SCROOGE

Smart Contract Audit Report

Audit Summary

SCROOGE Audit Report SCROOGE is a new BEP-20 token on the Binance Smart Chain that is an automatic liquidity providing protocol that pays holders dividends in BUSD.

For this audit, we reviewed the project team's ScroogeToken contract and DividendTracker contract at 0xb72e9e91a4a15cf5aa37b9a8ae224ebb631ba14f on the Binance Smart Chain Mainnet.

Audit Findings

Low findings were identified and the team should consider resolving these issues. In addition, some centralized aspects are present.
Date: June 20th, 2023.
Finding #1 - ScroogeToken - Low
Description: The setTxLimit() and setMaxWalletLimit() functions both intend to enforce that the updated maximum transaction amount and maximum wallet amount cannot be set to lower than 5 million tokens (0.5% of the total supply), but the functions incorrectly divide by 1e9 in the below require statements enforcing a minimum limit of 0.005 tokens instead.
function setMaxWalletLimit(uint256 newLimit) external simpleGuard {
    require(
        newLimit >= ((totalSupply() * 5) / 1000) / 1e9,
        "Cannot set Max Wallet Amount lower than 0.5%"
    );

    _walletMax = newLimit;
}

function setTxLimit(uint256 newLimit) external simpleGuard {
    require(
        newLimit >= ((totalSupply() * 5) / 1000) / 1e9,
        "Cannot set Max Transaction Limit lower than 0.5%"
    );

    _maxTxAmount = newLimit;
}
Risk/Impact:: Both the maximum transaction amount and maximum wallet amount can be set as low as 0.005 tokens.
Recommendation: The division by 1e9 should be removed from both function's require statements to properly enforce that these values must be set to at least 5 million tokens as follows:
function setMaxWalletLimit(uint256 newLimit) external simpleGuard {
   require(
       newLimit >= ((totalSupply() * 5) / 1000),
       "Cannot set Max Wallet Amount lower than 0.5%"
   );

   _walletMax = newLimit;
}

function setTxLimit(uint256 newLimit) external simpleGuard {
   require(
       newLimit >= ((totalSupply() * 5) / 1000),
       "Cannot set Max Transaction Limit lower than 0.5%"
   );

   _maxTxAmount = newLimit;
}
Resolution: The team has not yet addressed this issue.

Finding #2 - ScroogeToken - Informational
Description: The shouldNotTakeFee() function contains redundant logic as the "else-if" and "else" branches both return false.
function shouldNotTakeFee(
    address sender,
    address recipient
) internal view returns (bool) {
    if (isExcludedFromFees[sender] || isExcludedFromFees[recipient]) {
        return true;
    } else if (isMarketPair[sender] || isMarketPair[recipient]) {
        return false;
    } else {
        return false;
    }
}
Recommendation: The shouldNotTakeFee() function could be modified as follows for additional gas savings on each transfer:
function shouldNotTakeFee(
    address sender,
    address recipient
) internal view returns (bool) {
    return isExcludedFromFees[sender] || isExcludedFromFees[recipient];
}
Finding #3 - ScroogeToken - Informational
Description: Although the SafeMath library is utilized, the contract is deployed with Solidity v0.8.18 which has built-in overflow/underflow checks.
Recommendation: SafeMath could be safely removed to reduce contract size, deployment costs, and gas costs on all transactions that utilize it.

Finding #4 - ScroogeToken - Informational
Description: The following state variables cannot be modified but are not declared constant.
_buyLiquidityFee, _buyMarketingFees, _buyRewardFee, _sellBurnFees, _sellLiquidityFee, _sellMarketingFees, _sellRewardFee, _snipingTime, feeDenominator
Recommendation: The team could declare the above state variables constant for additional gas savings on each reference.

Contracts Overview

The total supply of the token is set to 1 billion $CROOGE [1,000,000,000].

No mint or burn functions are publicly accessible; though the circulating supply can be reduced by sending tokens to the 0x..dead address if desired.

At the time of writing this report, there are 384 holders. The token allocation is as follows:

The first five EOAs own a cumulative 10% of the total supply.

3.47% of the total supply is in Pancakeswap liquidity.

Of that liquidity, 79.38% of the LP tokens belong to an unverified contract.

18.59% of the LP tokens have been sent to the 0x..dead address.

The contract enforces a maximum transaction amount which imposes a limit of 20 million tokens that can be transferred during any given transaction.

The contract enforces a maximum wallet amount that prevents a transfer from occurring if the recipient's token balance will exceed 20 million tokens after the transfer occurs.

