Nexalo · Smart Contract Security Assessment

Nexalo Smart Contract Audit

Zealynx audited Nexalo, an autonomous on-chain raffle protocol with six raffle products, Chainlink VRF for provably fair draws, multi-level referral commissions, NXL token vesting schedules, proportional staking rewards, and a BTC-backed treasury. The 4-day review identified 22 issues including 3 Critical (private key exposure, NXL distribution failure causing fund lockup, snapshot-balance manipulation), 5 High (ticket ownership overwrite, flawed staking reward distribution, locked stablecoins, diluted rewards, and broken ticket index continuity), 10 Medium and 4 Low. 14 findings were fixed; 8 were acknowledged or resolved by removing the feature.

Ethereum · Solidity · Smart Contract Code Review · 2025-12-22 · Zealynx methodology
Total findings: 22 (14 fixed · 8 acknowledged)
Critical: 3
High: 5
Medium: 10
Low + Info: 4 (4 Low, 0 Informational)

02 Scope

Files: 6 (1,150 SLOC)
Initial commit: da7c925bec3b
Platform: Ethereum · Solidity
Methodology: Zealynx methodology

Files in scope:
  • NexumManager.sol
  • ReferralNetwork.sol
  • AmbassadorRegistry.sol
  • NXLToken.sol
  • NexaloStaking.sol
  • TreasuryBTC.sol
03 Findings

Severity | ID          | Finding | Status
Critical | F-2025-0001 | Private key in plain sight in .env | Fixed
Critical | F-2025-0002 | NXL distribution failure during ticket purchase leads to permanent fund lockup and broken lottery rounds | Fixed
Critical | F-2025-0003 | TreasuryBTC::claimRewards can be manipulated due to balanceOf() | Acknowledged
High     | F-2025-0004 | Ticket ownership can be overwritten due to incorrect logic in NexumManager::buyTickets | Fixed
High     | F-2025-0005 | Flawed reward distribution mechanism causes pool depletion and DoS in NexaloStaking | Fixed
High     | F-2025-0006 | Raffles may not distribute all funds, resulting in locked stablecoins during distribution | Fixed
High     | F-2025-0007 | Idle NXL in the token contracts results in diluted rewards for users in TreasuryBTC | Acknowledged
High     | F-2025-0008 | Broken ticket index continuity leads to invalid winner selection and product.maxTickets invariant break | Acknowledged
Medium   | F-2025-0009 | Incorrect access control in TreasuryBTC::withdrawForStaking | Acknowledged
Medium   | F-2025-0010 | Denial of service in AmbassadorRegistry::distributeFunds due to USDC/USDT blacklist behaviour | Fixed
Medium   | F-2025-0011 | fulfillRandomWords may revert, causing loss of funds and DoS in rewards distribution | Fixed
Medium   | F-2025-0012 | Funds available for distribution are burned if a user paid for more rewards, resulting in a loss of rewards | Fixed
Medium   | F-2025-0013 | Incomplete accounting in receiveFunds() leads to permanent denial of service after reward claims | Fixed
Medium   | F-2025-0014 | Missing VRF failure handling leads to permanent round lock and fund freezing | Fixed
Medium   | F-2025-0015 | Immutable audit funds address and missing approval mechanism leads to unreachable cleanup logic and mixed fund accounting | Fixed
Medium   | F-2025-0016 | Broken token burn logic prevents undistributed reward cleanup | Acknowledged
Medium   | F-2025-0017 | Insufficient available rewards will result in locked staked funds for users | Acknowledged
Medium   | F-2025-0018 | Distribution of NXL failing during round settlement will not deactivate the product, resulting in a new raffle with new rewards available | Fixed
Low      | F-2025-0019 | Unsafe ERC20 transfer operations allow silent failures and incompatibility with non-standard tokens | Fixed
Low      | F-2025-0020 | Incorrect emergency withdrawal implementation allows extraction of active round funds | Acknowledged
Low      | F-2025-0021 | Uninitialized lastWithdrawalTime allows immediate first withdrawal bypassing 30-day timelock | Acknowledged
Low      | F-2025-0022 | Raffle winner can also win instant rewards, which will give them more than 50% of the expected allocation | Fixed
04 Key Findings

  • Private key in plain sight in .env. Sensitive credentials, including API keys and private keys, were committed to environment files in the repository, exposing them to anyone with repository access. Removing the file from the working tree is not enough, because the secrets remain in git history, so all keys required immediate rotation and the .env file had to be added to .gitignore.
  • NXL distribution failure causes permanent fund lockup. buyTickets() and buySpecificTickets() accept payment and assign tickets before distributing NXL rewards. When NXL is exhausted, _distributeNXL() deactivates the product mid-transaction, leaving rounds incomplete with funds permanently trapped and no recovery mechanism.
  • TreasuryBTC::claimRewards manipulation via live balanceOf(). Reward claims use live NXL balances at claim time instead of snapshot balances, allowing users to transfer NXL between addresses and claim the same snapshot rewards multiple times, draining the TreasuryBTC contract.
  • Ticket ownership overwrite in NexumManager::buyTickets. Sequential ticket assignment does not check existing ownership. Tickets previously bought via buySpecificTickets at high indices can be overwritten by sequential purchases, allowing attackers to steal ticket ownership and claim prizes intended for other buyers.
  • Flawed reward distribution causes pool depletion and DoS in NexaloStaking. Rewards are calculated independently per user from hardcoded USD values rather than proportionally to the available WBTC pool, so the sum of promised rewards can exceed the pool balance; once it does, the transfers fail and every subsequent stake and unstake reverts.
  • Broken ticket index continuity violates product.maxTickets invariant. buySpecificTickets allows non-consecutive ticket numbers but only increments round.ticketsSold by count, creating gaps in ownership. The protocol can select winners from unowned indices, sending rewards to address(0).
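The TreasuryBTC::claimRewards finding above, rebuilt as an added Python model. This is not Nexalo's code or material from the report: the class names, the pro-rata reward formula and the balances are constructed for the example, and the accounting is modelled in Python rather than Solidity so it can be run offline. The vulnerable treasury prices a claim from the live balance and only remembers which addresses have claimed; the fixed one freezes a balance snapshot when the epoch opens.

```python
# Added illustration, not code from the Nexalo contracts or the audit report:
# a reward epoch paid out pro rata to token holders. The vulnerable variant
# reads balanceOf() at claim time (the pattern behind F-2025-0003); the fixed
# variant freezes a balance snapshot when the epoch opens. All names, the
# pro-rata formula and the numbers below are constructed for this example.


class TokenModel:
    """Minimal ERC20-style balance ledger (hypothetical stand-in for NXL)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class LiveBalanceTreasury:
    """Vulnerable: share = pool * balanceOf(who) / supply, read at claim time.

    'claimed' only remembers addresses, so the same tokens can be moved to a
    fresh address and counted again."""

    def __init__(self, token, reward_pool):
        self.token = token
        self.pool = reward_pool
        self.epoch_supply = token.total_supply()  # fixed when the epoch opens
        self.claimed = set()
        self.paid_out = 0

    def claim(self, who):
        if who in self.claimed:
            raise ValueError("already claimed")
        share = self.pool * self.token.balance_of(who) // self.epoch_supply
        if self.paid_out + share > self.pool:
            raise ValueError("reward pool exhausted")  # honest claimants hit this
        self.claimed.add(who)
        self.paid_out += share
        return share


class SnapshotTreasury:
    """Fixed: balances are copied when the epoch opens and claims are priced
    from that copy, so transfers after the snapshot change nothing."""

    def __init__(self, token, reward_pool):
        self.snapshot = dict(token.balances)
        self.pool = reward_pool
        self.epoch_supply = sum(self.snapshot.values())
        self.claimed = set()
        self.paid_out = 0

    def claim(self, who):
        if who in self.claimed:
            raise ValueError("already claimed")
        share = self.pool * self.snapshot.get(who, 0) // self.epoch_supply
        if self.paid_out + share > self.pool:
            raise ValueError("reward pool exhausted")
        self.claimed.add(who)
        self.paid_out += share
        return share


def run_epoch(treasury_cls, reward_pool=1000):
    """Attacker holds 100 of 200 tokens and rotates them through sybil
    addresses, claiming from each; an honest holder of the other 100 claims
    last. Returns (attacker_total, honest_share)."""
    token = TokenModel({"attacker": 100, "honest": 100})
    treasury = treasury_cls(token, reward_pool)
    attacker_total = 0
    holder = "attacker"
    for addr in ("attacker", "sybil1", "sybil2"):
        if addr != holder:
            token.transfer(holder, addr, 100)  # same 100 tokens, new address
            holder = addr
        try:
            attacker_total += treasury.claim(addr)
        except ValueError:
            break
    try:
        honest_share = treasury.claim("honest")
    except ValueError:
        honest_share = 0  # pool already drained
    return attacker_total, honest_share


if __name__ == "__main__":
    print("live balanceOf():", run_epoch(LiveBalanceTreasury))  # (1000, 0)
    print("snapshot:        ", run_epoch(SnapshotTreasury))     # (500, 500)
```

With the live balance the attacker collects the whole 1000-unit pool from two addresses and the honest holder's claim reverts; with the snapshot each side receives the 500 it is entitled to. On-chain, the snapshot is usually a checkpointed balance (the kind OpenZeppelin's ERC20Votes exposes through getPastVotes) plus a per-epoch claimed flag, rather than a full copy of the balance map.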
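The two NexumManager ticket findings above (sequential sales overwriting owned indices, and ticketsSold counting purchases rather than indices) share one root cause, so here is one added Python model that exercises both. It is not NexumManager.sol or material from the report: class, field and account names and the numbers are constructed, and the raffle is modelled in Python rather than Solidity so the accounting can be run offline. The vulnerable round reproduces both defects; the fixed round checks ownership on every assignment and draws winners only from a dense list of sold indices.

```python
# Added illustration, not code from NexumManager.sol or the audit report: a
# raffle round that sells tickets both sequentially and by explicit index.
# The vulnerable variant reproduces the defects behind F-2025-0004 (sequential
# sales overwrite owned indices) and F-2025-0008 (ticketsSold counts purchases,
# not indices, so a "sold" index can be unowned); the fixed variant keeps a
# dense list of sold indices and checks ownership before every assignment.
# All names and numbers are constructed for this example.

ZERO_ADDRESS = "0x0"


class VulnerableRound:
    def __init__(self, max_tickets):
        self.max_tickets = max_tickets
        self.owner = {}        # ticket index -> owner
        self.tickets_sold = 0  # counter, wrongly assumed to be the next free index

    def buy_tickets(self, buyer, count):
        if self.tickets_sold + count > self.max_tickets:
            raise ValueError("sold out")
        for idx in range(self.tickets_sold, self.tickets_sold + count):
            self.owner[idx] = buyer  # no check that idx is still free
        self.tickets_sold += count

    def buy_specific(self, buyer, indices):
        for idx in indices:
            if not 0 <= idx < self.max_tickets or idx in self.owner:
                raise ValueError("ticket unavailable")
            self.owner[idx] = buyer
        self.tickets_sold += len(indices)  # counter drifts from the index space

    def pick_winner(self, random_word):
        idx = random_word % self.tickets_sold
        return self.owner.get(idx, ZERO_ADDRESS)  # unowned index pays address(0)

    def invariant_holds(self):
        return self.tickets_sold == len(self.owner) <= self.max_tickets


class FixedRound:
    def __init__(self, max_tickets):
        self.max_tickets = max_tickets
        self.owner = {}
        self.sold = []   # dense list of sold indices, in purchase order
        self.cursor = 0  # lowest index not yet scanned by sequential sales

    @property
    def tickets_sold(self):
        return len(self.sold)

    def _assign(self, buyer, idx):
        if not 0 <= idx < self.max_tickets or idx in self.owner:
            raise ValueError("ticket unavailable")
        self.owner[idx] = buyer
        self.sold.append(idx)

    def buy_tickets(self, buyer, count):
        if self.tickets_sold + count > self.max_tickets:
            raise ValueError("sold out")
        assigned = 0
        while assigned < count:
            if self.cursor not in self.owner:  # skip indices sold by buy_specific
                self._assign(buyer, self.cursor)
                assigned += 1
            self.cursor += 1

    def buy_specific(self, buyer, indices):
        if self.tickets_sold + len(indices) > self.max_tickets:
            raise ValueError("sold out")
        for idx in indices:
            self._assign(buyer, idx)

    def pick_winner(self, random_word):
        # draw over sold tickets only, so every candidate has an owner
        return self.owner[self.sold[random_word % len(self.sold)]]

    def invariant_holds(self):
        return self.tickets_sold == len(self.owner) <= self.max_tickets


def scenario(round_cls):
    """Alice picks tickets 2 and 3, then Bob buys three sequential tickets."""
    rnd = round_cls(max_tickets=10)
    rnd.buy_specific("alice", [2, 3])
    rnd.buy_tickets("bob", 3)
    return {
        "alice": sorted(i for i, o in rnd.owner.items() if o == "alice"),
        "tickets_sold": rnd.tickets_sold,
        "owned": len(rnd.owner),
        "winner": rnd.pick_winner(0),
        "invariant": rnd.invariant_holds(),
    }


if __name__ == "__main__":
    print(scenario(VulnerableRound))
    print(scenario(FixedRound))
```

In the vulnerable round Bob's sequential purchase lands on indices 2, 3 and 4, silently taking Alice's two tickets, and ticketsSold reaches 5 while only three indices have an owner; a random word of 0 selects index 0, which nobody bought, so the prize would go to address(0). The fixed round gives Bob indices 0, 1 and 4, keeps ticketsSold equal to the number of owned tickets, and can only ever draw an index that was actually sold.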
05 Team & approval

Lead Auditor: Carlos (Bloqarl) · @TheBlockChainer
Auditor: Stephen · @derastephh
Auditor: Springfield Yonga · @0xspryon
Auditor: Strapontin · @0xStrapontin
06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Download PDF (54p)
ZEALYNX SECURITY · published 2025-12-22

© 2026 Zealynx