Sigil

security audit

sigil protocol audit report

Conducted by Claude Opus 4.6 [1m] | February 2026

Findings by severity

Critical: 0
High: 0
Low: 1
Informational: 2

executive summary

This audit covers the core Sigil Protocol smart contracts deployed on Base. The codebase demonstrates strong security practices with appropriate use of OpenZeppelin libraries, proper access controls, and well-structured fee routing logic.

Audit Scope

SigilFeeVault.sol     Fee accumulation and claim logic    392 LOC
SigilLPLocker.sol     LP NFT position locking             290 LOC
SigilFactoryV3.sol    Token deployment factory            352 LOC
SigilHook.sol         Uniswap V4 swap hook                350 LOC
SigilToken.sol        Minimal ERC-20 implementation        57 LOC

Total: ~1,635 lines of Solidity code as stated by the report. Note that the five files listed above sum to 1,441 LOC; the remaining lines are not itemized here.

Findings

Centralized Admin Functions
Contract: SigilFeeVault.sol
Status: acknowledged

Some admin functions are controlled by a single address, so a compromised or malicious key could change privileged parameters in one transaction with no delay. Consider placing critical operations behind a timelock or a multisig so that privileged changes are delayed, visible on-chain before they take effect, and require more than one key.
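To make the recommendation concrete, the following is an added example (not Sigil Protocol code) showing how an Ownable2Step-controlled contract can be placed behind an OpenZeppelin TimelockController whose only proposer and executor is a multisig. ExampleFeeVault, ExampleDeployer, setProtocolFeeBps and feeChangeCalldata are hypothetical names, and OpenZeppelin Contracts v5 import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Sigil Protocol code. Assumes OpenZeppelin Contracts v5.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

/// Hypothetical vault with one privileged setter, standing in for the kind of
/// admin function the finding describes.
contract ExampleFeeVault is Ownable2Step {
    uint16 public protocolFeeBps;

    event ProtocolFeeUpdated(uint16 oldBps, uint16 newBps);

    constructor(address initialOwner) Ownable(initialOwner) {}

    function setProtocolFeeBps(uint16 newBps) external onlyOwner {
        require(newBps <= 1_000, "fee too high"); // hypothetical 10% cap
        emit ProtocolFeeUpdated(protocolFeeBps, newBps);
        protocolFeeBps = newBps;
    }
}

/// Wires the vault so that its owner is a TimelockController and the only
/// account able to propose or execute through that timelock is a multisig.
/// Every onlyOwner call must then be scheduled, wait `minDelay` seconds, and
/// only afterwards be executed.
contract ExampleDeployer {
    function deploy(address multisig, uint256 minDelay)
        external
        returns (TimelockController timelock, ExampleFeeVault vault)
    {
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;
        address[] memory executors = new address[](1);
        executors[0] = multisig;

        // admin = address(0): no account can re-grant roles and bypass the delay;
        // role changes must themselves go through a scheduled operation.
        timelock = new TimelockController(minDelay, proposers, executors, address(0));
        vault = new ExampleFeeVault(address(timelock));
    }

    /// Calldata the multisig schedules through the timelock to change the fee:
    ///   timelock.schedule(address(vault), 0, data, bytes32(0), salt, minDelay);
    /// and, once the delay has elapsed:
    ///   timelock.execute(address(vault), 0, data, bytes32(0), salt);
    function feeChangeCalldata(uint16 newBps) external pure returns (bytes memory) {
        return abi.encodeCall(ExampleFeeVault.setProtocolFeeBps, (newBps));
    }
}
```

Because the vault uses Ownable2Step, handing ownership to a different admin later requires the timelock to schedule a transferOwnership call and the new owner to call acceptOwnership, so ownership cannot be accidentally transferred to an address that cannot use it.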

Missing Zero Address Check
Contract: SigilFactoryV3.sol
Status: fixed

The setBuilder function does not validate its argument against the zero address, so a mistaken or malformed call could set the builder to address(0).
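The pattern behind this finding, as an added before/after example that is not Sigil Protocol code: FactoryBefore accepts any value, FactoryAfter rejects address(0) and a no-op update. The contract names, the BuilderSet event and the custom errors are hypothetical, and OpenZeppelin Contracts v5 import paths are assumed. The report does not say what the builder address is used for; if it receives fees, a zero builder would mean transfers that revert or value sent to an unrecoverable address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Sigil Protocol code. Assumes OpenZeppelin Contracts v5;
// FactoryBefore/FactoryAfter, BuilderSet and the errors are hypothetical names.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

/// Before: the setter accepts any value, so an empty calldata field or a
/// copy-paste error silently points the builder at address(0).
contract FactoryBefore is Ownable2Step {
    address public builder;

    event BuilderSet(address indexed previousBuilder, address indexed newBuilder);

    constructor(address initialOwner) Ownable(initialOwner) {}

    function setBuilder(address newBuilder) external onlyOwner {
        emit BuilderSet(builder, newBuilder);
        builder = newBuilder;
    }
}

/// After: reject address(0) and a no-op update, both in the constructor and in
/// the setter, and emit the previous value so the change is auditable.
contract FactoryAfter is Ownable2Step {
    address public builder;

    error ZeroAddress();
    error SameValue();

    event BuilderSet(address indexed previousBuilder, address indexed newBuilder);

    constructor(address initialOwner, address initialBuilder) Ownable(initialOwner) {
        if (initialBuilder == address(0)) revert ZeroAddress();
        builder = initialBuilder;
        emit BuilderSet(address(0), initialBuilder);
    }

    function setBuilder(address newBuilder) external onlyOwner {
        if (newBuilder == address(0)) revert ZeroAddress();
        if (newBuilder == builder) revert SameValue();
        emit BuilderSet(builder, newBuilder);
        builder = newBuilder;
    }
}
```

The constructor check matters as much as the setter check: a deployment script that passes an unset variable produces the same bad state, and a setter-only fix leaves that path open.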

Gas Optimization Opportunity
Contract: SigilFeeVault.sol
Status: acknowledged

The loops in claimFees re-read the array length on every iteration; caching it in a local variable before the loop saves gas.
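The optimization in context, as an added example that is not Sigil Protocol code: a hypothetical vault that tracks accrued fees per token and pays them out in a loop over a storage array. The saving is largest for storage arrays, where each `.length` read is an SLOAD, and it is only safe when the loop body cannot change the array's length. ExampleFeeVault, the mappings and the FeesClaimed event are hypothetical names; OpenZeppelin Contracts v5 import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Sigil Protocol code. Assumes OpenZeppelin Contracts v5;
// the vault layout and the FeesClaimed event are hypothetical.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract ExampleFeeVault is ReentrancyGuard {
    using SafeERC20 for IERC20;

    // token => claimant => accrued fees
    mapping(address => mapping(address => uint256)) public accrued;
    // claimant => tokens they have fees in (storage array: .length is an SLOAD)
    mapping(address => address[]) internal _tokensOf;

    event FeesClaimed(address indexed claimant, address indexed token, uint256 amount);

    /// Before: `tokens.length` is read from storage on every iteration.
    function claimFeesBefore() external nonReentrant {
        address[] storage tokens = _tokensOf[msg.sender];
        for (uint256 i = 0; i < tokens.length; i++) {
            _payout(tokens[i]);
        }
    }

    /// After: read the length once. The `unchecked` increment drops the
    /// overflow check on `i`, which cannot exceed `len`. This is only valid
    /// because `_payout` never pushes to or pops from `_tokensOf[msg.sender]`.
    function claimFeesAfter() external nonReentrant {
        address[] storage tokens = _tokensOf[msg.sender];
        uint256 len = tokens.length;
        for (uint256 i = 0; i < len; ) {
            _payout(tokens[i]);
            unchecked { ++i; }
        }
    }

    function _payout(address token) internal {
        uint256 amount = accrued[token][msg.sender];
        if (amount == 0) return;
        accrued[token][msg.sender] = 0; // effects before the external transfer
        IERC20(token).safeTransfer(msg.sender, amount);
        emit FeesClaimed(msg.sender, token, amount);
    }
}
```

For memory or calldata arrays the length read is a single cheap opcode and the difference is negligible, which is consistent with the finding being informational rather than a security issue.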

Security Patterns Used
OpenZeppelin ReentrancyGuard on all external functions handling value
Ownable2Step for two-step ownership transfers
SafeERC20 for token transfers
Proper access control with role-based permissions
Event emission for all state changes
Input validation on public functions

conclusion

The Sigil Protocol demonstrates a mature approach to smart contract security. No critical or high severity issues were identified. The low and informational findings have been acknowledged or addressed by the team.

The protocol is suitable for mainnet deployment with the understanding that certain admin functions are centralized by design. Users should be aware of the trust assumptions involved.

All in-scope contracts have verified source code on Basescan. This audit does not guarantee the absence of bugs.