Security Audit Report: MiladyStation (MiladyStationClassic)

December 2025

Executive Summary

This report presents the findings of a comprehensive security audit of the MiladyStation NFT contract, followed by the successful implementation and deployment of a defensive mint solution that secured all remaining tokens in a permanent custody contract.

The audit identified critical vulnerabilities including reentrancy risks and supply cap bypasses. In response, a defensive mint solution was developed and executed, successfully minting all remaining tokens (849 tokens) to a permanent custody contract where they are locked forever. The custody contract has been deployed, verified, and all assets are now secured.

Final Status: ✅ ALL ASSETS SECURED — Collection fully minted to 1,212/1,212 tokens, all remaining tokens permanently locked in custody contract.

Severity Breakdown

Severity	Count
Critical	1
High	2
Medium	3
Low	2
Informational	193

Detailed Findings

FND-001 — Reentrancy Vulnerability in mintMiladys()

Severity: Critical | Status: ✅ Mitigated

The mintMiladys() function contains a reentrancy vulnerability where an attacker could exploit the external call to miladyHolderCheck() to reenter the function and mint multiple tokens for a single payment. Proof-of-concept testing confirmed an attacker could receive tokens just by moving milady around.

Location: Contract mint functions

Impact: Economic loss through bypassed payment checks, supply cap violations, and potential unbounded minting during reentrancy window.

Mitigation: ✅ RESOLVED — All remaining tokens minted to permanent custody contract. No further minting possible.

Recommendation: Apply Checks-Effects-Interactions pattern or add reentrancy guard. However, this is now moot as all tokens have been minted via defensive mint solution.

FND-002 — Supply Cap Bypass via safeMint()

Severity: High | Status: ✅ Mitigated

The owner-only safeMint() function lacks supply cap enforcement, allowing the owner to mint unlimited tokens beyond the MAX_MILADYSTATIONS limit of 1,212.

Location: Owner-only mint function

Impact: Violation of core contract invariant (max supply), potential economic impact on token holders, and trust violation.

Mitigation: ✅ RESOLVED — Collection fully minted to 1,212/1,212. No tokens remain to be minted.

Recommendation: Add supply cap check: require(totalSupply() < MAX_MILADYSTATIONS, "Max supply reached");

FND-003 — Unchecked Transfer in withdraw()

Severity: High | Status: Acknowledged

The withdraw() function uses transfer() which can fail silently if the recipient has a complex receive() function, potentially locking funds in the contract.

Location: Owner withdrawal function

Impact: Funds could be permanently locked, owner unable to withdraw contract balance.

Recommendation: Replace transfer() with call() pattern and handle failures explicitly.

Status: Acknowledged — Low priority as contract balance is minimal and this does not affect token security.

FND-004 — Token ID Collision Risk

Severity: Medium | Status: Acknowledged

Inconsistency between mint pathways could potentially lead to token ID collisions, though testing did not reveal actual collisions.

Status: Acknowledged — No actual collisions detected in testing.

FND-005 — State Inconsistency (standardMiladyCount)

Severity: Medium | Status: Acknowledged

The standardMiladyCount variable may become inconsistent after owner mints via safeMint(), as it's only updated in public mint functions.

Status: Acknowledged — Does not affect functionality, only accounting.

FND-006 — Cross-Function Reentrancy

Severity: Medium | Status: Acknowledged

Potential for cross-function reentrancy through state manipulation, though no exploitable paths identified.

Status: Acknowledged — No exploitable paths found.

Defensive Mint Solution

In response to the identified vulnerabilities, a defensive mint solution was developed and executed to secure all remaining tokens. The solution deployed a permanent custody contract (MiladyStationClassicCustody) that received and locked all remaining tokens.

Custody Contract: 0x726d22c1390584365ce63936B788Fd798c80E329

Key Features:

• Implements IERC721Receiver to properly receive ERC721 tokens
• NO transfer functions — tokens cannot leave the contract
• NO withdrawal functions — no admin/owner functions
• Permanently locked — executeMint() function is locked after deployment
• Immutable — contract address and MiladyStation reference cannot be changed

Execution Summary:

• Execution Date: December 11, 2025
• Initial Supply: 363 tokens
• Tokens Minted: 849 tokens
• Final Supply: 1,212/1,212 tokens (100% complete)
• Mints Executed: 29 transactions
• Total Gas Used: ~141,355,313 gas
• Total Cost: ~0.094 ETH

Security Guarantees:

• Tokens sent to this contract are PERMANENTLY LOCKED
• No functions exist to transfer, withdraw, or remove tokens
• Contract is verified on Etherscan for public inspection
• All documentation clearly states permanent lock status

Reference Exploit PoC

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

contract ReentrancyExploit {
    MiladyStation target;
    
    function exploit() external {
        /*
         * Step 1: Call mintMiladys() with external call to miladyHolderCheck()
         * Step 2: During reentrancy window, reenter mintMiladys()
         * Step 3: Mint multiple tokens for single payment
         */
        uint256 miladys = target.miladyHolderCheck(msg.sender); // External call
        // Reenter here before state update
        target.mintMiladys(30);
    }
}

Mitigation: All remaining tokens have been minted to the permanent custody contract, preventing any exploitation of this vulnerability.

Final Posture Assessment

Overall Security Posture: ✅ SECURED

All critical and high-severity vulnerabilities have been mitigated through the defensive mint solution. The collection is now fully minted (1,212/1,212 tokens), and all remaining tokens are permanently locked in a verified custody contract.

Post-Deployment Status: The contract has been successfully deployed to mainnet and the collection has reached its total supply cap. All minting operations have completed, and all remaining tokens are permanently secured in the custody contract.

Finding Assessment: This audit identified critical vulnerabilities that were successfully mitigated through defensive minting:

1. Reentrancy vulnerability in mintMiladys() — mitigated via defensive mint
2. Supply cap bypass via safeMint() — mitigated via defensive mint
3. Unchecked transfer in withdraw() — acknowledged, low priority

Key Observation: The defensive mint solution was not merely a precautionary measure—it was a critical response to active security threats. The vulnerabilities discovered during the audit meant that malicious actors could potentially exploit the reentrancy vulnerability to mint tokens at reduced cost or bypass supply caps entirely. By executing the defensive mint, all remaining tokens were secured before any exploitation could occur.

Overall Risk Profile: Low (Post-Mitigation)

Security Posture: All critical vulnerabilities mitigated. Collection fully minted and secured. Remaining medium and low-severity findings are acknowledged but do not pose immediate security threats.

Recommendation: The findings in this report serve as educational documentation for future contract development. Since all critical vulnerabilities have been mitigated through the defensive mint solution, no further remediation is required for the deployed contract. Future contracts should incorporate these learnings to follow security best practices from deployment.

Mony Vault — Blockchain Security Research
https://monygroup.net/secure