All Reports
Typhoon

Typhoon

2025-05-25
Download PDF
Critical1
High3
Medium3
Low0
Info1

About the Protocol

Privacy-preserving fund transfer protocol using modular mixer contracts on Starknet.

Findings (8)

C-01CriticalFixed

Encrypted notes can be arbitrarily altered and signatures can be replayed

Notes lack integrity protection allowing tampering and signature replay attacks.

H-01HighFixed

Merkle tree overwrite issue after max depth reached

Merkle tree entries can be overwritten once maximum depth is exceeded.

H-02HighFixed

withdraw_fee remains stuck in contract with no withdrawal mechanism

Collected withdrawal fees are permanently locked in the contract.

H-03HighFixed

newRootIndex should not use modulo with ROOT_HISTORY_SIZE

Modulo operation on root index causes incorrect root history tracking.

M-01MediumFixed

Inconsistent notesCount handling results in inconsistent results

Notes counter inconsistency affects multiple view functions.

Ready to Secure Your Project?

Get a free 30-minute security assessment. We will review your codebase scope and flag the top 3 risk areas.

No commitment required. Typical audits start within 1–2 weeks.

audits@codespect.xyz