DeFi continues to evolve rapidly, and protocols like PokPok are pushing the boundaries with innovative mechanics. To ensure the safety of its users and ecosystem, PokPok Protocol recently underwent a comprehensive smart contract audit by FailSafe.
The audit focused on vault mechanisms, yield farming, and options trading functions, identifying potential risks and validating PokPok’s ability to deliver secure, transparent, and reliable financial products.
This blog provides a detailed breakdown of the audit, key findings, and remediation strategies.
What is PokPok Protocol?
PokPok Protocol is a decentralized finance (DeFi) platform that combines:
- Options trading and yield farming with unique “chicken game” dynamics.
- Vault-based investment mechanisms to maximize returns.
- Advanced position and risk management systems for capital efficiency.
By integrating playful gamification with serious financial strategies, PokPok is carving out a unique space in the DeFi ecosystem. However, such complex contracts must undergo thorough testing and auditing to prevent vulnerabilities.
Audit Overview
- Auditor: FailSafe
- Project Name: PokPok Protocol
- Audit Timeline: July 22 – August 20, 2025
- In-scope Contracts: PokPokVault.sol, PokPokVaultFactory.sol
- Source Code: PokPok GitHub Repository
FailSafe used its multi-layered audit methodology, including:
- Threat modeling of attack vectors.
- Manual line-by-line code review.
- Functional testing with Hardhat & Foundry.
- Fuzzing & invariant testing for extreme cases.
- Edge case analysis for vaults and harvesting operations.
- Collaborative remediation and verification with the PokPok team.
PokPok Audit Goals
The audit was structured around seven security and performance goals:
- Security Assurance – eliminating critical vulnerabilities.
- Functional Correctness – ensuring accurate handling of vaults, harvesting, and risk management.
- Gas Optimization – reducing unnecessary costs for users.
- Access Control & Privileges – preventing misuse of admin or minter roles.
- Upgradability & Maintainability – supporting long-term extensibility.
- Compliance & Documentation – clear, well-documented practices.
- Reporting & Remediation Guidance – actionable fixes with post-fix verification.
Summary of Findings
The audit revealed 6 issues across different severity levels:
| Severity | Total | Status |
|---|---|---|
| Critical | 0 | – |
| High | 1 | Resolved |
| Medium | 2 | Resolved |
| Low | 2 | Partially Resolved / Resolved |
| Info | 1 | Acknowledged |
Key Audit Findings
1. Missing Validation for Stuck Harvest in resetHarvestState
- Severity: High | Status: Resolved
- The function could prematurely drop matured positions without proper validation, risking lost yields and desynchronized states.
- Remediation: Added timeout and pending checks to ensure only genuinely stuck harvests can be reset.
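The pending and timeout checks described in this remediation, written out in Solidity as an added example (not taken from PokPokVault.sol). Every name except resetHarvestState is hypothetical, the one-hour timeout is an assumed value, and the normal settlement path is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: not PokPokVault.sol. All names except
// resetHarvestState are hypothetical, and the timeout value is an assumption.
contract HarvestResetGuard {
    uint256 public constant HARVEST_TIMEOUT = 1 hours; // assumed value
    address public immutable admin;
    bool public harvestPending;        // a harvest was started and not settled
    uint256 public harvestStartedAt;   // block timestamp of that start
    uint256[] public pendingPositions; // matured positions awaiting settlement

    event HarvestStarted(uint256 positions, uint256 startedAt);
    event HarvestStateReset(uint256 droppedPositions, uint256 stuckFor);
    error NotAdmin();
    error HarvestAlreadyPending();
    error NoHarvestPending();
    error HarvestNotTimedOut(uint256 elapsed, uint256 required);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() { admin = msg.sender; }

    function startHarvest(uint256[] calldata positionIds) external onlyAdmin {
        if (harvestPending) revert HarvestAlreadyPending();
        pendingPositions = positionIds;
        harvestPending = true;
        harvestStartedAt = block.timestamp;
        emit HarvestStarted(positionIds.length, block.timestamp);
    }

    // Escape hatch: allowed only when a harvest is pending AND has exceeded
    // the timeout. Without both checks a call could discard live positions.
    function resetHarvestState() external onlyAdmin {
        if (!harvestPending) revert NoHarvestPending();
        uint256 elapsed = block.timestamp - harvestStartedAt;
        if (elapsed < HARVEST_TIMEOUT) revert HarvestNotTimedOut(elapsed, HARVEST_TIMEOUT);
        emit HarvestStateReset(pendingPositions.length, elapsed);
        delete pendingPositions;
        harvestPending = false;
    }
}
```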
2. Desynchronization & Silent Failures in Batch Harvest Logic
- Severity: Medium | Status: Resolved
- Certain failure cases allowed vault desynchronization, where reported TVL/positions didn’t match actual assets. Silent failures were also not logged.
- Remediation: Introduced stricter revert conditions and consistent event logging.
3. Silent Failures in NFT Approval Operations
- Severity: Medium | Status: Resolved
- NFT approvals sometimes failed silently, risking inconsistent or insecure vault states.
- Remediation: Events now emit on failures, and critical approvals revert transactions.
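The difference between a swallowed approval failure and the handling this remediation describes, as an added Solidity example that is not PokPok's code. The contract, function, event and error names are hypothetical; only the ERC-721 approve signature is standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: not PokPok's code. Contract, function, event and
// error names are hypothetical; the interface is the standard ERC-721 approve.
interface IERC721Approve {
    function approve(address to, uint256 tokenId) external;
}

contract ApprovalHandling {
    event NftApprovalFailed(address indexed nft, uint256 indexed tokenId, bytes reason);
    error CriticalApprovalFailed(address nft, uint256 tokenId);

    // Silent form of the kind the finding describes: the failure is swallowed
    // and the caller continues as if the approval were in place.
    function approveSilently(address nft, address spender, uint256 tokenId) internal {
        try IERC721Approve(nft).approve(spender, tokenId) {} catch {}
    }

    // Hardened form: a critical approval reverts the whole transaction; a
    // non-critical failure is logged so off-chain monitoring can pick it up.
    function approveChecked(address nft, address spender, uint256 tokenId, bool critical)
        internal
        returns (bool ok)
    {
        try IERC721Approve(nft).approve(spender, tokenId) {
            return true;
        } catch (bytes memory reason) {
            if (critical) revert CriticalApprovalFailed(nft, tokenId);
            emit NftApprovalFailed(nft, tokenId, reason);
            return false;
        }
    }
}
```

Logs emitted in a transaction that later reverts are discarded, which is why the critical path carries its details in the custom error and only the non-critical path relies on the event.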
4. Parameter & Initialization Validation Deficiencies
- Severity: Low | Status: Partially Resolved
- Loose validation in constructor and admin updates allowed extreme values (e.g., zero deposits, excessive risk parameters), potentially locking funds or overexposing TVL.
- Remediation: Bounds were added, though some parameter caps remain policy-driven (e.g., maxVaR at 80% instead of 50%).
5. Missing Events for State Changes
- Severity: Low | Status: Resolved
- Critical updates (e.g., fees, deposits, resets) lacked event emissions, hindering off-chain monitoring and transparency.
- Remediation: Consistent event logging was introduced across state-modifying functions.
6. Front-Running & Timing Attacks on Share Price Updates
- Severity: Info | Status: Acknowledged
- Price updates could be exploited by front-runners during deposits/withdrawals, leading to minor dilution (0.1-1% per transaction) in high MEV environments.
- Remediation: The team acknowledged this and plans mitigation in future updates.
FailSafe’s Conclusion
The PokPok Protocol audit confirmed that no critical vulnerabilities were present. The most severe finding (stuck harvest resets) was quickly patched, and the team demonstrated outstanding responsiveness, implementing fixes within hours for critical issues.
With strong remediation and improved event logging, PokPok now stands on a much safer and more transparent foundation. The only remaining consideration lies in long-term policy decisions, such as acceptable risk parameter caps.