SAFU

Audit

KYC

No contract address

Audit Scope
Source Code
Contract Owner
Blockchain
Language
Compiler
Verified
Audit Method
Audit Date

Note that we only audited the code available to us on this URL at the time of the audit. If the URL is not from any block explorer (main net), it may be subject to change. Always check the contract address on this audit report and compare it to the token you are doing research for.

Audit Result
Latest update: Tue, 08 Nov 2022 14:29:28 +0100
Informational
Low-Risk
Medium-Risk
High-Risk

Contract Information

Total Supply
Decimals
Holders
License
Code
Ability to mint
Ability to blacklist
Max Transaction
Fee Limitation
Exclude from Fees
Contract Pausability

Audit Results

Informational (2)
Low-Risk (18)
Medium-Risk (7)
High-Risk (0)
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

CNS-014

No way to withdraw contract balance

Smart contracts can receive tokens and ether from external addresses. Some swap and liquidity-add operations can leave residual ether and tokens in the contract with no way to retrieve them.

Recommendation

To remove tokens and ether from the contract, add a withdraw function.
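The kind of withdraw function the recommendation asks for, as an added example rather than code from the audited contract: an owner-only sweep for ether and for any ERC-20 token that ends up in the contract. The minimal IERC20 interface, the owner handling and the event names are assumptions made for this example, not imports from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract's code. Minimal ERC-20 surface
// needed to sweep a token; a real deployment would import the standard interface.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract Sweepable {
    address public owner;

    event EtherSwept(address indexed to, uint256 amount);
    event TokensSwept(address indexed token, address indexed to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Accept plain ether transfers (for example leftovers from a swap).
    receive() external payable {}

    // Send the whole ether balance to `to`. A low-level call with a checked
    // return value is used instead of transfer(), so recipients that need
    // more than the 2300-gas stipend are not broken.
    function sweepEther(address payable to) external onlyOwner {
        require(to != address(0), "zero address");
        uint256 amount = address(this).balance;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ether transfer failed");
        emit EtherSwept(to, amount);
    }

    // Send the whole balance of an arbitrary ERC-20 token to `to`.
    // Tokens that return false on failure are caught by the require; tokens
    // that return no value at all will revert on the ABI decode and need a
    // SafeERC20-style wrapper instead.
    function sweepToken(address token, address to) external onlyOwner {
        require(to != address(0), "zero address");
        uint256 amount = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transfer(to, amount), "token transfer failed");
        emit TokensSwept(token, to, amount);
    }
}
```

If the contract also holds tokens that back user balances (a vault or a staking pool), the sweep must exclude that token, otherwise the withdraw function itself becomes a rug-pull vector; only truly stranded assets should be recoverable.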

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

CNS-015

Reliance on third-parties

The contract interacts with third-party protocols such as Uniswap and PancakeSwap. The audit's scope presupposes that these third parties perform as intended and treats them as black boxes. In practice, third parties can be compromised and used against you, and changes made by them may have negative side effects, such as higher transaction costs or the deprecation of older routers.

Recommendation

Regularly review third-party dependencies and, where required, mitigate the impact of changes to them.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

CNS-016

Initial supply

When the contract is deployed, the deployer receives the entire initial supply. Since the deployer and/or contract owner can distribute these tokens without consulting the community, this could be a problem.

Recommendation

Private keys belonging to the deployer and/or contract owner should be stored securely. The initial asset allocation should involve consultation with the community.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Contract does not use a ReentrancyGuard

One of the major dangers of calling external contracts is that they can take over the control flow. In the reentrancy attack (a.k.a. recursive call attack), a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways.

Exploit scenario

function withdrawBalance(){
    // send userBalance[msg.sender] Ether to msg.sender
    // if msg.sender is a contract, it will call its fallback function
    if( ! (msg.sender.call.value(userBalance[msg.sender])() ) ){
        throw;
    }
    // the balance is only zeroed after the external call: this is the reentrancy window
    userBalance[msg.sender] = 0;
}
Bob uses the reentrancy bug to call withdrawBalance twice and withdraws more than his initial deposit to the contract.

Recommendation

The best practices to avoid reentrancy weaknesses are: make sure all internal state changes are performed before the external call is executed (the Checks-Effects-Interactions pattern), or use a reentrancy lock (e.g. OpenZeppelin's ReentrancyGuard).
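The withdrawBalance() pattern from the exploit scenario, rewritten with both recommended defences, as an added example that is not code from the audited contract. The lock is written inline rather than imported from OpenZeppelin so the example is self-contained; the contract and function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract's code.
contract SafeVault {
    mapping(address => uint256) public userBalance;

    // Simple mutex: 1 = unlocked, 2 = locked. Non-zero values keep the slot
    // "dirty", which is cheaper than toggling between 0 and 1.
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function deposit() external payable {
        userBalance[msg.sender] += msg.value;
    }

    // Checks: the caller has something to withdraw.
    // Effects: the balance is zeroed BEFORE any external call.
    // Interactions: the ether is sent last, so a re-entering fallback sees a
    // zero balance (and is also stopped by the lock).
    function withdrawBalance() external nonReentrant {
        uint256 amount = userBalance[msg.sender];
        require(amount > 0, "nothing to withdraw");

        userBalance[msg.sender] = 0;

        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Checks-Effects-Interactions alone is enough to close this particular bug; the lock is added because it also protects every other function carrying the modifier from cross-function reentrancy, which the ordering rule on its own does not.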

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Outdated Compiler Version

Using an outdated compiler version can be problematic especially if there are publicly disclosed bugs and issues that affect the current compiler version.

Recommendation

It is recommended to use a recent version of the Solidity compiler.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Unchecked Call Return Value

The return value of a message call is not checked. Execution will resume even if the called contract throws an exception. If the call fails accidentally or an attacker forces the call to fail, this may cause unexpected behaviour in the subsequent program logic.

Example

pragma solidity 0.4.25;

contract ReturnValue {

  function callchecked(address callee) public {
    require(callee.call());
  }

  function callnotchecked(address callee) public {
    callee.call();
  }
}

Recommendation

If you choose to use low-level call methods, make sure to handle the possibility that the call will fail by checking the return value.
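The ReturnValue contract from the example above, rewritten for Solidity 0.8 as an added example (not code from the audited contract). In 0.8, call() returns (bool success, bytes memory returndata), and dropping `success` silently swallows the callee's revert; the checked version also bubbles the callee's revert reason and guards against a callee with no code, for which call() reports success even though nothing ran. Contract, function and event names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract's code.
contract ReturnValue08 {
    event Forwarded(address indexed callee, bool success);

    // Unsafe: `success` is dropped, so a failed callee leaves this function
    // succeeding as if nothing went wrong.
    function callNotChecked(address callee, bytes calldata data) external {
        callee.call(data);
    }

    // Safe: the target must actually be a contract (call() to an EOA or an
    // undeployed address returns success = true), the status is checked, and
    // the callee's revert data is re-thrown so the caller learns why it failed.
    function callChecked(address callee, bytes calldata data) external {
        require(callee.code.length > 0, "callee is not a contract");
        (bool success, bytes memory returndata) = callee.call(data);
        if (!success) {
            if (returndata.length > 0) {
                // Bubble up the original revert reason verbatim.
                assembly {
                    revert(add(returndata, 32), mload(returndata))
                }
            }
            revert("call failed");
        }
        emit Forwarded(callee, success);
    }
}
```

The code-length check matters for the "attacker forces the call to fail" case in the description: a self-destructed or never-deployed callee does not fail, it succeeds with empty return data, which can be just as surprising to the subsequent logic as a swallowed revert.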

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Floating Pragma

Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.

Example

pragma solidity ^0.4.0;

contract PragmaNotLocked {
    uint public x = 1;
}

Recommendation

Lock the pragma version and also consider known bugs (https://github.com/ethereum/solidity/releases) for the compiler version that is chosen.

Pragma statements can be allowed to float when a contract is intended for consumption by other developers, as in the case with contracts in a library or EthPM package. Otherwise, the developer would need to manually update the pragma in order to compile locally.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Function Default Visibility

Functions that do not have a function visibility type specified are public by default. This can lead to a vulnerability if a developer forgot to set the visibility and a malicious user is able to make unauthorized or unintended state changes.

Example

pragma solidity ^0.4.24;

contract HashForEther {

    function withdrawWinnings() {
        // Winner if the last 8 hex characters of the address are 0.
        require(uint32(msg.sender) == 0);
        _sendWinnings();
    }

    // No visibility specified: public by default, so anyone can call it directly.
    function _sendWinnings() {
        msg.sender.transfer(this.balance);
    }
}

Recommendation

Functions can be specified as external, public, internal or private. It is recommended to make a conscious decision on which visibility type is appropriate for each function; this can dramatically reduce the attack surface of a contract system.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Tautology or contradiction

Expressions that are tautologies or contradictions.

Example

contract A {
    function f(uint x) public {
        if (x >= 0) { // bad -- always true
        }
    }

    function g(uint8 y) public returns (bool) {
        return (y < 512); // bad!
    }
}

x is a uint256, so x >= 0 will always be true. y is a uint8, so y < 512 will always be true.

Recommendation

Fix the incorrect comparison by changing the value type or the comparison.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Write after write

Variables that are written but never read and written again.

Example

contract Buggy{
    function my_func() external initializer{
        // ...
        a = b;
        a = c;
        // ..
    }
}

`a` is first assigned the value of `b`, and then the value of `c`. As a result the first write does nothing.

Recommendation

Fix or remove the writes.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Divide before multiply

Solidity integer division might truncate. As a result, performing multiplication before division can sometimes avoid loss of precision.

Example

contract A {
    function f(uint n) public {
        coins = (oldSupply / n) * interest;
    }
}

If n is greater than oldSupply, coins will be zero. For example, with oldSupply = 5, n = 10 and interest = 2, coins will be zero.

If (oldSupply * interest / n) was used, coins would have been 1.
In general, it’s usually a good idea to re-arrange arithmetic to perform multiplication before division, unless the limit of a smaller type makes this dangerous.

Recommendation

Consider ordering multiplication before division.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Calls inside a loop

Calls inside a loop might lead to a denial-of-service attack.

Example

contract CallsInLoop{

    address[] destinations;

    constructor(address[] newDestinations) public{
        destinations = newDestinations;
    }

    function bad() external{
        for (uint i=0; i < destinations.length; i++){
            destinations[i].transfer(i);
        }
    }

}

If one of the destinations has a fallback function that reverts, bad will always revert.

Recommendation

Favor pull over push strategy for external calls.
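What "pull over push" looks like for the CallsInLoop contract above, as an added example that is not code from the audited contract: the loop only writes state, and each recipient collects its own share in a separate transaction, so one reverting recipient can no longer block everyone else. Contract, function and event names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract's code.
contract PullPayments {
    mapping(address => uint256) public pendingWithdrawals;

    event Credited(address indexed to, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);

    // Push side: the loop contains no external calls, only storage writes, so
    // a hostile destination cannot make it revert. The caller supplies the
    // destinations and amounts and funds them with msg.value.
    function credit(address[] calldata destinations, uint256[] calldata amounts)
        external
        payable
    {
        require(destinations.length == amounts.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < destinations.length; i++) {
            pendingWithdrawals[destinations[i]] += amounts[i];
            total += amounts[i];
            emit Credited(destinations[i], amounts[i]);
        }
        require(total == msg.value, "value mismatch");
    }

    // Pull side: one recipient, one external call; a reverting recipient
    // only blocks itself. The balance is zeroed before the call
    // (Checks-Effects-Interactions) so re-entering withdraw() pays nothing.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdraw failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

The loop is still bounded by the block gas limit, but that limit is now hit only by the caller who chose an oversized array, not by every recipient at once, and no single destination can hold the others' funds hostage.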

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Missing events arithmetic

Missing events for critical arithmetic parameters.

Example

contract C {

    modifier onlyOwner {
        if (msg.sender != owner) throw;
        _;
    }

    function setBuyPrice(uint256 newBuyPrice) onlyOwner public {
        buyPrice = newBuyPrice;
    }

    function buy() external {
     ... // buyPrice is used to determine the number of tokens purchased
    }
}

setBuyPrice() emits no event, so it is difficult to track changes in the buy price off-chain.

Recommendation

Emit an event for critical parameter changes.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Boolean equality

Detected the comparison to boolean constants.

Example

contract A {
    function f(bool x) public {
        // ...
        if (x == true) { // bad!
            // ...
        }
        // ...
    }
}

Boolean values can be used directly in conditions and do not need to be compared to true or false.

Recommendation

Remove the equality to the boolean constant.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Conformance to Solidity naming conventions

Solidity defines a naming convention that should be followed.

Recommendation

Follow the Solidity naming convention.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Costly operations inside a loop

Costly operations inside a loop might waste gas, so optimizations are justified.

Recommendation

Use a local variable to hold the loop computation result.

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Too many digits

Literals with many digits are difficult to read and review.

Example

contract MyContract{
    uint 1_ether = 10000000000000000000;
}

While 1_ether looks like 1 ether, it is 10 ether. As a result, it’s likely to be used incorrectly.

Recommendation

Update notes

No notes.
Low-Risk

Could be fixed, will not bring problems.

Error Code

Description

Missing zero address validation

Example

contract C {

  modifier onlyAdmin {
    if (msg.sender != owner) throw;
    _;
  }

  function updateOwner(address newOwner) onlyAdmin external {
    owner = newOwner;
  }
}

Bob calls updateOwner without specifying the newOwner, so Bob loses ownership of the contract.

Recommendation

Check that the address is not zero.
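The setBuyPrice() and updateOwner() setters from the "Missing events arithmetic" and "Missing zero address validation" findings above, rewritten together as one added example (not code from the audited contract) so that each critical parameter change is validated and emits an event that off-chain monitoring can index. The two-step ownership transfer, the contract name and the event names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract's code.
contract Administered {
    address public owner;
    address public pendingOwner;
    uint256 public buyPrice;

    event BuyPriceUpdated(uint256 oldPrice, uint256 newPrice);
    event OwnershipTransferStarted(address indexed current, address indexed pending);
    event OwnershipTransferred(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 initialBuyPrice) {
        require(initialBuyPrice > 0, "price is zero");
        owner = msg.sender;
        buyPrice = initialBuyPrice;
        emit OwnershipTransferred(address(0), msg.sender);
        emit BuyPriceUpdated(0, initialBuyPrice);
    }

    // Critical arithmetic parameter: log both the old and the new value so a
    // watcher can alert on a price change it did not expect.
    function setBuyPrice(uint256 newBuyPrice) external onlyOwner {
        require(newBuyPrice > 0, "price is zero");
        uint256 old = buyPrice;
        buyPrice = newBuyPrice;
        emit BuyPriceUpdated(old, newBuyPrice);
    }

    // The zero-address check stops the mistake in the finding (ownership
    // handed to address(0)); requiring the new owner to accept also stops a
    // typo in a non-zero address from permanently losing control.
    function updateOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        address previous = owner;
        owner = pendingOwner;
        pendingOwner = address(0);
        emit OwnershipTransferred(previous, owner);
    }
}
```

Emitting the previous value alongside the new one costs a few hundred gas and makes an indexer's job trivial: a single log line tells a monitor both what changed and by how much, without replaying earlier transactions.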

Update notes

No notes.
Buy fee 2%
Sell fee 2%
Transfer fee 2%
Disclaimer

This audit report has been prepared by Coinsult’s experts at the request of the client. In this audit, the results of the static analysis and the manual code review will be presented. The purpose of the audit is to see if the functions work as intended, and to identify potential security issues within the smart contract.

The information in this report should be used to understand the risks associated with the smart contract. This report can be used as a guide for the development team on how the contract could possibly be improved by remediating the issues that were identified.

Coinsult is not responsible if a project turns out to be a scam, rug-pull or honeypot. We only provide a detailed analysis for your own research.

Coinsult is not responsible for any financial losses. Nothing in this contract audit is financial advice, please do your own research.

The information provided in this audit is for informational purposes only and should not be considered investment advice. Coinsult does not endorse, recommend, support or suggest to invest in any project. 

Coinsult can not be held responsible for when a project turns out to be a rug-pull, honeypot or scam.
