RXT Token · Smart Contract Security Assessment

RXT Token NFT Contract

Co-audit conducted by Zealynx and Soken of the RXT Token NFT contract on Polygon, an OpenSea-style ERC-1155 asset contract with native meta-transaction support. The 12 findings (4 High, 2 Medium, 3 Low, 3 Informational) focus on meta-transaction security: gas griefing and replay risks in NativeMetaTransaction, reentrancy in executeMetaTransaction, ERC-165 supportsInterface gas accounting, and unbounded loops in batch operations. All findings were reported as Open at the time of publication.

Total findings: 12 (0 fixed · 12 acknowledged)
Critical: 0
High: 4
Medium: 2
Low + Info: 6
02 · Scope

1 file in scope: RXT Token (Polygon address 0x2953399124f0cbb46d2cbacd8a89cf0599974963)
03 · Findings

04 · Key Findings

  • Insufficient gas griefing attack on NativeMetaTransaction. The executeMetaTransaction flow only increments the user nonce after the inner verify(...) and signature check, so a transaction that runs out of gas mid-execution leaves the nonce unchanged and allows the same signed payload to be replayed.
  • Reentrancy in executeMetaTransaction can lead to loss of funds. The function performs address(this).call(...) without a reentrancy guard, letting a malicious recipient re-enter the meta-transaction handler and manipulate nonce state or value transfers during the call.
  • Unbounded loops across balanceOfBatch, safeBatchTransferFrom, _batchMint, _burnBatch, batchBurn, and batchMint. Each iterates over an unrestricted input array, so a sufficiently long array exceeds the block gas limit and the call can never succeed, potentially locking assets and degrading user experience.
  • Owner is a single point of failure and a centralization risk. Sixteen privileged functions are gated by a single EOA owner with no timelock and no multisig requirement, so a compromised key can cause severe damage to the project.
  • supportsInterface is exposed to insufficient-gas misreporting. The ERC-165 helper relies on the caller supplying enough gas; under EIP-150's 1/64 rule the function can throw out-of-gas and silently report an interface as unsupported when in fact it is supported, breaking downstream integrations.
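The mitigations a reviewer would expect for the first two findings, as an added Solidity example that is not the audited RXT Token code: the nonce is consumed before the inner self-call, the handler is guarded against re-entry, and an EIP-150 gas check stops a relayer from starving the forwarded call. The contract name, the EIP-712 type string and the signed `gasLimit` field are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the audited RXT Token code. Contract name, EIP-712 type
// string and the signed `gasLimit` field are this example's own assumptions.
contract MetaTxGuarded {
    bytes32 private constant META_TX_TYPEHASH = keccak256(
        "MetaTransaction(uint256 nonce,address from,uint256 gasLimit,bytes functionSignature)"
    );
    bytes32 public immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;
    uint256 private _lock = 1; // 1 = free, 2 = entered
    event MetaTransactionExecuted(address indexed user, address indexed relayer, bool success);

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("MetaTxGuarded"), keccak256("1"), block.chainid, address(this)
        ));
    }

    // The inner self-call cannot re-enter this handler and touch nonce or value state.
    modifier nonReentrant() { require(_lock == 1, "reentrant call"); _lock = 2; _; _lock = 1; }
    function executeMetaTransaction(
        address user, uint256 gasLimit, bytes calldata functionSignature, bytes32 r, bytes32 s, uint8 v
    ) external payable nonReentrant returns (bool success, bytes memory ret) {
        uint256 nonce = nonces[user];
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, keccak256(
            abi.encode(META_TX_TYPEHASH, nonce, user, gasLimit, keccak256(functionSignature))
        )));
        require(user != address(0) && ecrecover(digest, v, r, s) == user, "bad signature");

        // Effects before interaction: the nonce is spent before the call, so the same
        // signed payload can never be executed twice, whatever the inner call does.
        nonces[user] = nonce + 1;

        // The user address is appended for a ContextMixin-style msgSender() in the callee.
        (success, ret) = address(this).call{gas: gasLimit, value: msg.value}(
            abi.encodePacked(functionSignature, user)
        );

        // EIP-150 forwards at most 63/64 of the remaining gas. If less than gasLimit/63 is
        // left now, the relayer may have starved the inner call; burn all gas so a starved
        // call cannot be recorded as a failed execution that consumed the user's nonce.
        if (gasleft() < gasLimit / 63) { assembly { invalid() } }
        emit MetaTransactionExecuted(user, msg.sender, success);
        // Failure is reported, not reverted, so the nonce stays consumed: callers must check
        // `success`; reverting here would undo the nonce update and reopen replay.
    }
}
```

Unlike a handler that reverts when the inner call fails, this one reports `success` and keeps the nonce consumed, so integrators must check the returned flag.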
05 · Team & approval

Lead auditor: Soken
Co-auditor: Zealynx Security
06 · Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Full report: PDF, 27 pages · Zealynx Security · published 2023-10-06 · 12 findings · Solidity
