MIND Vesting

Smart Contract Audit Report

Audit Summary

MIND Vesting Audit Report BiggerMINDS is building a new token vesting mechanism where users can deposit tokens and claim them at a later date.

For this audit, we reviewed the project team's Vesting contract at 0x5C8a5E3C89F87169DCB7a60dAFea5baAfa2Aa95f on the Avalanche Mainnet.

We previously reviewed the project team's token contract here.

Audit Findings

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: March 7th, 2022.
Updated: March 11th, 2022 to reflect the contract's mainnet address.

Finding #1 - Vesting - Informational (Resolved)

Description: The following functions are declared public, but are never called internally.
accruedBalanceOf, flipProxyState
Recommendation: These functions should be declared external for additional gas savings on each call.
Resolution: The team has declared the above functions external.

Contract Overview

  • Any user can deposit tokens into the contract and be eligible to claim them at a later date.
  • The number of tokens that a user will deposit via the deposit() function is based on their token balance. The breakdown is as follows:
    • If a user's token balance is 20,000 or more, 90% of their tokens will be deposited.
    • If a user's token balance is between 10,000 and 19,999, 80% of their tokens will be deposited.
    • If a user's token balance is between 5,000 and 9,999, 75% of their tokens will be deposited.
    • If a user's token balance is between 2,000 and 4,999, 50% of their tokens will be deposited.
    • If a user's token balance is between 1,000 and 1,999, 25% of their tokens will be deposited.
  • Users can also elect to manually enter the number of tokens they wish to deposit.
  • Users must grant the Vesting contract address an allowance for the number of tokens they are attempting to deposit in order for a deposit to be successful.
  • The owner will set a vesting interval and total vesting period of the contract upon deployment.
  • Users can claim tokens once per vesting interval until the total vesting period has passed.
  • The number of tokens a user receives is proportional to the amount of time that has passed in the total vesting period.
  • Users will not be able to deposit tokens if they currently have any tokens deposited.
  • The owner can assign addresses to an Admin role. The assigned addresses (and the owner) have restricted access to specific functionality in the contract.
  • Assigned Admins can update the deposit token to any address at any time.
  • Assigned Admins can release the full number of deposited tokens to each user at any time.
  • Assigned Admins can update the claim interval and total vesting period to any values at any time.
  • Assigned Admins can approve accounts to claim tokes on behalf of any specified address. The claimed tokens will be sent to the specified user's wallet address.

  • The team must exercise caution when assigning the deposit token to avoid using an ERC-777 compliant token or any token that contains a fallback function.
  • The team must also exercise caution when assigning a fee-on-transfer token as the deposit token. If a fee-on-transfer token is used, then the contract must be exempt from transfer fees in order to avoid exploitation from an outside attacker that could mint an extremely large number of tokens that would make it possible to drain the liquidity pool.
  • As the contract is implemented with Solidity v0.8.x, it is safe from any possible overflows/underflows.

Audit Results

Vulnerability CategoryNotesResult
Arbitrary Jump/Storage WriteN/APASS
Centralization of Control
  • The team can update the deposit token to any address at any time.
  • The team can update the claim interval and total vesting period at any time.
    Compiler IssuesN/APASS
    Delegate Call to Untrusted ContractN/APASS
    Dependence on Predictable VariablesN/APASS
    Ether/Token TheftN/APASS
    Flash LoansN/APASS
    Front RunningN/APASS
    Improper EventsN/APASS
    Improper Authorization SchemeN/APASS
    Integer Over/UnderflowN/APASS
    Logical IssuesN/APASS
    Oracle IssuesN/APASS
    Outdated Compiler VersionN/APASS
    Race ConditionsN/APASS
    Signature IssuesN/APASS
    Unbounded LoopsN/APASS
    Unused CodeN/APASS
    Overall Contract Safety PASS

    Inheritance Chart

    Smart Contract Audit - Inheritance

    Function Graph

    Smart Contract Audit - Graph

    Functions Overview

     ($) = payable function
     # = non-constant function
     Int = Internal
     Ext = External
     Pub = Public
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
     + [Int] IERC20Metadata (IERC20)
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
     +  ERC20 (Context, IERC20, IERC20Metadata)
        - [Pub]  #
        - [Pub] name
        - [Pub] symbol
        - [Pub] decimals
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Pub] transfer #
        - [Pub] allowance
        - [Pub] approve #
        - [Pub] transferFrom #
        - [Pub] increaseAllowance #
        - [Pub] decreaseAllowance #
        - [Int] _transfer #
        - [Int] _mint #
        - [Int] _burn #
        - [Int] _approve #
        - [Int] _spendAllowance #
        - [Int] _beforeTokenTransfer #
        - [Int] _afterTokenTransfer #
     +  Ownable (Context)
        - [Pub]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
     +  Vesting (Ownable)
        - [Pub]  #
        - [Ext] deposit #
        - [Ext] depositAmount #
        - [Ext] claim #
        - [Pub] accruedBalanceOf
        - [Ext] isBeneficiary
        - [Ext] getPendingInterval
        - [Ext] setVestingPeriod #
           - modifiers: onlyAdmin
        - [Ext] setClaimInterval #
           - modifiers: onlyAdmin
        - [Ext] setToken #
           - modifiers: onlyAdmin
        - [Pub] flipProxyState #
           - modifiers: onlyAdmin
        - [Ext] releaseVesting #
           - modifiers: onlyAdmin
        - [Ext] setAdmins #
           - modifiers: onlyAdmin
        - [Int] _setAdmins #
        - [Ext] getAdmins

    About SourceHat

    SourceHat (formerly Solidity Finance - founded in 2020) has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1700+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
    Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

    Contact us today to get a free quote for a smart contract audit of your project!

    What is a SourceHat Audit?

    Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

    How Do I Interpret the Findings?

    Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

    • High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
    • Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
    • Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
    • Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.