Wedefin · Smart Contract Security Assessment

Zealynx audited the Wedefin protocol, a decentralized index fund whose asset allocation is dictated by a community competition of trader-built portfolios ranked on-chain by liquidity, volatility, and profit. The review covered 15 Solidity contracts (1,294 nSLOC) including the portfolio, manager, ranker, swap, lender, and treasury modules. It identified 17 issues: 3 High (including a treasury reentrancy draining all ETH), 8 Low, and 6 Informational suggestions. All findings were acknowledged.

Ethereum · Solidity · Smart Contract Code Review · 2024-05-28 · Zealynx methodology

Total findings: 17 (0 fixed · 17 acknowledged)
Critical: 0 · High: 3 · Medium: 0 · Low + Info: 14
02 · Scope

15 files · 1,294 SLOC
Platform: Ethereum · Solidity
Methodology: Zealynx methodology

Files in scope:
  • WEDXBasePortfolio.sol
  • WEDXProPortfolio.sol
  • WEDXIndexPortfolio.sol
  • distroMath.sol
  • IWEDXInterfaces.sol
  • WEDXGroup.sol
  • WEDXswap.sol
  • WEDXlender.sol
  • WEDXlenderSingle.sol
  • WEDXManager.sol
  • WEDXRanker.sol
  • WEDXTreasury.sol
  • WEDXConstants.sol
  • WEDXDeployerPro.sol
  • WEDXDeployerIndex.sol
03 · Findings

04 · Key Findings

  • Missing refundETH() in WEDXswap::swapNative. SwapRouter swaps that end with unspent ETH (price limit hit, partial liquidity, positive slippage) leave that ETH inside the router, where anyone can claim it via refundETH(), causing direct user loss.
  • Reentrancy in WEDXIndexPortfolio.supplyLendToken and withdrawLendToken. Aave lending calls happen before state updates and ERC-777 tokensToSend / tokensReceived hooks let a malicious token reenter, manipulating balances or duplicating supplies and withdrawals.
  • WEDXTreasury ETH can be drained by anyone via reentrancy in redeem. redeem sends ether before burning the caller's tokens; a contract callback re-enters with the same amountToRedeem until the treasury balance is zero.
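The first key finding (unspent ETH left in the router after a native swap) is illustrated below with an added example that is not Wedefin's WEDXswap code and not Zealynx's. It assumes a Uniswap V3 style SwapRouter exposing exactInputSingle, refundETH and multicall (a minimal interface subset is declared inline); the contract name SwapNativeExample, the weth address and the parameters are illustrative. The swap and the refund are batched in one multicall so that whatever ETH the router did not consume (price limit reached, partial liquidity) comes back to the caller contract in the same transaction and is then forwarded to the user, rather than sitting in the router where anyone can claim it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the Uniswap V3 SwapRouter interface (assumed; declared
// inline so the example compiles stand-alone).
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);

    // Sends any ETH still held by the router back to msg.sender.
    function refundETH() external payable;

    // Executes several router functions in one call; msg.value is shared.
    function multicall(bytes[] calldata data)
        external payable returns (bytes[] memory results);
}

// Hypothetical wrapper, not the project's WEDXswap contract.
contract SwapNativeExample {
    ISwapRouter public immutable router;
    address public immutable weth;

    constructor(ISwapRouter _router, address _weth) {
        router = _router;
        weth = _weth;
    }

    // The router's refundETH() pays this contract, so it must accept ETH.
    receive() external payable {}

    function swapNative(
        address tokenOut,
        uint24 fee,
        uint256 amountOutMinimum,
        uint160 sqrtPriceLimitX96,
        uint256 deadline
    ) external payable returns (uint256 amountOut) {
        require(msg.value > 0, "no ETH sent");

        ISwapRouter.ExactInputSingleParams memory p = ISwapRouter.ExactInputSingleParams({
            tokenIn: weth,
            tokenOut: tokenOut,
            fee: fee,
            recipient: msg.sender,          // output token goes straight to the user
            deadline: deadline,
            amountIn: msg.value,
            amountOutMinimum: amountOutMinimum,
            sqrtPriceLimitX96: sqrtPriceLimitX96
        });

        // Batch the swap and the refund: if the swap stops early (price limit
        // hit, partial liquidity), the unused ETH is returned here instead of
        // being left in the router.
        bytes[] memory calls = new bytes[](2);
        calls[0] = abi.encodeCall(ISwapRouter.exactInputSingle, (p));
        calls[1] = abi.encodeCall(ISwapRouter.refundETH, ());

        bytes[] memory results = router.multicall{value: msg.value}(calls);
        amountOut = abi.decode(results[0], (uint256));

        // Forward whatever came back from refundETH() to the user.
        uint256 leftover = address(this).balance;
        if (leftover > 0) {
            (bool ok, ) = msg.sender.call{value: leftover}("");
            require(ok, "refund to user failed");
        }
    }
}
```

The important property is that refundETH() runs in the same transaction as the swap: a separate, later call would leave a window in which the router's balance is claimable by any caller. Forwarding address(this).balance assumes the wrapper holds no ETH of its own between calls, which is the case for a stateless pass-through like this one.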
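The second and third key findings share one root cause: an external call (an Aave supply or withdraw, or an ETH transfer) is made before the contract's own state is updated, so a callback can re-enter and pass the same checks again. The following added example is a simplified illustration and is not the project's WEDXTreasury code (it tracks a plain share balance rather than the project's tokens); contract and variable names are hypothetical. It shows the vulnerable ordering described for redeem next to a hardened version that applies checks-effects-interactions and a reentrancy guard, the same two measures that also close the ERC-777 hook path in the lending functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable ordering (hypothetical, mirrors the pattern described in the
// finding): the ETH transfer happens before the caller's balance is reduced.
contract TreasuryVulnerable {
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    function deposit() external payable {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    function redeem(uint256 amountToRedeem) external {
        require(amountToRedeem > 0, "zero amount");
        require(shares[msg.sender] >= amountToRedeem, "insufficient shares");
        uint256 payout = address(this).balance * amountToRedeem / totalShares;

        // BUG: shares[msg.sender] is still unchanged during this call, so a
        // receive() hook in the caller can invoke redeem() again with the same
        // amountToRedeem and pass the require() above until the balance is gone.
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");

        shares[msg.sender] -= amountToRedeem;   // effect recorded too late
        totalShares -= amountToRedeem;
    }
}

// Hardened version: effects before interactions, plus a mutex so that a
// re-entered call reverts even if a future edit reorders the statements.
contract TreasuryHardened {
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    uint256 private _locked = 1;   // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function deposit() external payable {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    function redeem(uint256 amountToRedeem) external nonReentrant {
        // Checks
        require(amountToRedeem > 0, "zero amount");
        require(shares[msg.sender] >= amountToRedeem, "insufficient shares");
        uint256 payout = address(this).balance * amountToRedeem / totalShares;

        // Effects: burn first, so any re-entrant call sees the reduced balance.
        shares[msg.sender] -= amountToRedeem;
        totalShares -= amountToRedeem;

        // Interaction last.
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}
```

Either measure alone blocks the drain described in the finding; using both is the usual defence in depth, because the guard protects every function it is applied to regardless of statement order, while the effects-first ordering keeps accounting correct even for functions that legitimately need to call out more than once.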
05 · Team & approval

Lead Auditor: Sergio Corrales (@Seecoalba)
Auditor: Bloqarl (@TheBlockChainer)
06 · Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.
