Wayfinder Pr Security Smart Contract Audit

Summary

`PromptClaim` is a token distribution contract that uses role-based access control to manage claimable token balances. Users with the `FUNDER_ROLE` can add claim allocations for multiple recipients, while eligible recipients can claim their tokens directly from the contract. However, allocated unclaimed funds cannot be reclaimed or clawed back—once assigned to a recipient’s claimable balance, they remain accessible only to that recipient. Consequently, we recommend implementing stronger input validation to help prevent erroneous allocations when adding claims. Quantstamp has audited `PromptClaim` and provided a set of suggested improvements. We recommend the client consider all issues identified. **Fix Review**: The client resolved all issues by implementing fixes or acknowledging them. We recommend adding additional tests to validate the fixes. **Fix Review 2**: The client updated the `PromptClaim` contract to allow bridging tokens across Ethereum, Base, and BNB during the claim process. The team is responsible for distributing the claim amounts per chain to avoid any double-claim situation and for correctly setting the peer addresses for OFT tokens on both source and destination chains. If the peer addresses are misconfigured, tokens can be lost when bridging (for example, a user could burn tokens on the source chain without receiving any on the destination). When claiming on the same chain as the contract, users should use `block.chainid`. If bridging tokens to another chain, they must reference the LayerZero outbound chain ID, because LayerZero uses its own chain ID system (WAY-2).

Project