
OpenZeppelin Audits VestingLabs FHE-Enhanced Token Disperse and Vesting Systems

OpenZeppelin completed a security audit of two Solidity repositories from VestingLabs: tokenops-fhe-disperse-v1 and tokenops-fhe-vesting-v2, both built on Zama's FHEVM (fully homomorphic encryption virtual machine). The audit reviewed 18 total issues (16 resolved, 1 partially resolved) with zero critical or high severity findings. Two medium-severity issues were identified and fully resolved, along with seven low-severity findings and seven informational notes.

The systems implement token operations where individual amounts remain encrypted on-chain using ERC-7984 confidential tokens. DisperseConfidential enables distributing encrypted tokens to multiple recipients in a single transaction via three modes (wallet-mode with gas fee, wallet-mode with token fee, and direct mode). ConfidentialVesting manages multi-recipient, multi-schedule token vesting with encrypted allocations, using a factory pattern with EIP-1167 minimal proxies and a split architecture (main contract + extension contract via DELEGATECALL) to stay under the 24 KB EVM size limit.

For wallet and key holders, the security implications center on the FHEVM's unique failure model. Encrypted computation results cannot be inspected or reverted on-chain, meaning silent transfer failures may occur (e.g., insufficient balance returns encrypted zero instead of reverting). User registration is required for the disperse system to deploy deterministic wallet clones. The FHEVM ACL is append-only, so decryption access granted to a previous recipient in vesting transfers cannot be revoked. Off-chain monitoring is a required component of the security model rather than optional. No private key leaks or critical vulnerabilities were found in the audited scope.

Key facts

  • Zero critical or high severity issues found across two repositories.
  • 18 total issues identified: 16 resolved, 1 partially resolved.
  • Medium issues involved silent transfer failures and ACL immutability risks.
  • Systems rely on FHEVM coprocessor integrity and off-chain monitoring.
  • Vesting uses three-layer architecture: factory, manager, extension via DELEGATECALL.
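
The silent-failure model described above, as an added example that is not code from the audit, OpenZeppelin, or VestingLabs: a plaintext Python model in which integers stand in for ciphertexts, showing why a batch disperse completes even when one payout moves nothing, and how an off-chain reconciliation catches it. The names ConfidentialToken, disperse and reconcile are hypothetical, and the monitor is assumed to hold decryption access to the moved amounts.

```python
# Plaintext model of FHEVM-style transfers (constructed example; all names hypothetical).
# Integers stand in for ciphertexts: the contract logic may never branch or revert on them.

class ConfidentialToken:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, recipient, amount):
        # Branch-free select: move `amount` if covered, otherwise move zero.
        # On chain the comparison result is encrypted too, so there is nothing to revert on.
        covered = self.balances.get(sender, 0) >= amount
        moved = amount if covered else 0
        self.balances[sender] = self.balances.get(sender, 0) - moved
        self.balances[recipient] = self.balances.get(recipient, 0) + moved
        return moved  # on chain this is an opaque handle, not a readable number


def disperse(token, sender, payouts):
    """Batch payout. The transaction completes whatever each transfer moved."""
    return {recipient: token.transfer(sender, recipient, amount)
            for recipient, amount in payouts.items()}


def reconcile(intended, decrypted):
    """Off-chain monitor: recipients whose decrypted amount differs from the plan.
    Assumes the monitor has been granted decryption access to the moved amounts."""
    return sorted(r for r, amount in intended.items() if decrypted.get(r) != amount)


def demo():
    token = ConfidentialToken({"distributor": 100})  # constructed balance
    plan = {"alice": 60, "bob": 60, "carol": 30}     # constructed payouts, total 150
    moved = disperse(token, "distributor", plan)
    return moved, reconcile(plan, moved), token.balances


if __name__ == "__main__":
    moved, short_paid, balances = demo()
    print("moved:", moved)
    print("short-paid recipients:", short_paid)
    print("final balances:", balances)
```

In the constructed run, the second payout silently moves zero while the later, smaller payout still succeeds, so neither transaction status nor the sender's remaining balance alone identifies which recipient was short-paid; only the per-recipient reconciliation does.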
