In DeFi, "audited" is a word that gets thrown around loosely. Some projects get a cursory review. Some get a review months before launch that is never updated. Catapult's relationship with Hashlock is different — and the implications for traders are significant.
Who is Hashlock?
Hashlock is a professional blockchain security firm that has audited some of the most high-profile protocols in the space, including Gala Games and PancakeSwap. They specialize in smart contract audits, economic model analysis, and on-chain mechanism verification. Their reports are technical, detailed, and publicly available.
What was audited?
The Hashlock audit of Catapult covered three layers:
- Smart contracts — all on-chain logic for token launches, fee distribution, and graduation mechanics was reviewed for known vulnerability classes (reentrancy, integer overflow, access control issues, etc.)
- The GBM pricing algorithm — the mathematical model and its on-chain commitment mechanism (the Keccak-256 hash commitment before trading opens) was verified to work as described
- LP burn mechanics — the mechanism that burns liquidity at token graduation was verified to make rug pulls impossible at the contract level
The rug-proof architecture
Traditional meme token platforms have a fundamental vulnerability: creators can dump their liquidity at any time. Catapult's architecture removes this option. When a token session ends and graduates, the LP is burned automatically by the smart contract. There is no function call that allows anyone — including the Catapult team — to drain the pool. The audit confirmed this.
On-chain price commitment
The GBM chart seed is committed to the blockchain via Keccak-256 hash before any trading session opens. After the session closes, the seed is revealed. The audit confirmed that this mechanism is cryptographically sound — it's computationally infeasible to find a different seed that produces the same hash, meaning the chart truly cannot be manipulated after the commitment is made.
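Added example, not taken from Catapult's contracts or Hashlock's report: a reveal check that recomputes Keccak-256 over a revealed seed and compares it with the commitment published before the session. Keccak-256 is implemented inline because Python's `hashlib.sha3_256` is NIST SHA-3, which pads differently and yields a different digest. Assumptions: the commitment is taken over the raw seed bytes (the page does not state the encoding), and `verify_reveal`, `SEED` and `COMMITMENT` are hypothetical names with constructed values.

```python
import hashlib

MASK = (1 << 64) - 1

def _rol(v, n):
    return ((v << n % 64) | (v >> (64 - n % 64))) & MASK

def _keccak_f(a):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, indexed a[x + 5*y]."""
    r = 1
    for _ in range(24):
        c = [a[x] ^ a[x+5] ^ a[x+10] ^ a[x+15] ^ a[x+20] for x in range(5)]  # theta
        d = [c[(x+4) % 5] ^ _rol(c[(x+1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        x, y, cur = 1, 0, a[1]  # rho and pi
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, a[x + 5*y] = a[x + 5*y], _rol(cur, (t+1)*(t+2)//2)
        for y in range(0, 25, 5):  # chi, one row at a time
            row = a[y:y+5]
            for x in range(5):
                a[y+x] = row[x] ^ (~row[(x+1) % 5] & row[(x+2) % 5])
        for j in range(7):  # iota, round constant from an LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                a[0] ^= 1 << ((1 << j) - 1)
    return a

def keccak256(data: bytes, suffix: int = 0x01) -> bytes:
    """Original Keccak-256 (suffix 0x01, as used by the EVM); 0x06 gives NIST SHA3-256."""
    rate = 136
    p = bytearray(data) + bytearray(rate - len(data) % rate)
    p[len(data)] ^= suffix  # domain bits + first padding bit
    p[-1] ^= 0x80           # final padding bit
    a = [0] * 25
    for off in range(0, len(p), rate):
        for i in range(rate // 8):
            a[i] ^= int.from_bytes(p[off + 8*i: off + 8*i + 8], "little")
        a = _keccak_f(a)
    return b"".join(lane.to_bytes(8, "little") for lane in a)[:32]

def verify_reveal(commitment_hex: str, revealed_seed: bytes) -> bool:
    """True only if the revealed seed hashes to the pre-session commitment."""
    h = commitment_hex[2:] if commitment_hex.startswith("0x") else commitment_hex
    return keccak256(revealed_seed) == bytes.fromhex(h)

# Constructed sample values, not taken from any real session.
SEED = bytes.fromhex("11" * 32)
COMMITMENT = "0x" + keccak256(SEED).hex()
SHA3_LOOKALIKE = hashlib.sha3_256(SEED).hexdigest()  # NIST SHA-3, a different function
```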
What the audit doesn't cover
The audit covers the smart contract and mechanism layer. It doesn't guarantee platform solvency, future team decisions, or off-chain operations. Traders should understand this distinction. The on-chain guarantees are strong. The overall platform investment still carries platform risk like any early-stage product.




