Need an audit or want to learn more about Macro’s services?
Reach out for an audit or to learn more about Macro
Security Audit
July 25, 2025
Version 1.0.0
Presented by 0xMacro
This document includes the results of the security audit for towns's smart contract code as found in the section titled ‘Source Code’. The security audit was performed by the Macro security team from June 24, 2025 to June 26, 2025.
The purpose of this audit is to review the source code of certain towns Solidity contracts, and provide feedback on the design, architecture, and quality of the source code with an emphasis on validating the correctness and security of the software in its entirety.
Disclaimer: While Macro’s review is comprehensive and has surfaced some changes that should be made to the source code, this audit should not solely be relied upon for security, as no single audit is guaranteed to catch all possible bugs.
The following is an aggregation of issues found by the Macro Audit team:
| Severity | Count | Acknowledged | Won't Do | Addressed |
|---|---|---|---|---|
| Medium | 1 | - | - | 1 |
| Low | 2 | - | - | 2 |
| Code Quality | 4 | - | - | 4 |
| Informational | 1 | - | - | - |
towns was quick to respond to these issues.
Our understanding of the specification was based on the following sources:
Considered untrusted and potentially malicious. The system is designed defensively against potential malicious actors. These can be Space’s members executing a swap through their Space or EOA executing swaps directly through the Router.
router, approvedTarget, and recipient) are validated, and execution flow is strictly controlled.Highly trusted. The protocol owner entity that manages the core protocol rules through the PlatformRequirements contract. It is trusted to:
Trusted within the scope of their own space. A Space Owner configures fee parameters (posterFeeBps, forwardPosterFee) only for swaps initiated through their space's SwapFacet.
MAX_FEE_BPS (2% fee).SwapRouter behavior.Highly trusted. The security model of the SwapRouter relies on the integrity of the external contracts on the router whitelist. These routers are trusted to:
swapData call. While approvals and balances are cleared after the swap, the system trusts the router not to misuse them during the transaction itself.nonReentrant guard prevents direct re-entry but does not control the router's interactions with the external contracts.SwapRouter after the swap.Trusted infrastructure. The SwapRouter relies on the canonical PERMIT2 contract at its hardcoded address (0x000000000022D473030F116dDEE9F6B43aC78BA3).
PERMIT2 would be directly inherited.Trusted core infrastructure. The SwapRouter and SwapFacet trust these contracts to perform their functions correctly and non-maliciously.
Architect is trusted to accurately identify which callers are valid Spaces.TownsPoints is trusted to implement a secure and economically sound points calculation and minting system.SpaceFactory is trusted to get a valid and secure SwapRouter address implementation.The following source code was reviewed during the audit:
5356aa3d56ee92c078be75b2762d348428807957
Specifically, we audited the following contracts within packages/contracts/ repository directory:
| Source Code | SHA256 |
|---|---|
| src/router/SwapRouter.sol |
|
| src/router/SwapRouterStorage.sol |
|
| src/spaces/facets/swap/SwapFacet.sol |
|
| src/spaces/facets/swap/SwapFacetStorage.sol |
|
| src/spaces/facets/membership/MembershipStorage.sol |
|
| src/spaces/facets/points/PointsBase.sol |
|
Note: This document contains an audit solely of the Solidity contracts listed above. Specifically, the audit pertains only to the contracts themselves, and does not pertain to any other programs or scripts, including deployment scripts.
Click on an issue to jump to it, or scroll down to see them all.