Blacklisted accounts are prohibited from initiating transfers.

The contract previously featured an anti-sniper mechanism on buys and sells that added accounts to the transfer blacklist if 2 minutes had not yet passed since trading was enabled by the team.

There is a 1% Reward fee, 2% Liquidity fee, and 2% Marketing fee on all buys via Pancakeswap where neither the sender nor the recipient is excluded from fees.

There is a 4% Reward fee, 3% Liquidity fee, 2% Marketing fee, and 1% Burn fee on all sells via Pancakeswap where neither the sender nor the recipient is excluded from fees.

The tokens collected through fees are stored in the contract address. A portion of the tokens are swapped for BNB for the purpose of funding Pancakeswap liquidity and the Marketig wallet, and a portion of the tokens are allocated to dividend rewards when the following conditions are met:

The automatic liquidity add functionality is enabled by the team.

The threshold number of 2 million tokens in the contract address has been reached.

The contract is not currently performing an automatic liquidity add.

The caller is not initiating a buy transaction via Pancakeswap.

Liquidity-adds are automatically performed by selling the tokens collected as fees, pairing the received BNB with the token, and adding it as liquidity to the BNB pair.

The LP tokens received through this process are sent to the 0x..dead address.

The tokens collected through the Marketing Fee are swapped for BNB and sent to the team's Marketing Wallet.

The tokens collected from the Reward Fee are swapped for BUSD and sent to the DividendTracker contract where they are distributed as rewards.

The tokens collected from the Burn fee are burned to reduce the total supply.

As the contract is implemented with Solidity v0.8.x, it is safe from any possible overflows/underflows.

The contract complies with the BEP-20 token standard.

A user must own at least 100 tokens to be eligible for dividends.

Once dividends are distributed, they will need to be claimed; claiming happens automatically on each transfer.

Dividend rewards can also be claimed manually by kicking off the claim cycle, which will process all eligible token holders.

Alternatively, a user can manually claim dividends as an individual.

There is a 10-hour cool-down time between claiming dividend rewards.

Claimed dividends are sent to the user's wallet address.

Ownership Controls:

The deployer can exclude accounts from transfer fees and dividend rewards at any time.

The deployer can exclude accounts from the maximum transaction amount and maximum wallet amount restrictions at any time.

The deployer can set the maximum transaction amount and maximum wallet amount to 0.005 tokens or greater at any time.

The deployer can send the contract's BUSD and BNB balance to the team's Marketing wallet at any time.

Ownership has been renounced by the team.

The owner was previously able to enable trading for all users one time.

The owner was previously able to create a Pair address using a specified Router address at any time.

The owner was previously able to update the maximum amount of gas used for dividend processing to any value between 200,000 and 1 million at any time.

The owner was previously able to update the dividend claiming cool-down time to any value between 1 minute and 7 days at any time.

Audit Results

Vulnerability Category	Notes	Result
Arbitrary Jump/Storage Write	N/A	PASS
Centralization of Control	The deployer can set the maximum transaction amount and maximum wallet amount to 0.005 tokens or greater.	WARNING
Compiler Issues	N/A	PASS
Delegate Call to Untrusted Contract	N/A	PASS
Dependence on Predictable Variables	N/A	PASS
Ether/Token Theft	N/A	PASS
Flash Loans	N/A	PASS
Front Running	The automatic token swapping functionality may be susceptible to front-running.	PASS
Improper Events	N/A	PASS
Improper Authorization Scheme	N/A	PASS
Integer Over/Underflow	N/A	PASS
Logical Issues	The setTxLimit() and setMaxWalletLimit() functions both intend to enforce that the updated maximum transaction amount and maximum wallet amount cannot be set to lower than 5 million tokens (0.5% of the total supply), but the functions incorrectly divide by `1e9` causing the functions to enforce a minimum limit of 0.005 tokens instead.	PASS
Oracle Issues	N/A	PASS
Outdated Compiler Version	N/A	PASS
Race Conditions	N/A	PASS
Reentrancy	N/A	PASS
Signature Issues	N/A	PASS
Sybil Attack	N/A	PASS
Unbounded Loops	N/A	PASS
Unused Code	N/A	PASS
Overall Contract Safety		PASS

Inheritance Chart

Smart Contract Audit - Inheritance

Function Graph

Smart Contract Audit - Graph

Functions Overview


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Int] _checkOwner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20Metadata (IERC20)
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals

 +  ERC20 (Context, IERC20, IERC20Metadata)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Int] setAllowance #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _spendAllowance #
    - [Int] _beforeTokenTransfer #
    - [Int] _afterTokenTransfer #

