Read the smart-contract review covering ABI scope, wallet flows, findings, and remediation notes.
Trust Documents
AI Virtual Contract Audit Report
Updated June 11, 2026
This AI Virtual Audit reviews the CryptoStone smart-contract surface from the currently connected ABI set, Sepolia contract registry, frontend transaction flows, wallet batch process, and protocol documentation. It is an AI-assisted security review, not a signed external audit certificate.
Audit type: AI Virtual Smart Contract Audit.
Scope includes STONX V6, GEMS NFT V6, Garnet Mining Pool V6, Claim, Refinery, Marketplace, Private Sale, Arena DAO Treasury, and wallet batch flows.
Current AI result: no critical issue is identified from ABI and integration review alone, but source-level external audit remains required before mainnet claims.
A final independent audit should replace or supplement this AI Virtual Audit after Solidity source, deployment scripts, and admin keys are reviewed.
Section
1. Audit status and limitation
This report is generated as an AI Virtual Audit for CryptoStone. It reviews the contract integration surface visible to the application, including ABI files, active Sepolia addresses, transaction flow design, and user-facing protocol behavior.
Because Solidity source files and deployment scripts are not part of the current application repository, this report should not be treated as source-level formal assurance. It is a practical audit-style review for launch preparation and public transparency.
Section
2. AI audit basis
Reviewer: CryptoStone AI Virtual Audit.
Review basis: active application source, ABI imports, Sepolia contract registry, wallet transaction modules, claim/refinery/mining/marketplace/Arena flows, and production UI disclosures.
Recommended final audit basis: verified Solidity source, compiler settings, deployment scripts, constructor arguments, admin wallet inventory, signer policy, test coverage, and final mainnet addresses.
CryptoStonePrivateSaleV1: direct STONX top-up flow, ETH payment handling, transaction confirmation, and completion modal behavior.
CryptoStoneArenaDaoTreasuryV6: Arena Credit top-up, entry settlement, winner entitlement, user withdrawal, and treasury allocation display.
Section
4. Security controls reviewed
Access control boundaries for owner, operator, watcher, relayer, treasury, pool, and user-only functions.
Reentrancy exposure for payment, withdrawal, marketplace settlement, and reward withdrawal functions.
Allowance, approval, and batch transaction behavior for one-confirmation user flows.
Token and NFT burn correctness, including prevention of double burn, missing burn, or unintended transfer.
Arithmetic precision, token decimal handling, fee distribution, and rounding behavior.
Event completeness for indexers, marketplace history, mining activity, and wallet activity displays.
Failure handling when metadata generation, IPFS upload, RPC reads, or wallet callbacks are delayed.
Section
5. AI virtual findings
The current engineering target is to keep all user wallet flows at one confirmation where the contract design permits it, while keeping watcher or indexer finalization outside the user's wallet confirmation path.
The AI Virtual Audit did not identify a critical integration blocker from the visible ABI and frontend flow review. The items below should still be validated against Solidity source before mainnet.
Critical: none identified from ABI/integration review. Source-level review is still required to confirm no hidden mint, drain, upgrade, or owner-only emergency path creates critical risk.
High: Arena DAO reward withdrawal must be verified at source level so each user can withdraw only their own recorded entitlement and cannot withdraw another player's reward.
High: Claim and Refinery burn-and-mint functions must be atomic or safely ordered so STONX/NFT burns cannot occur without a deterministic mint or recoverable failure state.
Medium: Metadata authority should be disclosed and constrained because HTTPS metadata and watcher finalization can affect user trust and external marketplace rendering.
Medium: Batch transaction composition should approve only the required amount and should avoid stale approvals where exact approval is supported by the token contract.
Medium: Marketplace event indexing should distinguish listing, cancel, purchase, transfer, and burn events so historical activity cannot misrepresent actual ownership flow.
Low: User-facing network labels, testnet/mainnet environment labels, and Etherscan links should remain consistent to avoid accidental user confusion.
Section
6. Recommended remediation and verification
Verify source code for every active production contract on the relevant block explorer.
Publish final contract addresses, ABI versions, deployment chain, and Etherscan links in the Contract Address Registry.
Document all owner, operator, watcher, treasury, metadata, mint, burn, and emergency permissions.
Add source-level tests for Claim, Refinery, Marketplace purchase/cancel, Arena reward withdrawal, and Private Sale top-up.
Freeze metadata where possible, or disclose remaining metadata authority clearly on the GEMS and Trust Documents pages.
Run a formal external audit before mainnet and publish the final report hash, report date, reviewed commit, findings, and remediation status.
Section
7. AI virtual conclusion
CryptoStone's current contract integration appears organized for launch testing, with one-confirmation wallet flows and separated watcher/indexer finalization where appropriate.
The remaining major risk is not visible from ABI review alone: Solidity source permissions, admin key control, upgrade authority, treasury withdrawal restrictions, and exact burn/mint failure behavior must be verified before this AI Virtual Audit can be treated as production-grade assurance.
Contact
Audit contact
For audit questions, responsible disclosure, or security review coordination, contact CryptoStone support.