The Moats V3 Smart Contract Audit

The Moats is a flexible staking and rewards protocol that lets project teams configure easy governance participation, time-weighted incentives, and multi-token reward distribution systems. Trusted by teams including Hefe the Walrus, Bensi Box, and Lucid Things, The Moats V3 introduces advanced lock mechanics and reward accounting designed for broad composability and reuse across ecosystems.

To support its mission of secure, permissionless participation, The Moats team commissioned FailSafe to perform a thorough smart contract audit prior to mainnet deployment. This audit examined economic logic, reward calculations, lock and multiplier dynamics, access control, and edge-case behavior across the core staking and factory contracts.

FailSafe’s review identified vulnerabilities across multiple components of the protocol. All Critical and High severity issues were remediated and verified prior to report finalization, ensuring a robust release candidate for production use.

Summary of Findings

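| Severity      | Total | Status                     |
|---------------|-------|----------------------------|
| Critical      | 2     | 2 Resolved                 |
| High          | 2     | 2 Resolved                 |
| Medium        | 8     | 6 Resolved, 2 Acknowledged |
| Low           | 5     | 2 Resolved, 3 Acknowledged |
| Informational | 2     | 1 Resolved, 1 Acknowledged |
| Total         | 19    | All Critical/High Resolved |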

Key Findings

1. Hardcoded POINTS_SCALING_FACTOR Incompatible with Low-Decimal Tokens

Severity: Critical | Status: Resolved

The protocol hardcoded POINTS_SCALING_FACTOR to 1e12 without considering the staking token’s decimal places. This created critical incompatibility with tokens having fewer than 12 decimals, such as USDT and WBTC.

This resulted in two severe issues:

  • Normal users could not earn points due to impossibly high staking requirements.
  • Precision truncation enabled attackers to accumulate points at near-zero cost.

The issue was fully resolved by updating the scaling logic to correctly account for token decimals.


2. Lock Multiplier Precision Loss Due to Premature Division

Severity: Critical | Status: Resolved

The lock multiplier calculation performed division before multiplication, causing precision loss. This resulted in permanent point loss for users and undermined the protocol’s incentive mechanisms.

The arithmetic order was corrected to preserve precision throughout calculations.
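
The truncation behind findings 1 and 2 can be reproduced with plain integer arithmetic. The following is an added example, not code from the MoatV3 contracts or the audit report: the points formulas, the basis-point multiplier (`BPS`) and the target of 10^6 point units per whole token are assumptions chosen for illustration, and the sample stakes are constructed.

```python
# Added illustration; the formulas are assumptions, not MoatV3 code.
# Python's // on non-negative ints truncates like Solidity's uint256 division.

HARDCODED_SCALE = 10**12        # POINTS_SCALING_FACTOR value named in finding 1
BPS = 10_000                    # assumed: lock multiplier in basis points (15_000 = 1.5x)
POINT_UNITS_PER_TOKEN = 10**6   # assumed target: what 1e12 gives an 18-decimal token


def points_divide_first(amount, multiplier_bps):
    """'Before' shape: each intermediate division truncates toward zero."""
    return (amount // HARDCODED_SCALE) * (multiplier_bps // BPS)


def points_multiply_first(amount, multiplier_bps, decimals):
    """'After' shape: scale by the token's decimals and divide once, last."""
    return amount * POINT_UNITS_PER_TOKEN * multiplier_bps // (10**decimals * BPS)


def compare(stake_x100, decimals, multiplier_bps):
    """Return (divide-first, multiply-first) points for a stake given in 1/100 tokens."""
    amount = stake_x100 * 10**decimals // 100   # convert to token base units
    return (points_divide_first(amount, multiplier_bps),
            points_multiply_first(amount, multiplier_bps, decimals))


# Constructed sample stakes: (label, stake in hundredths of a token, decimals)
SAMPLES = [
    ("18-decimal token, 1.50", 150, 18),
    ("6-decimal token, 500.00", 50_000, 6),
    ("8-decimal token, 1.00", 100, 8),
]

if __name__ == "__main__":
    for label, stake_x100, decimals in SAMPLES:
        before, after = compare(stake_x100, decimals, 15_000)
        print(f"{label:26} divide-first={before:>11,} multiply-first={after:>11,}")
```

With a 1.5x multiplier, the divide-first form drops the fractional part of the multiplier on the 18-decimal stake and returns zero for the 6- and 8-decimal stakes, while the multiply-first, decimals-aware form keeps both.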


3. Burn Migration Grants Retroactive Rewards

Severity: High | Status: Resolved

Users migrating burned locks were able to claim rewards retroactively that they were no longer entitled to.

Reward accounting logic was updated to prevent retroactive reward claims following burn migrations.


4. Expired Lock Point Recalculation Causes Reward Loss and System Imbalance

Severity: High | Status: Resolved

Expired locks triggered point recalculations that caused reward loss and system imbalance.

The recalculation logic was corrected to maintain consistent reward distribution.


Read about other findings in the full report below.

MoatV3 – FailSafe Security Report-Final

The Moats V3 Security Posture

The Moats team demonstrated a strong commitment to security throughout the audit process. Critical vulnerabilities were acknowledged promptly and remediated with clean, maintainable solutions. The team’s responsiveness to feedback and willingness to re-architect core reward logic shows engineering maturity and a deep understanding of incentive design.

MoatV3’s design is inherently complex, with time-weighted stakes, multi-token reward pipelines, and external reward scheduling. The successful remediation of key issues ensures the protocol’s staking and reward features behave reliably under real usage patterns.

By addressing all Critical and High findings and carefully documenting lower-severity tradeoffs, The Moats has positioned V3 for broader adoption with significantly reduced risk.

FailSafe’s Closing Remarks

Our collaboration with The Moats was focused on clarity, correctness, and economic robustness. Through detailed review cycles and iterative fixes, MoatV3’s contracts have reached a level of quality appropriate for live deployment.

As The Moats continues to expand its ecosystem integrations and support additional projects, FailSafe remains available as a long-term strategic security partner.