Ribbon · Smart Contract Security Assessment

Ribbon Protocol Vault & Points

Zealynx audited Ribbon Protocol's HealthFi vault and points contracts: a tokenized primary healthcare platform that uses health information NFTs as collateral. The 202 nSLOC review identified 7 issues, 3 Medium (unchecked ERC20 transfers, token decimals mishandling, fee-on-transfer accounting) and 4 Low (single-step ownership, signature replay logic, zero address checks, input validation), all acknowledged.

Ethereum · Solidity · Smart Contract Code Review · 2024-05-28 · Zealynx methodology

Total findings: 7 (0 fixed · 7 acknowledged)
Critical: 0
High: 0
Medium: 3
Low + Info: 4
02 · Scope

2 files · 202 SLOC
Platform: Ethereum · Solidity
Files in scope: points, ribbonVault

03 · Findings

04 · Key Findings

  • Implement safe transfer methods for ERC20 tokens. The vault calls the original transfer function on ERC20 tokens without checking the return value, which several non-standard tokens (USDT among them) silently fail on. Five vault paths including withdrawfees, claimPointsAdmin, and swapToPaymentCoinAdmin are exposed.
  • Incorrect handling of token decimals. The contract assumes all ERC20 tokens have 18 decimals, hardcoding the assumption into transfer, calculation, and conversion functions. Tokens with fewer decimals would be processed at incorrect amounts, leading to balance discrepancies and operational failures.
  • Fee-on-transfer tokens break swapToPaymentCoinAdmin accounting. The function assumes the transferred amount is received in full, so any fee-on-transfer token causes amountReceived to be less than pointToSwap, producing incorrect calculations and accounting drift.
  • Single-step ownership transfer in RibbonVault constructor. The vault inherits OpenZeppelin's Ownable which transfers ownership in a single step. A typo at deployment would permanently brick every onlyOwner function with no recovery path.
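The three Medium findings and the ownership point side by side, as an added illustration written for this page rather than code from Ribbon's contracts; the contract and function names (VaultUnsafe, VaultSafe, swapIn, _to18, withdrawFees) are hypothetical, and the imports assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

// Illustrative vulnerable pattern (hypothetical, not Ribbon's code): the transfer's
// return value is ignored, the amount received is assumed equal to the amount sent,
// and every token is treated as if it had 18 decimals.
contract VaultUnsafe is Ownable {
    uint256 public pointBalance;

    constructor() Ownable(msg.sender) {} // single-step: a wrong owner cannot be undone

    function swapIn(IERC20 token, uint256 pointToSwap) external {
        token.transferFrom(msg.sender, address(this), pointToSwap); // USDT returns no bool
        uint256 amountReceived = pointToSwap;                        // wrong for fee-on-transfer
        pointBalance += amountReceived;                              // 6-decimal token credited at 1e-12x
    }
}

// Hardened pattern: SafeERC20 reverts on a false or missing return value, the credited
// amount is measured as a balance delta, decimals are read from the token, and
// Ownable2Step requires the new owner to accept before control moves.
contract VaultSafe is Ownable2Step {
    using SafeERC20 for IERC20;
    uint256 public pointBalance; // always held in 18-decimal units

    constructor(address initialOwner) Ownable(initialOwner) {}

    function swapIn(IERC20 token, uint256 pointToSwap) external {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), pointToSwap);
        uint256 amountReceived = token.balanceOf(address(this)) - before; // what actually arrived
        pointBalance += _to18(amountReceived, IERC20Metadata(address(token)).decimals());
    }

    // Scale `amount` from the token's decimals to 18; tokens above 18 decimals are rejected.
    function _to18(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        require(decimals <= 18, "unsupported decimals");
        return amount * 10 ** (18 - decimals);
    }

    function withdrawFees(IERC20 token, address to, uint256 amount) external onlyOwner {
        token.safeTransfer(to, amount); // reverts instead of silently failing
    }
}
```

The balance-delta measurement is the only reliable way to credit a fee-on-transfer token; reading `decimals()` at call time assumes the token implements the optional metadata extension.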

05 · Team & approval

Lead Auditor: Sergio (Secoalba), @Seecoalba
Auditor: Carlos (Bloqarl), @TheBlockChainer

06 · Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.