minAmountOut
We quantify issues in three parts:
This third part – the severity level – is a summary of how much consideration the client should give to fixing the issue. We assign severity according to the table of guidelines below:
| Severity | Description |
|---|---|
|
(C-x) Critical |
We recommend the client must fix the issue, no matter what, because not fixing would mean significant funds/assets WILL be lost. |
|
(H-x) High |
We recommend the client must address the issue, no matter what, because not fixing would be very bad, or some funds/assets will be lost, or the code’s behavior is against the provided spec. |
|
(M-x) Medium |
We recommend the client to seriously consider fixing the issue, as the implications of not fixing the issue are severe enough to impact the project significantly, albiet not in an existential manner. |
|
(L-x) Low |
The risk is small, unlikely, or may not relevant to the project in a meaningful way. Whether or not the project wants to develop a fix is up to the goals and needs of the project. |
|
(Q-x) Code Quality |
The issue identified does not pose any obvious risk, but fixing could improve overall code quality, on-chain composability, developer ergonomics, or even certain aspects of protocol design. |
|
(I-x) Informational |
Warnings and things to keep in mind when operating the protocol. No immediate action required. |
|
(G-x) Gas Optimizations |
The presented optimization suggestion would save an amount of gas significant enough, in our opinion, to be worth the development cost of implementing it. |
In SwapFacet, users are incentivized to execute swaps through the Space by accruing airdrop points depending on their swap volume and the protocol fees.
if (
params.tokenIn == CurrencyTransfer.NATIVE_TOKEN
params.tokenOut == CurrencyTransfer.NATIVE_TOKEN
) {
address airdropDiamond = _getAirdropDiamond();
uint256 points = _getPoints(
airdropDiamond,
ITownsPointsBase.Action.Swap,
abi.encode(protocolFee)
);
_mintPoints(airdropDiamond, msg.sender, points);
}
Reference: SwapFacet.sol#L193-204
However, the current implementation mints the point to the msg.sender. For executeSwapWithPermit(), any other member can submit the swap intent with the proper data and signature for another user and get their points, indirectly creating an incentive to relay others’ swaps and farm points.
Remediations to Consider
permit.owner as the target address for points or,In SwapRouter, the poster fees are calculated based on the msg.sender. If a user permit swap is executed through a different space than the user intended, with the same input payload, the fee will be calculated based on the caller.
function _collectFees(
address token,
uint256 amount,
address poster
) internal returns (uint256 amountAfterFees, uint256 protocolFee, uint256 posterFee) {
address spaceFactory = _getSpaceFactory();
(uint16 protocolBps, uint16 posterBps) = _getSwapFees(spaceFactory, msg.sender);
...
Reference: SwapRouter.sol#L349-355
Consider the following scenario:
This scenario results in inconsistent charging of poster fees, contrary to the user's intent.
Remediations to Consider
_getSwapFees(). If it’s a space, it will use the proper space’s BPS, abstracting it from the caller context.posterBps in the parameter inputs and witness data as the expected fee to get charged.The L-1 finding has a more severe attack vector. An attacker can create a "bait-and-switch" scheme where they own two spaces: Space X with attractive 0.5% poster fees and Space Y with 2% poster fees (Y has forwardPosterFee = true). Users are attracted to Space X's low fees and sign permits with poster = attacker. However, the attacker executes these permits through Space Y instead, collecting 4x higher fees while users pay far more than expected.
This attack is profitable, scalable, and exploitable because the permit signature binds to the poster address but not the fee rate. Since fees are calculated based on msg.sender (the calling space), the same permit can execute through any space accepting that poster configuration.
In SwapFacet the space owner can configure the forwardPosterFee to allow members of the space to execute swaps and forward poster fees to an arbitrary address. By default, this value is set to false and resolves to the Space’s address, meaning the Space gets the poster fee.
function _resolveSwapPoster(address poster) internal view returns (address) {
// default behavior: fees go to space, return the space address
if (!SwapFacetStorage.layout().forwardPosterFee) {
return address(this);
}
// if fees should be forwarded to poster, return the poster as-is
// (including address(0) which will skip poster fee)
return poster;
}
Reference: SwapFacet.sol#L260-268
Specifically for native tokens as tokenIn, the logic checks the forwardPosterFee and subtracts the poster fee from the unused tokens for refunds.
// for ETH, subtract poster fee if it was collected to space
if (
tokenIn == CurrencyTransfer.NATIVE_TOKEN && !SwapFacetStorage.layout().forwardPosterFee
) {
// get the poster fee that was collected to space
(, uint16 posterBps, ) = getSwapFees();
uint256 posterFee = BasisPoints.calculate(msg.value, posterBps);
// subtract poster fee from refund since it should stay in space
refundAmount = FixedPointMathLib.zeroFloorSub(refundAmount, posterFee);
}
Reference: SwapFacet.sol#L225-235
However, if the poster is the Space's address and the forwardPosterFee is set to true, the logic will skip the subtraction and refund the entire fee to the caller with the unused tokens, effectively bypassing the poster fee altogether.
