Axia Protocol - Smart Contract Audit Report
Summary
The Axia Protocol is releasing a new series of NFTs that grant early access to owners as well as allowing staking to earn rewards in AXIA tokens.
For this audit, we reviewed the AxiaNFT Contract at 0xdec36edd4100f9b1b36f28f9f1ae36b174d11dd8 and the AXIATOKEN contract at 0x49690541e3f6e933a9aa3cffee6010a7bb5b72d7 on the Polygon Smart Chain.
Notes on the Contracts:
AxiaNFT Contract:AXIATOKEN contract:
- Any address that pays the minting cost is able to mint an Axia NFT once minting has been enabled.
- There are 3 separate tiers of NFTs with a cost associated with each.
- The minting cost is 0.3 ETH for Gold Card NFTs, 0.5 ETH for Platinum Card NFTs, and 1 ETH for Diamond Card NFTs.
- There is a total limit of 2300 Gold Card NFTs, 200 Platinum Card NFTs, and 50 Diamond NFTs.
- Users are able to stake NFTs for rewards. NFTs will be transferred to this contract while staked.
- Users are able to unstake their NFTs at anytime. This will transfer the NFT back to the user.
- The AXIATOKEN contract is used to track and distribute rewards as AXIA tokens.
- The owner is able to mint themselves any NFT, up to the total limit allowed, at any time.
- The owner is able to send themselves any Matic retained in the contract at any time.
- The owner is able to set the price for each tier of NFT to any value at any time.
- The owner has the ability to renounce ownership at any time. We recommend that the team do so.
Audit Findings Summary
- This contract is used to reward AxiaNFT stakers with rewards in AXIA tokens.
- The initial supply of 1.5 million AXIA tokens are minted to the owner upon deployment.
- The contract is ERC-20 compliant, all standard functionality is present.
- There is a maximum total supply of 4.1 million AXIA tokens, but as this is never enforced there is effectively no cap on potential token supply.
- Users are able to burn their tokens, reducing the total supply. They may also transfer to the 0x...dead address, if desired.
- Each NFT tier will receive a different proportion of dividends when staked.
- Users will receive their pending rewards when staking and unstaking NFTs as well as giving approval and transferring AXIA tokens.
- Tokens are emitted by the contract once per epoch, with the emitted tokens being split among various pools as well as NFT stakers.
- The user who triggered the emission that epoch will receive additional AXIA tokens as a reward.
- Emissions are constant for the first 10 epochs, and then will be reduced by half each subsequent epoch. Additionally, a small percentage of emitted tokens is retained by the contract and included in subsequent emissions.
- Users on the emissions whitelist are unable to trigger an emission.
- The owner may update the address for all of the pools and the NFT contract at any time.
- The owner may update the length of an epoch and set the time for the next epoch at any time.
- The owner may add and remove any address from the emissions whitelist at any time.
- The owner may reduce the total supply of the token at any time. The team must ensure caution when doing so as this functionality is not protected from underflow.
- The owner may update the percentage of emissions rewarded to each pool and the user that triggers an emission at any time.
- The owner may update the reward for each NFT type at any time.
- No external threats were identified.
- Ensure trust in the team as they have significant control within the ecosystem.
- Date: December 14th, 2021.
Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Centralization of Control | The team will be minted the total supply upon deployment and has the ability to update the contract addresses of various pools in addition to other owner specific functions outlined above. | WARNING |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
AxiaNFT Contract
($) = payable function
# = non-constant function
+ [Lib] SafeMath
- [Int] mul
- [Int] div
- [Int] sub
- [Int] add
