Token contracts look simple and fail in specific, well-documented ways. Most token exploits aren't exotic — they're a missing access check on a mint function, an unchecked return value on a transfer, or a supply-cap bypass nobody tested for. Firepan's audit checks specifically for the patterns that have drained real token contracts.
transfer/transferFrom return values are notoriously easy to leave unchecked, silently failing transfers (see unchecked return value)Firepan's deterministic surface scan checks token-contract anti-patterns, access-control boundaries, call sites, and other high-signal structures. A deep audit maps mint, burn, and transfer paths, forms and tests security hypotheses, and can use Slither findings as corroborating evidence. HOUND curates that evidence against Firepan's vulnerability database rather than presenting every raw warning as confirmed.
A free surface scan on a standard ERC-20 typically returns results in minutes. Deeper review — multi-token systems, custom tokenomics, rebasing or elastic-supply mechanics — runs as a full deep audit.
Q: What's the most common vulnerability in token contracts?
A: Mint and burn authorization, transfer restrictions, upgrade permissions, supply invariants, and external-call handling are recurring review surfaces. Their importance depends on the token's implementation rather than a universal ranking.
Q: Does Firepan audit non-standard tokens (rebasing, fee-on-transfer, elastic supply)?
A: Non-standard token mechanics need explicitly scoped invariants and tests beyond a standard ERC-20 scan. Firepan's deep audit can reason about repository-specific supply and authorization paths, but teams should also maintain Foundry or another property-testing harness for invariants they need continuously enforced.
Q: How long does a token contract audit take?
A: A free surface scan usually returns in seconds or minutes. Deep-audit timing varies with repository size, compilation, scope, and the hypotheses that need investigation; confirm timing for the specific engagement.
Q: Do I need continuous monitoring for a token contract after launch?
A: Upgradeable tokens, mutable roles, and new integrations need post-launch monitoring. Firepan can repeat repository checks on configured events, while Sentinel provides a separate point-in-time contract-address scorecard; teams must monitor live ownership, liquidity, and transaction behavior separately.
Run a free surface scan on your token contract now.
Firepan
Run a free surface scan — results in minutes, no credit card required.
Run Free Scan →