Matchain · Smart Contract Security Assessment

Matchain Genesis License

Zealynx audited the Matchain Genesis License NFT and its companion NFT-staking contract for Immunefi. The 3-day review identified 14 issues including 1 Critical (reward dilution from a fixed denominator that ignores actual staked count), 1 High (front-running rewardDistribution() to capture rewards without time staked), and 1 Medium (mint replay protection missing a nonce). 4 issues were fixed and 10 were acknowledged.

Matchain · Solidity · Smart Contract Code Review · 2025-07-10 · Zealynx methodology
Total findings: 14 (4 fixed · 10 acknowledged)
Critical: 1 · High: 1 · Medium: 1 · Low + Info: 11

02 Scope

Files in scope: 2 (GenesisLicense.sol, GenesisLicenseStaking.sol)
Initial commit: f2af794e8686
Platform: Matchain · Solidity
Methodology: Zealynx methodology

03 Findings

Severity · ID · Finding · Status
Critical · F-2025-0001 · Incorrect reward distribution logic in GenesisLicenseStaking causes stakers to earn less than expected · Acknowledged
High · F-2025-0002 · Front-running rewardDistribution() allows reward sniping without real staking · Acknowledged
Medium · F-2025-0003 · Replay protection in mint() lacks nonce, preventing legitimate repeated mints with same parameters · Acknowledged
Low · F-2025-0004 · Missing signature expiration in EIP-712 mint authorization enables perpetual replay attacks · Acknowledged
Low · F-2025-0005 · Lack of unclaimed rewards recovery mechanism leads to permanent token lockup · Acknowledged
Low · F-2025-0006 · Missing return value check for EnumerableSet .add() and .remove() operations · Acknowledged
Low · F-2025-0007 · Inconsistent use of transfer instead of safeTransfer in stMAT operations enables silent failures · Fixed
Low · F-2025-0008 · Use Ownable2StepUpgradeable instead of OwnableUpgradeable · Acknowledged
Low · F-2025-0009 · Unbounded array input in batch functions allows potential DoS attacks and gas griefing · Acknowledged
Info · F-2025-0010 · Call __ReentrancyGuard_init() and __ERC721Enumerable_init() in initialize() for best practices · Fixed
Info · F-2025-0011 · Potential cross-chain and cross-contract replay attack on future deployments · Acknowledged
Info · F-2025-0012 · Identical error messages for different validation checks leads to reduced debugging clarity · Fixed
Info · F-2025-0013 · Use custom errors instead of string-based require statements · Acknowledged
Info · F-2025-0014 · Use of floating pragma allows potential compiler version changes and reduces build determinism · Fixed
04 Key Findings

  • Reward distribution uses a fixed denominator instead of actual staked count. GenesisLicenseStaking divides incoming rewards by NFT_AMOUNT_PER_STAKING_POOL = 20000, assuming all 20,000 NFTs are minted and staked. In practice only a fraction are staked at any time, so each staker receives a share diluted across an inflated, fixed denominator.
  • rewardDistribution() is sandwich-attackable. Because pending rewards are computed as the delta of stakingRewardPerGL rather than weighted by staking time, a watcher can stake right before a known rewardDistribution() call and unstake immediately after, capturing the full reward without meaningful time staked.
  • mint() signature replay protection lacks a nonce. The EIP-712 hash is composed only of (to, value, stakingPool). Repeated legitimate mints with identical parameters all hash the same and are rejected as replays after the first; recommend adding a per-address nonce to the signed struct.
  • EIP-712 mint signatures have no expiration. Once issued, a mint() signature is valid indefinitely until used, so authorisations cannot be invalidated except by consuming them. Recommend adding a deadline parameter to the signed struct.
  • No recovery mechanism for unclaimed rewards. Rewards inserted into the claim queue can sit indefinitely if the user never calls claim(). There is no expiration window and no admin path to recover or redistribute the locked balance.
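The first two key findings and the unclaimed-rewards finding share one root cause: the reward accounting. The contract below is an added illustration, not Zealynx's or Matchain's code, of how a defender would restructure GenesisLicenseStaking's reward maths. Incoming rewards are divided by the NFTs actually staked (totalStaked) rather than by NFT_AMOUNT_PER_STAKING_POOL, each rewardDistribution() streams its amount over a period (the Synthetix StakingRewards pattern) so a stake placed just before the call and removed just after accrues only seconds' worth, and an owner-only sweep reclaims balances that sit unclaimed past a window. REWARD_DURATION, CLAIM_WINDOW, the interface names, the stMAT and licence constructor parameters and the function names are assumptions; the vulnerable shape the report describes would be `rewardPerGL += amount / NFT_AMOUNT_PER_STAKING_POOL` with pending rewards computed as a lump-sum delta of that accumulator.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24; // pinned, not floating (cf. F-2025-0014)

// Added example, not the project's code; interface and variable names are assumptions.
interface IERC721Minimal { function transferFrom(address from, address to, uint256 id) external; }
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GenesisLicenseStakingExample {
    IERC721Minimal public immutable license;
    IERC20Minimal public immutable stMAT;
    address public immutable owner;
    uint256 public constant REWARD_DURATION = 7 days;  // assumed streaming window
    uint256 public constant CLAIM_WINDOW = 90 days;    // assumed recovery window

    uint256 public totalStaked;           // the real denominator, not a fixed 20000
    uint256 public rewardRate;            // stMAT wei streamed per second to the whole pool
    uint256 public periodFinish;
    uint256 public lastUpdate;
    uint256 public rewardPerTokenStored;  // scaled by 1e18
    mapping(address => uint256) public stakedCount;
    mapping(address => uint256) public userRewardPerTokenPaid;
    mapping(address => uint256) public rewards;       // accrued, unclaimed stMAT
    mapping(address => uint256) public lastActivity;  // last stake/unstake/claim
    mapping(uint256 => address) public stakerOf;

    constructor(IERC721Minimal _license, IERC20Minimal _stMAT) {
        license = _license; stMAT = _stMAT; owner = msg.sender;
    }

    // Reward accumulated per staked NFT: weighted by elapsed time and divided by totalStaked.
    function rewardPerToken() public view returns (uint256) {
        if (totalStaked == 0) return rewardPerTokenStored;
        uint256 until = block.timestamp < periodFinish ? block.timestamp : periodFinish;
        return rewardPerTokenStored + (until - lastUpdate) * rewardRate * 1e18 / totalStaked;
    }

    function earned(address a) public view returns (uint256) {
        return rewards[a] + stakedCount[a] * (rewardPerToken() - userRewardPerTokenPaid[a]) / 1e18;
    }

    modifier updateReward(address a) {
        rewardPerTokenStored = rewardPerToken();
        lastUpdate = block.timestamp < periodFinish ? block.timestamp : periodFinish;
        if (a != address(0)) { rewards[a] = earned(a); userRewardPerTokenPaid[a] = rewardPerTokenStored; }
        _;
    }

    // Owner funds a period. A stake placed just before this call and removed just after
    // only sees a few seconds of the stream; leftover from a running period rolls over.
    function rewardDistribution(uint256 amount) external updateReward(address(0)) {
        require(msg.sender == owner, "not owner");
        require(stMAT.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 leftover = block.timestamp < periodFinish ? (periodFinish - block.timestamp) * rewardRate : 0;
        rewardRate = (amount + leftover) / REWARD_DURATION;
        lastUpdate = block.timestamp;
        periodFinish = block.timestamp + REWARD_DURATION;
    }

    function stake(uint256[] calldata ids) external updateReward(msg.sender) {
        for (uint256 i = 0; i < ids.length; i++) {
            license.transferFrom(msg.sender, address(this), ids[i]);
            stakerOf[ids[i]] = msg.sender;
        }
        stakedCount[msg.sender] += ids.length;
        totalStaked += ids.length;
        lastActivity[msg.sender] = block.timestamp;
    }

    function unstake(uint256[] calldata ids) external updateReward(msg.sender) {
        for (uint256 i = 0; i < ids.length; i++) {
            require(stakerOf[ids[i]] == msg.sender, "not the staker");
            delete stakerOf[ids[i]];
            license.transferFrom(address(this), msg.sender, ids[i]);
        }
        stakedCount[msg.sender] -= ids.length;
        totalStaked -= ids.length;
        lastActivity[msg.sender] = block.timestamp;
    }

    function claim() external updateReward(msg.sender) {
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;  // effects before the external call
        lastActivity[msg.sender] = block.timestamp;
        require(stMAT.transfer(msg.sender, amount), "transfer failed");
    }

    // Recovery for rewards nobody claims: an account with nothing staked and no activity for
    // CLAIM_WINDOW can have its accrued balance swept to a treasury instead of sitting forever.
    function sweepUnclaimed(address account, address treasury) external {
        require(msg.sender == owner, "not owner");
        require(stakedCount[account] == 0, "still staking");
        require(block.timestamp > lastActivity[account] + CLAIM_WINDOW, "claim window open");
        uint256 amount = rewards[account];  // exact: with nothing staked, earned() == rewards
        rewards[account] = 0;
        require(stMAT.transfer(treasury, amount), "transfer failed");
    }
}
```

Two design notes. Streaming means rewards that accrue while totalStaked is zero stay in the contract rather than being assigned to the next staker, which is the conservative choice for a pool whose staked count fluctuates. The ERC-20 return values are checked here because the minimal interface declares them; against a token that returns nothing, this interface would revert on decoding, so a production version would use OpenZeppelin's SafeERC20 (the point of F-2025-0007) rather than the bare calls shown.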
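For the mint() findings (missing nonce, missing deadline, and the cross-chain and cross-contract replay listed as F-2025-0011), the following is an added sketch, not the project's contract, of an EIP-712 authorisation that keeps the page's (to, value, stakingPool) fields and adds a per-address nonce and a deadline, with chainId and the verifying contract in the domain separator. The struct and domain names, the treatment of value as a count of licences to mint, the 20-per-call cap and the toy ownership mapping standing in for ERC-721 are assumptions; custom errors follow the recommendation in F-2025-0013.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

// Added example, not the project's code. The signed struct carries (to, value, stakingPool)
// from the report plus a per-address nonce and a deadline; the domain separator pins the
// chainId and this contract's address. Names other than those three fields are assumptions.
contract GenesisLicenseMintAuthExample {
    error Expired(uint256 deadline);   // distinct errors per check (cf. F-2025-0012, F-2025-0013)
    error BadSignature();
    error BadBatch(uint256 value);

    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    bytes32 private constant MINT_TYPEHASH =
        keccak256("Mint(address to,uint256 value,uint256 stakingPool,uint256 nonce,uint256 deadline)");
    // secp256k1 group order / 2: signatures with s above this are rejected so each message
    // has exactly one accepted encoding.
    uint256 private constant HALF_ORDER = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable signer;             // off-chain key that authorises mints
    bytes32 public immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;   // next expected nonce per recipient
    mapping(uint256 => address) public ownerOf;  // toy ownership record in place of full ERC-721
    mapping(uint256 => uint256) public poolOf;   // staking pool each licence was minted into
    uint256 public nextTokenId;

    constructor(address _signer) {
        signer = _signer;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("GenesisLicense"), keccak256("1"), block.chainid, address(this)));
    }

    // `value` is treated as the number of licences to mint (an assumption), capped per call.
    function mint(address to, uint256 value, uint256 stakingPool, uint256 deadline, bytes calldata sig)
        external
    {
        if (block.timestamp > deadline) revert Expired(deadline);
        if (value == 0 || value > 20) revert BadBatch(value);
        // The nonce is the replay guard: a second submission of the same signature recomputes
        // the digest with nonce+1 and fails verification, while a legitimate repeat mint with
        // identical (to, value, stakingPool) simply carries the next nonce and a fresh signature.
        uint256 nonce = nonces[to]++;
        bytes32 structHash = keccak256(abi.encode(MINT_TYPEHASH, to, value, stakingPool, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        if (_recover(digest, sig) != signer) revert BadSignature();
        for (uint256 i = 0; i < value; i++) {
            uint256 id = nextTokenId++;
            ownerOf[id] = to;
            poolOf[id] = stakingPool;
        }
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) revert BadSignature();
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (uint256(s) > HALF_ORDER || (v != 27 && v != 28)) revert BadSignature();
        address recovered = ecrecover(digest, v, r, s);
        if (recovered == address(0)) revert BadSignature();
        return recovered;
    }
}
```

Because the domain separator is computed from block.chainid and address(this) at deployment, a signature issued for this contract is rejected by a redeployment on another chain or at another address, which is the cross-deployment replay the report flags. The deadline bounds how long an issued authorisation stays valid, and consuming the nonce before the signature check costs nothing on failure since the whole transaction reverts.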
05 Team & approval

Auditor
Zealynx Security Researchers
06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

ZEALYNX SECURITY · published 2025-07-10