+ ReentrancyGuard
+ [Int] ERC165
- [Ext] supportsInterface
+ ERC721Receiver
- [Pub] onERC721Received #
+ [Lib] AddressUtils
- [Int] isContract
+ Ownable
- [Pub] Constructor #
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ SupportsInterfaceWithLookup (ERC165)
- [Pub] Constructor #
- [Ext] supportsInterface
- [Int] _registerInterface #
+ ERC721Basic (ERC165)
- [Pub] balanceOf
- [Pub] ownerOf
- [Pub] exists
- [Pub] approve #
- [Pub] getApproved
- [Pub] setApprovalForAll #
- [Pub] isApprovedForAll
- [Pub] transferFrom #
- [Pub] safeTransferFrom #
- [Pub] safeTransferFrom #
+ ERC721Enumerable (ERC721Basic)
- [Pub] totalSupply
- [Pub] tokenOfOwnerByIndex
- [Pub] tokenByIndex
+ ERC721Metadata (ERC721Basic)
- [Ext] name
- [Ext] symbol
- [Pub] tokenURI
+ ERC721 (ERC721Basic, ERC721Enumerable, ERC721Metadata)
+ ERC721BasicToken (SupportsInterfaceWithLookup, ERC721Basic)
- [Pub] Constructor #
- [Pub] balanceOf
- [Pub] ownerOf
- [Pub] exists
- [Pub] approve #
- [Pub] getApproved
- [Pub] setApprovalForAll #
- [Pub] isApprovedForAll
- [Pub] transferFrom #
- modifiers: canTransfer
- [Pub] safeTransferFrom #
- modifiers: canTransfer
- [Pub] safeTransferFrom #
- modifiers: canTransfer
- [Int] isApprovedOrOwner
- [Int] _mint #
- [Int] _burn #
- [Int] clearApproval #
- [Int] addTokenTo #
- [Int] removeTokenFrom #
- [Int] checkAndCallSafeTransfer #
+ ERC721Token (SupportsInterfaceWithLookup, ERC721BasicToken, ERC721)
- [Pub] Constructor #
- [Ext] name
- [Ext] symbol
- [Pub] tokenURI
- [Pub] tokenOfOwnerByIndex
- [Pub] totalSupply
- [Pub] tokenByIndex
- [Int] _setTokenURI #
- [Int] addTokenTo #
- [Int] removeTokenFrom #
- [Int] _mint #
- [Int] _burn #
+ [Int] Axiacontract
- [Ext] ActivateNFT #
- [Ext] DeactivateNFT #
+ AxiaNFT (ERC721Token, Ownable)
- [Pub] Constructor #
- modifiers: ERC721Token
- [Pub] toggleTokenAddress #
- modifiers: onlyOwner
- [Pub] salesStatus #
- modifiers: onlyOwner
- [Pub] CardURI #
- modifiers: onlyOwner
- [Pub] CardMaxSupply #
- modifiers: onlyOwner
- [Pub] setCurrentPrice #
- modifiers: onlyOwner
- [Pub] NFTsale ($)
- [Pub] MintCard #
- modifiers: onlyOwner
- [Prv] PurchaseCard #
- [Pub] stakeNFT #
- [Pub] unstakeNFT #
- [Ext] myTokens
- [Ext] viewToken
- [Ext] getCurrentPrice
- [Int] PaymentSender #
- [Pub] clear #
- modifiers: onlyOwner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
AXIATOKEN Contract
($) = payable function
# = non-constant function
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ [Int] ERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] ASP
- [Ext] scaledToken #
- [Ext] totalFrozen
+ [Int] OSP
- [Ext] scaledToken #
- [Ext] totalFrozen
+ [Int] DSP
- [Ext] scaledToken #
- [Ext] totalFrozen
+ [Int] USP
- [Ext] scaledToken #
- [Ext] totalFrozen
+ [Int] NFT
- [Ext] ActivateNFT #
- [Ext] DeactivateNFT #
+ AXIATOKEN (ERC20)
- [Pub] Constructor #
- [Pub] poolconfigs #
- modifiers: onlyAdministrator
- [Pub] burningPoolconfigs #
- modifiers: onlyAdministrator
- [Pub] secondAndDay #
- modifiers: onlyAdministrator
- [Pub] nextEpoch #
- modifiers: onlyAdministrator
- [Pub] whitelistOnEmission #
- modifiers: onlyAdministrator
- [Pub] unwhitelistOnEmission #
- modifiers: onlyAdministrator
- [Pub] supplyeffect #
- modifiers: onlyBurningPool
- [Pub] poolpercentages #
- modifiers: onlyAdministrator
- [Pub] Burn #
- [Pub] balanceOf
- [Pub] NFTCardsRewardPercentages #
- modifiers: onlyAdministrator
- [Pub] toggleNFTAddress #
- modifiers: onlyAdministrator
- [Int] dividendsOf
- [Pub] totalFrozenA
- [Pub] frozenOfA
- [Pub] totalFrozenB
- [Pub] frozenOfB
- [Pub] totalFrozenC
- [Pub] frozenOfC
- [Pub] userDataA
- [Pub] userDataB
- [Pub] userDataC
- [Prv] scaledNFTToken #
- [Pub] ActivateNFT #
- modifiers: onlyNFT
- [Int] TakeDividends #
- [Pub] DeactivateNFT #
- modifiers: onlyNFT
- [Pub] transfer #
- [Pub] approve #
- [Pub] transferFrom #
- [Prv] _transfer #
- [Int] emittingAmount #
- [Pub] ospfrozen
- [Pub] dspfrozen
- [Pub] uspfrozen
- [Pub] aspfrozen
- [Pub] mulDiv
- [Prv] fullMul