 + [Lib] SafeMath 
    - [Int] tryAdd
    - [Int] trySub
    - [Int] tryMul
    - [Int] tryDiv
    - [Int] tryMod
    - [Int] add
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] mod
    - [Int] sub
    - [Int] div
    - [Int] mod

 + [Lib] SafeMathUint 
    - [Int] toInt256Safe

 + [Lib] SafeMathInt 
    - [Int] toUint256Safe

 + [Int] DividendPayingTokenInterface 
    - [Ext] dividendOf

 + [Int] DividendPayingTokenOptionalInterface 
    - [Ext] withdrawableDividendOf
    - [Ext] withdrawnDividendOf
    - [Ext] accumulativeDividendOf

 +  DividendPayingToken (ERC20, DividendPayingTokenInterface, DividendPayingTokenOptionalInterface)
    - [Pub] decimals
    - [Pub]  #
       - modifiers: ERC20
    - [Pub] distributeDividends #
    - [Int] _withdrawDividend #
    - [Pub] dividendOf
    - [Pub] withdrawableDividendOf
    - [Pub] withdrawnDividendOf
    - [Pub] accumulativeDividendOf
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _setBalance #

 + [Lib] IterableMapping 
    - [Pub] get
    - [Pub] getIndexOfKey
    - [Pub] getKeyAtIndex
    - [Pub] size
    - [Pub] set #
    - [Pub] remove #

 +  DividendTracker (Ownable, DividendPayingToken)
    - [Pub]  #
       - modifiers: DividendPayingToken
    - [Ext] excludeFromDividends #
       - modifiers: onlyOwner
    - [Pub] claimWaitSetup #
       - modifiers: onlyOwner
    - [Ext] getNumberOfTokenHolders
    - [Pub] getAccountData
    - [Pub] getAccountDataAtIndex
    - [Pub] claim #
       - modifiers: onlyOwner
    - [Prv] _canAutoClaim
    - [Pub] setBalance #
       - modifiers: onlyOwner
    - [Ext] process #
       - modifiers: onlyOwner

 +  DividendTrackerFunctions (Ownable)
    - [Int] _deployDividendTracker #
    - [Pub] gasForProcessingSetup #
       - modifiers: onlyOwner
    - [Ext] claimWaitSetup #
       - modifiers: onlyOwner
    - [Pub] excludeFromDividends #
    - [Pub] isExcludedFromDividends
    - [Ext] claim #
    - [Ext] getClaimWait
    - [Ext] getTotalDividendsDistributed
    - [Pub] withdrawableDividendOf
    - [Pub] dividendTokenBalanceOf
    - [Pub] dividendTokenTotalSupply
    - [Ext] getAccountDividendsInfo
    - [Ext] getAccountDividendsInfoAtIndex
    - [Ext] getLastProcessedIndex
    - [Pub] getNumberOfDividendTokenHolders
    - [Ext] process #

 + [Int] IPancakeSwapFactory 
    - [Ext] createPair #

 + [Int] IPancakeSwapRouter 
    - [Ext] factory
    - [Ext] WETH
    - [Ext] addLiquidityETH ($)
    - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
    - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

 +  ScroogeToken (ERC20, Ownable, DividendTrackerFunctions)
    - [Pub]  #
       - modifiers: ERC20
    - [Ext]  ($)
    - [Pub] decimals
    - [Pub] totalSupply
    - [Ext] enableTrading #
       - modifiers: onlyOwner
    - [Prv] swapTokens #
    - [Prv] _sendDividends #
    - [Int] _burn #
    - [Int] _mint #
    - [Int] swapBack #
       - modifiers: swapping
    - [Int] _transfer #
    - [Int] shouldNotTakeFee
    - [Ext] setupPair #
       - modifiers: onlyOwner
    - [Int] takeFee #
    - [Prv] addLiquidity #
    - [Pub] excludeFromDividends #
       - modifiers: simpleGuard
    - [Pub] excludeFromFees #
       - modifiers: simpleGuard
    - [Pub] excludeFromMaxWalletSize #
       - modifiers: simpleGuard
    - [Pub] excludeFromMaxTxAmount #
       - modifiers: simpleGuard
    - [Ext] setMaxWalletLimit #
       - modifiers: simpleGuard
    - [Ext] setTxLimit #
       - modifiers: simpleGuard
    - [Ext] rescueStuckDividends #
       - modifiers: simpleGuard
    - [Ext] rescueStuckBNB #
       - modifiers: simpleGuard

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.

Go Home