Need an audit or want to learn more about Macro’s services?
Reach out for an audit or to learn more about Macro
Security Audit
Dec 2, 2025
Version 1.0.0
Presented by 0xMacro
This document includes the results of the security audit for Fleek's smart contract code as found in the section titled ‘Source Code’. The security audit was performed by the Macro security team from November 3rd - 9th, 2025.
The purpose of this audit is to review the source code of certain Fleek Solidity contracts, and provide feedback on the design, architecture, and quality of the source code with an emphasis on validating the correctness and security of the software in its entirety.
Disclaimer: While Macro’s review is comprehensive and has surfaced some changes that should be made to the source code, this audit should not solely be relied upon for security, as no single audit is guaranteed to catch all possible bugs.
The following is an aggregation of issues found by the Macro Audit team:
| Severity | Count | Acknowledged | Won't Do | Addressed |
|---|---|---|---|---|
| Critical | 1 | - | - | 1 |
| High | 1 | - | - | 1 |
| Medium | 1 | - | - | 1 |
| Low | 1 | - | - | 1 |
| Informational | 1 | - | - | - |
Fleek was quick to respond to these issues.
Our understanding of the specification was based on the following sources:
The following source code was reviewed during the audit:
f6ede261b4f069e4238f4f2e3f01805478f4a662
e0fa18f2b4ac2fd390660b7abdfb686b02f292d2
Specifically, we audited the following contracts within this repository:
| Source Code | SHA256 |
|---|---|
| src/creator-tokens/core/BondingCurveFactory.sol |
|
| src/creator-tokens/core/CreatorCoinFactory.sol |
|
| src/creator-tokens/core/CreatorTokenFactory.sol |
|
| src/creator-tokens/curve/BondingCurve.sol |
|
| src/creator-tokens/hooks/UniversalAntiFlipFeeHook.sol |
|
| src/creator-tokens/libraries/AntiFlipFeeLib.sol |
|
| src/creator-tokens/libraries/BaseUniswapDeployments.sol |
|
| src/creator-tokens/libraries/Config.sol |
|
| src/creator-tokens/libraries/LinearCurveMath.sol |
|
| src/creator-tokens/tokens/CreatorCoin.sol |
|
| src/creator-tokens/tokens/CreatorVesting.sol |
|
Note: This document contains an audit solely of the Solidity contracts listed above. Specifically, the audit pertains only to the contracts themselves, and does not pertain to any other programs or scripts, including deployment scripts.
Click on an issue to jump to it, or scroll down to see them all.
We quantify issues in three parts:
This third part – the severity level – is a summary of how much consideration the client should give to fixing the issue. We assign severity according to the table of guidelines below:
| Severity | Description |
|---|---|
|
(C-x) Critical |
We recommend the client must fix the issue, no matter what, because not fixing would mean significant funds/assets WILL be lost. |
|
(H-x) High |
We recommend the client must address the issue, no matter what, because not fixing would be very bad, or some funds/assets will be lost, or the code’s behavior is against the provided spec. |
|
(M-x) Medium |
We recommend the client to seriously consider fixing the issue, as the implications of not fixing the issue are severe enough to impact the project significantly, albiet not in an existential manner. |
|
(L-x) Low |
The risk is small, unlikely, or may not relevant to the project in a meaningful way. Whether or not the project wants to develop a fix is up to the goals and needs of the project. |
|
(Q-x) Code Quality |
The issue identified does not pose any obvious risk, but fixing could improve overall code quality, on-chain composability, developer ergonomics, or even certain aspects of protocol design. |
|
(I-x) Informational |
Warnings and things to keep in mind when operating the protocol. No immediate action required. |
|
(G-x) Gas Optimizations |
The presented optimization suggestion would save an amount of gas significant enough, in our opinion, to be worth the development cost of implementing it. |
The BondingCurve sells creator tokens for Fleek tokens whose price adjusts along a linear bonding curve. After a set amount of tokens have been sold, _graduate() is called, which initializes a UniswapV4 pool with Fleek received, and a set amount of creator tokens:
PoolKey memory poolKey = PoolKey({
currency0: Currency.wrap(token0),
currency1: Currency.wrap(token1),
fee: POOL_FEE,
tickSpacing: TICK_SPACING,
hooks: IHooks(metadata.universalHook)
});
POOL_MANAGER.initialize(poolKey, startingPrice);
uint256 tokenId =
_mintAndBurnLiquidityPosition(poolKey, token0, token1, amount0, amount1, startingPrice);
Reference: BondingCurve.sol#L531-542
However, the input parameters to initialize the pool are known before _graduate() may be called, and could be initialized beforehand. If that were to occur, when graduate() eventually does get called, it would revert when calling initialize(), would revert, locking the fleek and creator tokens in the contract.
Remediations to Consider
Setup a beforeInitialize() callback to the UniversalAntiFlipFeeHook that reverts if the bondingCurve has not graduated, to prevent it from being initialized until it is ready.
