# HATs Smart Contract Audit by Hexen

## Commit to be audited

`1272ef58df5d65fcc8d4cddbb23772cd4a6a5cf3` in https://github.com/hats-finance/hats-contracts

## Scope

The scope of the audit is the following contracts in the repository:

```
contracts
├── HATTimelockController.sol
├── HATVault.sol
├── HATVaultsRegistry.sol
├── RewardController.sol
├── interfaces
│   ├── IHATVault.sol
│   ├── IHATVaultsRegistry.sol
│   ├── IRewardController.sol
│   └── ISwapRouter.sol
```

With respect to the other contracts:

- the `HATToken` contract has been reviewed several times and has not changed since, so it does not need your attention.
- the `TokenLock` contracts have remained mostly unchanged, but we did add a `sweepToken` function that we would like you to look at.

## Specific areas of attention

"Rug-pull" vectors. We tried to design the system so that no single party can empty the vault by itself. In addition, there should be:

- no way for governance (i.e. the owner of the registry) and `vault.owner` to collude and take all assets from the vault
- no way for `vault.committee` and `vault.owner` to collude to take all vault assets