or destabilize operations. FailSafe was engaged to audit the smart contract suite powering cNGN, with particular focus on its meta-transaction infrastructure, pausing mechanisms, permission architecture, and supply management guarantees.
This case study documents our audit in detail, unpacking our methodology, breaking down every finding with technical context, and outlining actionable mitigations. It is intended for smart contract engineers, auditors, and protocol teams seeking deep visibility into how to secure complex permissioned token systems.
Project Details
Project WrappedCBDC Stablecoin – cNGN (Solidity)
URL https://cngn.co/
Source Code https://github.com/wrappedcbdc/stablecoin-cngn
Initial Commit df82ba1d3a6837403fc649689a6b276adfb2bf2f
Interim Commit cbf142b19b916504870f2c016f20f0bbd29cbfa7
Final Commit 5bcd4541d9a2952cf7edae47f47305d5d0a5c2eb
Timeline 13th May 2025 – 18th June 2025
Findings Summary
We identified five issues with varying levels of severity. All issues were communicated to the cNGN team and collaboratively discussed in follow-up sessions.
| ID | Title | Severity | Status |
|---|---|---|---|
| 01 | External-to-Internal Transfer Results in Token Destruction | High | Acknowledged |
| 02 | Meta-Tx Nonce Handling Allows Replay or Out-of-Order Execution | Medium | Resolved |
| 03 | Ambiguous Meta-Tx Sender Resolution via Custom Forwarder | Medium | Resolved |
| 04 | Incomplete Enforcement of Pause Modifier | Low | Resolved |
| 05 | Nonstandard _msgSender() Resolution Across Contracts | Low | Resolved |
1. External-to-Internal Redemption Flow Results in Unintended Token Destruction
Severity: High
Status: Acknowledged
Overview:
Transfers from external whitelisted addresses to internal whitelisted ones result in the tokens being burned immediately after transfer, emitting standard Transfer events. This may confuse off-chain systems and users since the tokens are removed from circulation without explicit redemption logs, violating expected ERC-20 behavior.
Comment:
The developers confirmed this behavior is intentional for their cross-chain redemption flow. Tokens are burned on the source chain and minted on a destination chain using an off-chain indexer system and multisig-controlled APIs. Auditors noted the centralization risks, but the issue was acknowledged based on architectural design.
2. Non-Sequential Nonce Validation in Meta-Transaction System
Severity: Medium
Status: Resolved
Overview:
The Forwarder contract lacked strict enforcement that the req.nonce must equal the user’s current on-chain nonce, allowing out-of-order execution. This could invalidate previously signed requests and impair dApp usability.
Comment: Resolved
3. Custom Meta-Transaction Implementation Requires Security Enhancement
Severity: Medium
Status: Resolved
Overview:
The customSender() logic and the onlyDeployerOrForwarder modifier exposed potential security and compliance risks by conflating gas-payer and privileged roles. A compromised forwarder could exploit mint/burn routes.
Comment: Resolved
4. Incomplete Pause Mechanism Implementation
Severity: Low
Status: Resolved
Overview:
transfer() and burnByUser() were not protected by the whenNotPaused modifier, meaning core token functions could operate during emergencies even if the contract was paused.
Comment: Resolved
5. Inconsistent Meta-Transaction Context Implementation
Severity: Low
Status: Resolved
Overview:
Cngn2 functions used _msgSender() directly instead of leveraging customSender() or ERC-2771-compatible _msgSender() context, leading to possible forwarder identity confusion.
Comment: Resolved
Conclusion
The cNGN audit surfaces a pattern that is common in stablecoin deployments: the tension between functional customization and security predictability. Meta-transaction layers and privileged flows demand special scrutiny to ensure emergent behaviors do not violate financial invariants or user trust.
FailSafe’s review went beyond standard vulnerability scans to focus on structural integrity, governance enforceability, and operational correctness under edge cases. We commend the cNGN team for responsiveness and their intent to align with these security recommendations prior to mainnet launch.
For technical integration support, or to initiate a similar audit, contact us for a quote!
Get a quote in 1 hour!
Related Articles
dbook Smart Contract Audit
dbook is a fully on-chain EVM orderbook exchange designed to deliver decentralized trading with high performance, gas efficiency, and self-custody. The protocol...
Aegis JUSD Smart Contract Audit
Aegis is a multichain stablecoin protocol powering JUSD and YUSD, featuring minting, redemption, staking vaults, rewards distribution, and cross-chain bridging ...
The Moats V3 Smart Contract Audit
The Moats are a flexible staking and rewards protocol enabling project teams to configure easy governance participation, time-weighted incentives, and multi-tok...
Ready to secure your project?
Get in touch with our security experts for a comprehensive audit.
Contact Us