Case study | February 28, 2025

Othentic – Security Review of Rewards V2

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Composable Security partnered with Othentic to conduct a thorough security review of the Rewards V2 smart contract module. The project aimed to verify the robustness of a new rewards distribution mechanism integrated with EigenLayer and ensure secure cross-chain operations across multiple Layer 2 networks.

Basic information

Project type: Web3 infrastructure protocol that allows building Actively Validated Services (AVS).

Service: Smart contract security review, including retest and advisory support.

Results: All identified vulnerabilities – spanning high, medium, and low severity – were fixed. The review provided actionable insights for strengthening the cross-chain reward logic and improving resilience against real-world threat scenarios. Composable Security remained engaged post-review to support long-term improvements.

About Othentic

Othentic Stack is a library of production-ready components to build distributed services, infrastructures, and applications. Their flexible architecture supports deep customization, cross-chain communication, and token-based coordination.

The Rewards V2 update introduced a new flow that allows AVS managers to direct rewards through EigenLayer. This release was critical to enhancing the protocol’s usability and scalability across multiple chains.

Visit website: https://www.othentic.xyz/

About the service scope

The security review focused on Othentic’s new reward distribution logic, particularly how it interfaces with LayerZero and EigenLayer. The assessment included both an initial review and a full retest to verify fixes.

The subjects of the test were selected contracts from the Othentic repository.

GitHub repository: https://github.com/Othentic-Labs/contracts

CommitID: 9a405548df489a489d6344242577f7ac50ff4bc3

Initial challenges and constraints:

  • The module introduced complex cross-chain reward flows with strict execution requirements.
  • Interactions with external systems like LayerZero and EigenLayer increased the attack surface.
  • The review was conducted under a tight timeline with multiple components to analyze.

Defined objectives:

  • Identify vulnerabilities across the updated smart contracts.
  • Validate security assumptions in the rewards submission process.
  • Ensure robust handling of cross-chain messages and edge cases.
  • Provide recommendations aligned with smart contract security best practices.

Identified threats

As with every smart contract audit, thorough threat modeling was performed first. The results were made available to the client for joint analysis.

Key assets that require protection:

  • Reward tokens.

Potential attacker goals:

  • Theft of rewards.
  • Lock rewards in the contract.
  • Block the contract, so that others cannot use it.

Potential scenarios to achieve the indicated attacker’s goals:

  • Invalid parameters sent to EigenLayer.
  • Invalid operator sorting.
  • No update of the fee to claim for a reward claimed across multiple chains (clearance sent to only one chain).
  • Subtracting fee to claim for non-claimed reward.
  • Submitting invalid strategies to EigenLayer.
  • Spamming the operators list.
  • Excluding some operators in rewards distribution.
  • Permanent revert on lzReceive.
  • Invalid rewards calculation.
  • Influence or bypass the business logic of the system.
  • Take advantage of arithmetic errors.
  • Privilege escalation through incorrect access control to functions or badly written modifiers.
  • Existence of known vulnerabilities (e.g., front-running, re-entrancy).
  • Design issues.

More can be found in the report.

Smart contract audit results

A comprehensive security review outlined six vulnerabilities (1 high, 2 medium, 3 low) and one additional recommendation.

Key findings:

  • [High Severity] Uncleared Claims: Cross-chain confirmations were misrouted to the default Layer 2, risking reward loss and process blockage.
  • [Medium Severity] Permanent Revert on Rewards Submission: Token approval flows could become irreversibly stuck due to non-zero approval limitations.
  • [Medium Severity] Invalid Reward Submission: Improper operator list handling resulted in reverts when forwarding data to EigenLayer.
  • Other findings included unsafe type casting, duplicate operator entries, and endpoint ID mismanagement, each fixed in follow-up commits.

The team started improving the codebase immediately during the audit and we verified during the retest that all identified vulnerabilities had been properly remediated.

Security enhancements:

  • Improved validation of reward-related data structures.
  • Refined operator tracking to prevent duplication or invalid submissions.
  • Safer interaction patterns with ERC-20 tokens using the SafeERC20 library.
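The medium-severity "Permanent Revert on Rewards Submission" finding and the SafeERC20 enhancement above both come down to the same ERC-20 quirk. The example below is added here to illustrate it and is not Othentic's code: a constructed token that refuses to change a non-zero allowance, a hypothetical submitter that can be bricked by it, and the same submitter using OpenZeppelin's `forceApprove` (assumes OpenZeppelin Contracts 4.9 or later; the `coordinator` address stands in for whatever downstream contract pulls the tokens).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts >= 4.9 (forceApprove) is installed.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed test token: like some real tokens, approve() reverts when an
/// allowance is changed from one non-zero value to another.
contract NonZeroAllowanceToken is ERC20 {
    constructor() ERC20("Mock", "MCK") { _mint(msg.sender, 1_000_000e18); }

    function approve(address spender, uint256 value) public override returns (bool) {
        require(value == 0 || allowance(msg.sender, spender) == 0, "reset allowance to 0 first");
        return super.approve(spender, value);
    }
}

/// Vulnerable pattern (hypothetical, not Othentic's code): a plain approve().
/// If a previous submission left a non-zero allowance behind, e.g. the
/// coordinator pulled less than was approved, every later submit() reverts
/// and the rewards flow is permanently stuck.
contract RewardsSubmitterBefore {
    IERC20 public immutable token;
    address public immutable coordinator; // contract that pulls tokens via transferFrom

    constructor(IERC20 token_, address coordinator_) { token = token_; coordinator = coordinator_; }

    function submit(uint256 amount) external {
        token.approve(coordinator, amount);
        // ... forward the rewards submission to `coordinator` here ...
    }
}

/// Hardened pattern: SafeERC20.forceApprove first tries approve(amount) and,
/// if that call fails, resets the allowance to zero and approves again, so a
/// stale allowance can no longer block submissions.
contract RewardsSubmitterAfter {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    address public immutable coordinator;

    constructor(IERC20 token_, address coordinator_) { token = token_; coordinator = coordinator_; }

    function submit(uint256 amount) external {
        token.forceApprove(coordinator, amount);
        // ... forward the rewards submission to `coordinator` here ...
    }
}
```

In a Foundry or Hardhat test, deploy `NonZeroAllowanceToken`, have `RewardsSubmitterBefore` call `submit` twice without the coordinator draining the allowance in between, and the second call reverts; `RewardsSubmitterAfter` completes both calls.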

Knowledge transfer:

Othentic’s team received guidance not only through written reports but also through ongoing discussions that clarified implementation strategies, explored edge cases, and ensured long-term security maturity.
