ETHP - Audit Report

Summary

ETHP ($ETHP) is a new ERC-20 token with automatic liquidity adds, a buyback system for burning supply, and dividends paid out in Wrapped Ether.

For this audit, we reviewed the ETHP(v2) and ETHPSwap contracts at commit ecac7b8922800355a813e3dfd06e00e72eb901af on the team's private GitHub Repository.

Notes on the ETHP Contract:

  • The total supply of the token is set to 1 quadrillion $ETHP [1,000,000,000,000,000].
  • No mint or burn functions are present beyond deployment, though the circulating supply can be reduced by sending tokens to the 0x..dead address if desired.
  • There was no token allocation for our team to analyze as the contract has yet to be deployed to the mainnet.

  • The team must manually enable trading in order for trading to take place on the platform. Only accounts that have been authorized can trade when trading is set to disabled. Once trading is enabled, it can never be disabled.
  • There is a tax fee charged on each transaction that gets stored in the contract balance; fees can be increased during a sell to the DEX up to a value proportional to the time left in the buyback multiplier period (if any).
  • Once a threshold value of tokens in the contract balance is met, a portion of the contract balance is swapped for AVAX and distributed as dividends, and another portion is sent to the marketing wallet which is controlled by the project team.
  • Another portion is allocated to funding liquidity, unless the liquidity cap set by the team has already been met.
  • Liquidity-adds are funded by selling half of the tokens allocated to funding liquidity, pairing the received AVAX with the token, and adding it as liquidity to the AVAX pair.
  • The newly created LP tokens are sent to the Liquidity wallet controlled by the team. We recommend that the team locks these newly acquired LP tokens.
  • If the auto buyback functionality is enabled, and the amount of AVAX in the contract reaches the autobuyback threshold value determined by the owner, the AVAX will be swapped for $ETHP tokens and sent to the burn address.

  • Any user that holds any amount of $ETHP tokens is eligible to claim dividends once the amount of dividends they are due reaches a minimum threshold value determined by the team.
  • Once dividends are distributed, they will need to be claimed; claiming happens automatically on each transfer.
  • Dividend rewards can also be claimed manually by kicking off the claim cycle, which will process all eligible token holders.
  • Alternatively, a user can manually claim dividends as an individual.
  • There is a wait-time between claiming dividend rewards.
  • Claimed dividends are sent to the user's wallet address.

Ownership Controls of the ETHP Contract:

  • The owner can assign multiple addresses to an 'authorized' role. The assigned addresses have access to specific functions in the contract.
  • Authorized addresses can set the total fees charged on transfers up to 25% at any time.
  • Authorized addresses can set the percentage of the fees allocated to any fund (liquidity, marketing, buyback, dividends) at any time.
  • Authorized addresses can exclude any address from transfer fees and dividends at any time.
  • Authorized addresses can update the minimum threshold value of rewards needed that determines when a user can claim their dividends.
  • Authorized addresses can set a maximum transaction limit which imposes a limit to the number of tokens that can be transferred via the DEX. Authorized addresses can also exclude accounts from this maximum transaction limit.
  • Authorized addresses can set a maximum wallet amount that prevents a transaction from occurring if the buyer's balance will exceed the set number of tokens after the transaction takes place. Authorized addresses can also exclude accounts from this maximum transaction limit.
  • Authorized addresses can automatically trigger a buyback at any time.
  • Authorized addresses can set or disable the buyback fee multiplier at any time.
  • Authorized addresses can disable the autobuyback system and set the threshold AVAX value to trigger a buyback.
  • Authorized addresses can disable the automatic liquidity adds at any time and set any threshold value related to it.
  • Authorized addresses can update the team's Liquidity wallet and Marketing wallet to any addresses at any time.
  • Authorized addresses can update the maximum amount of gas used for processing to a value up to 750,000 at any time.
  • Authorized addresses can update the amount of time a user must wait between claiming dividends to any value at any time.

Notes on the ETHPSwap Contract:

  • Users can call the swap() function to receive $ETHPv2 tokens equivalent to their current $ETHP token balance. The $ETHPv2 is funded by the contract address balance.
  • The token balance of the $ETHPv2 contract must hold a sufficient amount of tokens in order for token swaps to successfully occur.
  • The swap() function is designed to be called only once per user; however, the owner can allow certain accounts to call the swap() function multiple times. This would allow these accounts to own an amount of $ETHPv2 that is greater than their $ETHP token balance.
  • The owner can also disallow certain accounts from being able to call the swap() function.
  • The owner can withdraw any ERC-20 tokens and AVAX from the contract address at any time.
  • The team must properly set the $ETHPv2 token address in this contract after deployment as, in its current state, $ETHPv2 is set to the 0x00 address.
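
The ETHPSwap notes above interact: a finite $ETHPv2 balance combined with owner-granted repeat swaps means one over-allocated account can leave later holders unable to swap. The following model is an added example, not the project's Solidity; the `setSwapped(account, flag)` semantics, the read-only treatment of $ETHP balances, and all account names and amounts are assumptions constructed for illustration.

```python
# Added model of the ETHPSwap notes above; not the project's Solidity.
# Assumptions: setSwapped takes (account, flag); $ETHP balances are only read.
ZERO_ADDRESS = "0x" + "00" * 20

class SwapError(Exception):
    """Stands in for a Solidity revert."""

class SwapModel:
    def __init__(self, owner, v1_balances, v2_funding, v2_token=ZERO_ADDRESS):
        self.owner = owner
        self.v1 = dict(v1_balances)  # $ETHP balances (constructed sample data)
        self.v2 = {}                 # $ETHPv2 received per account
        self.pool = v2_funding       # $ETHPv2 held by the swap contract
        self.v2_token = v2_token     # stays 0x00 until the team sets it
        self.swapped = {}            # per-account "already swapped" flag

    def set_swapped(self, caller, account, flag):
        # Owner-only: False re-opens swap() for an account, True blocks it.
        if caller != self.owner:
            raise SwapError("caller is not the owner")
        self.swapped[account] = flag

    def swap(self, account):
        if self.v2_token == ZERO_ADDRESS:
            raise SwapError("v2 token address not set")
        if self.swapped.get(account, False):
            raise SwapError("already swapped")
        amount = self.v1.get(account, 0)
        if amount > self.pool:
            raise SwapError("insufficient v2 balance in swap contract")
        self.pool -= amount
        self.v2[account] = self.v2.get(account, 0) + amount
        self.swapped[account] = True
        return amount

    def over_allocated(self):
        # Accounts holding more $ETHPv2 than their $ETHP balance.
        return sorted(a for a, got in self.v2.items() if got > self.v1.get(a, 0))

def scenario():
    # Pool funded 1:1 for two constructed holders: alice=300, bob=700.
    m = SwapModel("owner", {"alice": 300, "bob": 700}, 1000, v2_token="0xV2")
    m.swap("alice")
    m.set_swapped("owner", "alice", False)  # owner re-opens swap() for alice
    m.swap("alice")                         # second payout: 600 v2 against 300 v1
    try:
        bob = m.swap("bob")
    except SwapError as exc:
        bob = str(exc)                      # pool is 400, bob needs 700
    return m.over_allocated(), bob, m.pool
```

After deployment, the same three conditions can be monitored on-chain: the configured $ETHPv2 address is non-zero, the swap contract's $ETHPv2 balance covers the $ETHP still eligible to swap, and no account has been re-opened for a repeat swap.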

Audit Findings Summary

  • No external threats were identified.
  • Please ensure trust in the team as they have substantial control in the ecosystem.
  • Date: January 9th, 2022

Audit Results

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Centralization of Control | The team can set total fees up to 25%. The token balance of the $ETHPv2 contract must be sufficient for users to successfully receive $ETHPv2 tokens equivalent to their $ETHP balance. The owner can allow specified accounts to own more $ETHPv2 than their current $ETHP balance. | WARNING |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unbounded Loop | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |

Details: ETHP Contract

BEP20 Token Graph

Multi-file Token

    ($) = payable function
     # = non-constant function
    
     + [Int] IDEXFactory 
        - [Ext] createPair #
    
     +  Auth 
        - [Pub]  #
        - [Pub] authorize #
           - modifiers: onlyOwner
        - [Pub] unauthorize #
           - modifiers: onlyOwner
        - [Pub] isOwner
        - [Pub] isAuthorized
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
    
     + [Lib] SafeMath 
        - [Int] tryAdd
        - [Int] trySub
        - [Int] tryMul
        - [Int] tryDiv
        - [Int] tryMod
        - [Int] add
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] mod
        - [Int] sub
        - [Int] div
        - [Int] mod
    
     + [Int] IBEP20 
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Int] IDEXRouter 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidityETH ($)
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     + [Int] IDividendDistributor 
        - [Ext] setDistributionCriteria #
        - [Ext] setShare #
        - [Ext] deposit ($)
        - [Ext] process #
    
     +  DividendDistributor (IDividendDistributor)
        - [Pub]  #
        - [Ext] setDistributionCriteria #
           - modifiers: onlyToken
        - [Ext] setShare #
           - modifiers: onlyToken
        - [Ext] deposit ($)
           - modifiers: onlyToken
        - [Ext] process #
           - modifiers: onlyToken
        - [Int] shouldDistribute
        - [Int] distributeDividend #
        - [Ext] claimDividend #
        - [Pub] getUnpaidEarnings
        - [Int] getCumulativeDividends
        - [Int] addShareholder #
        - [Int] removeShareholder #
    
     + [Int] IDEXAVAXRouter 
        - [Ext] factory
        - [Ext] WAVAX
        - [Ext] addLiquidity #
        - [Ext] addLiquidityAVAX ($)
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactAVAXForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForAVAXSupportingFeeOnTransferTokens #
    
     +  DEXAVAXRouter (IDEXRouter)
        - [Pub]  #
        - [Ext] getRouter
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidityETH ($)
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     +  ETHP (IBEP20, Auth)
        - [Pub]  #
           - modifiers: Auth
        - [Ext]  ($)
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Pub] balanceOf
        - [Ext] allowance
        - [Pub] approve #
        - [Ext] approveMax #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Int] _transferFrom #
        - [Int] _basicTransfer #
        - [Int] checkTxLimit
        - [Int] shouldTakeFee
        - [Int] takeFee #
        - [Pub] getSwapAmount
        - [Int] shouldSwapBack
        - [Int] swapBack #
           - modifiers: swapping
        - [Int] shouldAutoBuyback
        - [Ext] triggerZeusBuyback #
           - modifiers: authorized
        - [Ext] clearBuybackMultiplier #
           - modifiers: authorized
        - [Ext] enableTransfer #
           - modifiers: authorized
        - [Int] triggerAutoBuyback #
        - [Int] buyTokens #
           - modifiers: swapping
        - [Ext] Sweep #
           - modifiers: authorized
        - [Ext] setAutoBuybackSettings #
           - modifiers: authorized
        - [Ext] setBuybackMultiplierSettings #
           - modifiers: authorized
        - [Int] launched
        - [Pub] launch #
           - modifiers: authorized
        - [Ext] setMaxWallet #
           - modifiers: authorized
        - [Ext] setTxLimit #
           - modifiers: authorized
        - [Ext] setIsDividendExempt #
           - modifiers: authorized
        - [Ext] setIsFeeExempt #
           - modifiers: authorized
        - [Ext] setIsTxLimitExempt #
           - modifiers: authorized
        - [Pub] setFree #
           - modifiers: authorized
        - [Pub] unSetFree #
           - modifiers: authorized
        - [Pub] checkFree
           - modifiers: authorized
        - [Ext] setFees #
           - modifiers: authorized
        - [Ext] setFeeReceivers #
           - modifiers: authorized
        - [Ext] setSwapBackSettings #
           - modifiers: authorized
        - [Ext] setTargetLiquidity #
           - modifiers: authorized
        - [Ext] setDistributionCriteria #
           - modifiers: authorized
        - [Ext] setDistributorSettings #
           - modifiers: authorized
        - [Pub] getCirculatingSupply
        - [Pub] getLiquidityBacking
        - [Pub] isOverLiquified
        - [Prv] _checkAndApproveTokensForRouter #
    	
    	
    	

Details: ETHPSwap Contract

BEP20 Token Graph

Multi-file Token

    ($) = payable function
     # = non-constant function
    
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     +  Ownable (Context)
        - [Pub]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     +  ETHPSwap (Ownable)
        - [Ext] swap #
        - [Ext] setSwapped #
           - modifiers: onlyOwner
        - [Ext] withdrawTokens #
           - modifiers: onlyOwner
        - [Ext] withdrawETH #
           - modifiers: onlyOwner
        - [Ext]  ($)