MIND Vesting
Smart Contract Audit Report
Audit Summary
BiggerMINDS is building a new token vesting mechanism where users can deposit tokens and claim them at a later date.
For this audit, we reviewed the project team's Vesting contract at 0x5C8a5E3C89F87169DCB7a60dAFea5baAfa2Aa95f on the Avalanche Mainnet.
We previously reviewed the project team's token contract here.
Audit Findings
Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: March 7th, 2022.
Updated: March 11th, 2022 to reflect the contract's mainnet address.Finding #1 - Vesting - Informational (Resolved)
Description: The following functions are declared public, but are never called internally.Recommendation: These functions should be declared external for additional gas savings on each call.accruedBalanceOf, flipProxyState
Resolution: The team has declared the above functions external.
Contract Overview
- Any user can deposit tokens into the contract and be eligible to claim them at a later date.
- The number of tokens that a user will deposit via the deposit() function is based on their token balance. The breakdown is as follows:
- If a user's token balance is 20,000 or more, 90% of their tokens will be deposited.
- If a user's token balance is between 10,000 and 19,999, 80% of their tokens will be deposited.
- If a user's token balance is between 5,000 and 9,999, 75% of their tokens will be deposited.
- If a user's token balance is between 2,000 and 4,999, 50% of their tokens will be deposited.
- If a user's token balance is between 1,000 and 1,999, 25% of their tokens will be deposited.
- Users can also elect to manually enter the number of tokens they wish to deposit.
- Users must grant the Vesting contract address an allowance for the number of tokens they are attempting to deposit in order for a deposit to be successful.
- The owner will set a vesting interval and total vesting period of the contract upon deployment.
- Users can claim tokens once per vesting interval until the total vesting period has passed.
- The number of tokens a user receives is proportional to the amount of time that has passed in the total vesting period.
- Users will not be able to deposit tokens if they currently have any tokens deposited.
- The owner can assign addresses to an Admin role. The assigned addresses (and the owner) have restricted access to specific functionality in the contract.
- Assigned Admins can update the deposit token to any address at any time.
- Assigned Admins can release the full number of deposited tokens to each user at any time.
- Assigned Admins can update the claim interval and total vesting period to any values at any time.
- Assigned Admins can approve accounts to claim tokes on behalf of any specified address. The claimed tokens will be sent to the specified user's wallet address.
- The team must exercise caution when assigning the deposit token to avoid using an ERC-777 compliant token or any token that contains a fallback function.
- The team must also exercise caution when assigning a fee-on-transfer token as the deposit token. If a fee-on-transfer token is used, then the contract must be exempt from transfer fees in order to avoid exploitation from an outside attacker that could mint an extremely large number of tokens that would make it possible to drain the liquidity pool.
- As the contract is implemented with Solidity v0.8.x, it is safe from any possible overflows/underflows.
Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Jump/Storage Write | N/A | PASS |
| Centralization of Control | WARNING | |
| Compiler Issues | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Ether/Token Theft | N/A | PASS |
| Flash Loans | N/A | PASS |
| Front Running | N/A | PASS |
| Improper Events | N/A | PASS |
| Improper Authorization Scheme | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Oracle Issues | N/A | PASS |
| Outdated Compiler Version | N/A | PASS |
| Race Conditions | N/A | PASS |
| Reentrancy | N/A | PASS |
| Signature Issues | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unused Code | N/A | PASS |
| Overall Contract Safety | PASS |
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IERC20Metadata (IERC20)
- [Ext] name
- [Ext] symbol
- [Ext] decimals
+ ERC20 (Context, IERC20, IERC20Metadata)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _spendAllowance #
- [Int] _beforeTokenTransfer #
- [Int] _afterTokenTransfer #
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ Vesting (Ownable)
- [Pub] #
- [Ext] deposit #
- [Ext] depositAmount #
- [Ext] claim #
- [Pub] accruedBalanceOf
- [Ext] isBeneficiary
- [Ext] getPendingInterval
- [Ext] setVestingPeriod #
- modifiers: onlyAdmin
- [Ext] setClaimInterval #
- modifiers: onlyAdmin
- [Ext] setToken #
- modifiers: onlyAdmin
- [Pub] flipProxyState #
- modifiers: onlyAdmin
- [Ext] releaseVesting #
- modifiers: onlyAdmin
- [Ext] setAdmins #
- modifiers: onlyAdmin
- [Int] _setAdmins #
- [Ext] getAdmins About SourceHat
SourceHat (formerly Solidity Finance - founded in 2020) has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1700+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!
Contact us today to get a free quote for a smart contract audit of your project!
What is a SourceHat Audit?
Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.
How Do I Interpret the Findings?
Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:
- High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
- Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
- Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
- Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.