There are additional fees set for selling either in the BondingCurve or in the uniswap pool via the UniversalAntiFlipFeeHook, which is determined in the AntiFlipFeeLib’s getTotalFee():
if (!isBuy) {
uint256 lastBuyTime = userLastBuy[user];
if (lastBuyTime > 0) {
uint256 windowDuration =
calculateWindow(user, creatorToken, lastBuyTime, entropyTimestamp);
uint256 elapsed = block.timestamp - lastBuyTime;
if (elapsed < windowDuration) {
totalFee += SNIPE_PENALTY_BPS;
}
}
}
Reference: AntiFlipFeeLib.sol#L90-78
The lastButTime is marked for a user on purchase, however, there is nothing preventing a user from transferring their tokens to another address that does not a set lastBuyTime, circumventing these extra fees intended to disincentivize sniping and selling without waiting, and results in less fees collected.
Remediations to Consider
Allow for tokens to be locked on purchase via the bondingCurve or hook for the duration of the window, with the exception of transferring to the bondingCurve or pool to allow for selling.
Additional fees are applied if selling within a variable window from the time of purchase. This variance of window is intended to be random and a fun way to help prevent disincentivize users from flipping the tokens, especially on launch of the token or creation of the pool. There is a clear advantage to having a smaller window for users that may want to flip the token without incurring fees. This window is determined by the time of last purchase, the users address, time the token was created, and the creator token address:
function calculateWindow(
address user,
address creatorToken,
uint256 buyTimestamp,
uint256 entropyTimestamp
) internal pure returns (uint256) {
uint256 seed = uint256(
keccak256(abi.encodePacked(user, creatorToken, buyTimestamp, entropyTimestamp))
);
return MIN_WINDOW + (seed % WINDOW_RANGE);
}
Reference: AntiFlipFeeLib.sol#47-58
Since the user is a input in determining the window, this can leveraged by a contract that could try a bunch seeds for addresses until i finds one that would generate a minimum window for their desired purchase.
Remediations to Consider
Use msg.origin for the user, to prevent attempting with multiple addresses in a singular transaction, additionally use block.prevrandao for added uncertainty as opposed to buy timestamp. Additionally instead of storing last purchase time, store the window calculated, and update it only if the new window is greater than the currently stored.
In LinearCurveMath, when calculating the amount of tokens purchased via calculateBuyAmount(), there is a check at the end to ensure a non-zero amount of tokens are purchased before returning the result:
if (UD60x18.unwrap(outputFP) == 0) revert OutputTooSmall();
return _fromUD60x18(outputFP, buyTokenDecimals);
Reference: LinearCurveMath.sol#L24-26
However, the check assumes the buy token is in 18 decimals, while the return value converts it using the proper decimals. In the case where the buy token has a small amount of decimals ie 6, this function could result in a small value for outputFP say 0.0000000000000005, which would evaluate to 500 via unwrap() and pass the check, but would result in zero tokens when converting to the proper decimals.
This is not necessarily a issue for the protocol currently as both the creator token and the sell token (Fleek) have 18 decimals. However, this may change, or this contract may be used in other protocols where this could come up.
Remediations to Consider
Check if the properly converted value is zero.
When buying creator tokens and immediately selling them back, it can result in gaining a small amount of creator tokens for free, provided there are no fees set. Currently the protocol expects to always use 4% fees which offsets the small amount of tokens gained, leading to this not being a worry. It is important, however, that this is considered if this protocol or other protocols use the code and do not charge fees.
Macro makes no warranties, either express, implied, statutory, or otherwise, with respect to the services or deliverables provided in this report, and Macro specifically disclaims all implied warranties of merchantability, fitness for a particular purpose, noninfringement and those arising from a course of dealing, usage or trade with respect thereto, and all such warranties are hereby excluded to the fullest extent permitted by law.
Macro will not be liable for any lost profits, business, contracts, revenue, goodwill, production, anticipated savings, loss of data, or costs of procurement of substitute goods or services or for any claim or demand by any other party. In no event will Macro be liable for consequential, incidental, special, indirect, or exemplary damages arising out of this agreement or any work statement, however caused and (to the fullest extent permitted by law) under any theory of liability (including negligence), even if Macro has been advised of the possibility of such damages.
The scope of this report and review is limited to a review of only the code presented by the Fleek team and only the source code Macro notes as being within the scope of Macro’s review within this report. This report does not include an audit of the deployment scripts used to deploy the Solidity contracts in the repository corresponding to this audit. Specifically, for the avoidance of doubt, this report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project. In this report you may through hypertext or other computer links, gain access to websites operated by persons other than Macro. Such hyperlinks are provided for your reference and convenience only, and are the exclusive responsibility of such websites’ owners. You agree that Macro is not responsible for the content or operation of such websites, and that Macro shall have no liability to your or any other person or entity for the use of third party websites. Macro assumes no responsibility for the use of third party software and shall have no liability whatsoever to any person or entity for the accuracy or completeness of any outcome generated by such software.