Remediations to Consider:
Consider checking if the poster address is the Space in the refund logic, in case the forwardPosterFee Space configuration is set to true.
In SwapFacet, the executeSwapWithPermit() handles refunds for swaps that didn’t use the entirety of the amountTokenIn, this sends the remaining tokens to the caller instead of the permit owner. However, since the SwapRouter already calculates and sends the remaining tokens to the permit.owner, the facet’s logic becomes a no-op as the refunded amount to the Space will always be zero. Consider removing the _handleRefund() internal function or updating it to refund the permit.owner and keeping it as a redundant sanity logic.
In the SwapFacet contract, the executeSwapWithPermit() function takes the poster address as an input parameter. This parameter is used in the SwapRouter to verify and charge poster fees and is bound with the permit2 signature witness data through the user's signature. Since the poster address is directly signed and passed by the user, the SwapFacet logic to resolve this address will trigger an InvalidSigner() error if it mismatches the SwapFacet configuration. This breaks the user's expectation of a transparent and controllable fee mechanism. To improve error accuracy and user intent transparency, consider enforcing a check in the SwapFacet for the poster address input instead of resolving it, and relay the revert to the SwapRouter:
if (!SwapFacetStorage.layout().forwardPosterFee) {
require(poster == address(this), InvalidPosterInput());
}
SwapRouter and SwapFacet: Consider using the _getBalance() function consistently for all token balance fetch operations.
params.tokenIn **==** CurrencyTransfer.NATIVE_TOKEN **condition, which is computed again in the _executeSwap function. Consider caching and passing this bool to the _executeSwap function.SwapRouter the value check is performed twice for the same logic flow.
Although known external routers will revert by using the same tokenIn as tokenOut, and the SwapRouter correctly handles fee accounting even if both inputs are equal, consider enforcing a sanity check to disallow tokenIn == tokenOut to narrow the assumptions on the external whitelisted routers.
minAmountOut
The SwapRouter implementation includes logic to account for fee-on-transfer tokens. While the slippage check occurs after the swap to verify that the user's minAmountOut requirement was met, any subsequent transfer could result in the user receiving fewer tokens than this minimum amount. This could occur since the fee-on-transfer mechanism applies after the verification check has already been completed.
Macro makes no warranties, either express, implied, statutory, or otherwise, with respect to the services or deliverables provided in this report, and Macro specifically disclaims all implied warranties of merchantability, fitness for a particular purpose, noninfringement and those arising from a course of dealing, usage or trade with respect thereto, and all such warranties are hereby excluded to the fullest extent permitted by law.
Macro will not be liable for any lost profits, business, contracts, revenue, goodwill, production, anticipated savings, loss of data, or costs of procurement of substitute goods or services or for any claim or demand by any other party. In no event will Macro be liable for consequential, incidental, special, indirect, or exemplary damages arising out of this agreement or any work statement, however caused and (to the fullest extent permitted by law) under any theory of liability (including negligence), even if Macro has been advised of the possibility of such damages.
The scope of this report and review is limited to a review of only the code presented by the towns team and only the source code Macro notes as being within the scope of Macro’s review within this report. This report does not include an audit of the deployment scripts used to deploy the Solidity contracts in the repository corresponding to this audit. Specifically, for the avoidance of doubt, this report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project. In this report you may through hypertext or other computer links, gain access to websites operated by persons other than Macro. Such hyperlinks are provided for your reference and convenience only, and are the exclusive responsibility of such websites’ owners. You agree that Macro is not responsible for the content or operation of such websites, and that Macro shall have no liability to your or any other person or entity for the use of third party websites. Macro assumes no responsibility for the use of third party software and shall have no liability whatsoever to any person or entity for the accuracy or completeness of any outcome generated by such software.