AI+Meme: Analysis of Virtuals Protocol and Clanker

Intermediate | 1/13/2025, 7:59:19 AM
With the recent security incidents of Spectral and previous security audits of memecoin launchpads such as Tokr.fun, Pumpup, and Pump404, we will provide an in-depth analysis of the core mechanisms of Virtuals Protocol and Clanker and a detailed interpretation of their functional design, including token minting, fee models, liquidity and other key features, while helping users understand their security points.

With the rapid development of memecoins, Virtuals Protocol and Clanker are at the forefront of innovation, incorporating AI agents to attract a large number of users. However, as AI + memecoin projects have exploded in popularity, security incidents on similar platforms have once again emphasized the importance of smart contract security.

With the recent security incidents of Spectral and previous security audits of memecoin launchpads such as Tokr.fun, Pumpup, and Pump404, Beosin will provide an in-depth analysis of the core mechanisms of Virtuals Protocol and Clanker and a detailed interpretation of their functional design, including token minting, fee models, liquidity and other key features, while helping users understand their security points.

Spectral Security Incident

On December 1, Spectral said that the Bonding Curve contract of its Syntax platform had a vulnerability, that about $200,000 of liquidity had been removed, and that access to the Syntax platform had been temporarily suspended.

According to the analysis, the vulnerability is due to an unlimited authorization in AgentToken.sol. When the AutonomousAgentDeployer calls the transferFrom function in AgentToken, the Syntax platform takes a tax. The transferFrom function contains an unlimited authorization (line 90), which allows AgentBalances to spend or transfer AgentTokens from the AutonomousAgentDeployer without limit.

The attacker transfers AgentTokens by invoking AgentBalances, so the number of AgentTokens held by the AutonomousAgentDeployer decreases. This causes errors in the Bonding Curve's price calculation: the price of AgentToken was falsely increased, and the hackers then exchanged a portion of AgentToken for a large amount of $SPEC tokens, resulting in losses for the Spectral protocol.

In this security incident, a flaw in the logical design of the contract allowed hackers to manipulate the price through the Bonding Curve. Spectral has now fixed the vulnerability, and the protocol will resume operations after an audit.
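The following Python model is an added example, not Spectral's contract code and not code from the original article. It assumes a simplified curve that prices the token as SPEC reserve divided by the deployer's token balance, a 1% tax and constructed balances, and it shows how a standing unlimited approval lets the quoted price move without any trade, next to two mitigations: exact-amount approval and pricing from internally accounted supply.

```python
UNLIMITED = 2**256 - 1
DEPLOYER, HELPER = "AutonomousAgentDeployer", "AgentBalances"
USER, OTHER = "user", "other"          # constructed accounts

class Token:
    """Minimal ERC-20-style ledger (hypothetical model, not AgentToken.sol)."""
    def __init__(self, exact_approval):
        self.exact_approval = exact_approval      # True = hardened behaviour
        self.bal = {DEPLOYER: 1_000_000, USER: 10_000}
        self.allow = {}                           # (owner, spender) -> allowance

    def transfer_from(self, caller, src, dst, amount, tax_bps=100):
        """Move `amount` from src to dst; HELPER then collects the tax from caller."""
        tax = amount * tax_bps // 10_000
        # The flaw being modelled: an unlimited approval instead of exactly `tax`.
        self.allow[(caller, HELPER)] = tax if self.exact_approval else UNLIMITED
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount
        self.spend(HELPER, caller, HELPER, tax)

    def spend(self, spender, owner, dst, amount):
        """Allowance-checked transfer, as in ERC-20 transferFrom."""
        left = self.allow.get((owner, spender), 0)
        if amount > left or amount > self.bal[owner]:
            raise PermissionError("allowance or balance exceeded")
        if left != UNLIMITED:
            self.allow[(owner, spender)] = left - amount
        self.bal[owner] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

def run(exact_approval, internal_accounting, spec_reserve=50_000):
    """Return (price_before, price_after, moved, invariant_ok)."""
    t = Token(exact_approval)
    t.transfer_from(DEPLOYER, USER, DEPLOYER, 1_000)   # legitimate taxed trade
    accounted = t.bal[DEPLOYER]                         # curve's own bookkeeping
    price = lambda: spec_reserve / (
        accounted if internal_accounting else t.bal[DEPLOYER])
    before = price()
    try:  # out-of-band move through HELPER, with no trade on the curve
        t.spend(HELPER, DEPLOYER, OTHER, 900_990)
        moved = True
    except PermissionError:
        moved = False
    # Invariant worth monitoring: accounted supply equals the real balance.
    return before, price(), moved, accounted == t.bal[DEPLOYER]

if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (False, True)]:
        print(cfg, run(*cfg))
```

Pricing from internal accounting keeps the quote stable, but the tokens still leave the deployer in that configuration, so the broken invariant remains the signal to alert on.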

Virtuals Protocol

Virtuals Protocol is built on the Base chain and provides a protocol for creating, owning, using, and tokenizing AI agents. An Initial Agent Offering (IAO) allows users to easily create or purchase tokens for related AI agents and interact with them.

When creating an AI Agent, Virtuals Protocol generates a corresponding Bonding Curve. Before the AI Agent can interact with users, its corresponding token (FERC20 format) must have a market value of $420,000. The Bonding Curve only accepts $VIRTUAL tokens for payment.

FERC20 is Virtuals Protocol’s custom ERC20 token format, which primarily limits the number of tokens that can be transferred per transaction:

After the token's market value has reached the required level, FERC20 token holders can exchange their tokens for the corresponding AI Agent tokens via “unwrap” for trading on Uniswap V2’s liquidity pool.

Currently, Virtuals Protocol has upgraded its core contract to AgentFactoryV4, which consists of 3 key components: Agent Token, NFT for AI Agent, and Governance (veToken and DAO):

1. Agent Token

The AgentToken is a standard ERC-20 Token that can be created by calling executeApplication() and then _createNewAgentToken().

There is a transaction tax on Agent tokens. Virtuals Protocol will convert the earned taxes into $VIRTUAL and repurchase and destroy the corresponding Agent tokens.

2. NFT

NFT serves as an anchor for AI agents in Virtuals Protocol, storing key information related to their functions:

In addition, there is a special class of NFT in Virtuals Protocol, the Contribution NFT, which is used to record a user’s contribution (whether there is an enhanced model, whether the data set has been expanded, etc.) so that the corresponding user can be rewarded by a DAO vote. Any user can earn the transaction/token income of the AI Agent through the Contribution NFT. It should be noted that the Admin address can directly create a reward proposal without voting.

3. veToken and DAO

Users can pledge Agent Token/$VIRTUAL LP tokens to receive Agent veTokens. These veTokens represent the user’s voting rights in the DAO. When a proposal to update the AI Agent is made, the DAO evaluates a score through interaction to decide whether to update the AI Agent:

Virtuals Protocol is complex, and once AI Agent tokens are ready to be traded, liquidity injection and transaction taxes are involved. Developers need to pay attention to address verification, permission checks, reentrancy, and the correctness of the code implementation.

Clanker World

Clanker World is a Farcaster-based token issuance protocol: from a Farcaster client such as Warpcast, a user tags @Clanker and tells it about the token, and Clanker deploys the token on Base.

Due to the combination of the AI Agent, meme platform and Web3 social hotspots, Clanker attracted a lot of attention, with more than 3,500 tokens issued and approximately $9.7 million in negotiated revenue.

Clanker’s core contract, Clanker.sol (0x9B84fcE5Dcd9a38d2D01d5D72373F6b6b067c3e1), is responsible for token deployment:

1. Create tokens

Mint new ERC-20 tokens into the deployer contract:

2. Create a Uniswap V3 liquidity pool

Create and complete the initialization of the liquidity pool:

Create new liquidity positions for the newly deployed token and WETH, with a default fee of 1% for liquidity positions.

3. Lock in liquidity

Create a liquidity locker address:

Transfer the authority of the liquidity pool to the locker address and complete initialization:

Clanker's contract is clear and simple, and does not use a Bonding Curve to price tokens. Instead, Clanker taxes token transactions to reduce complexity. Users need to be aware of the access control issue in Clanker’s contract: the contract owners can upgrade or deprecate the contract. Currently, the Clanker contract uses a 3-3 multi-sig to reduce this risk to some extent.

Summary

In this article, we have analyzed the contract code of Virtuals Protocol and Clanker, including their token minting, liquidity pool creation, and other important functions. Developers still need to pay attention to security at both the project operation level and the contract business logic level, especially in terms of rights management, and beware of asset losses due to incorrect upgrades or improper design in the code.

Disclaimer:

  1. This article is reprinted from [beosin]. All copyrights belong to the original author [beosin]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
