Monkey King
Smart Contract Audit Report
Audit Summary
Monkey King is a new ERC-20 token that is an automatic liquidity providing protocol.
For this audit, we reviewed the project team's MonkeyKing contract at 0xA3ec7DF93090f4DE46FaEA09F73cc40ebe7dD714 on the Ethereum Mainnet.
Audit Findings
All findings have been resolved, though some centralized aspects are present.
Date: September 1st, 2022.
Updated: September 8th, 2022 to reflect the project's newly deployed Mainnet address.Finding #1 - MonkeyKing - High (Resolved)
Description: Token transfers do not transfer delegates along with the token.
Risk/Impact: Delegatees will retain their votes even if a transfer occurs. This can result in additional votes being created through the use of transfers.
Recommendation: The _transfer() function should add the appropriate _moveDelegates() call.
Resolution: The team has implemented the above recommendation.
Finding #2 - MonkeyKing - Informational (Resolved)
Description: ThenotBlockAddrmodifier is not used in the contract.
Recommendation: This modifier should either be removed to reduce contract size and deployment costs or utilized in a way that fits the project team's intended functionality.
Resolution: The team has implemented the above recommendation.
Contract Overview
Ownership Controls:
- The total supply of the token is set to 1 billion $WUKONG [1,000,000,000].
- The Minter role can mint any number of tokens to any address at any time.
- The owner can mint any number of tokens to any address at any time. Delegates are not transferred through the use of this mint() function.
- The owner can manually delegate votes from their own tokens to their own address or another address at any time after the tokens have been minted.
- No burn functions exist, though the circulating supply can be decreased by sending tokens to the 0x..dead address.
- At the time of writing this report, 100% of the total supply belongs to the owner.
- The $WUKONG token represents votes intended to be used in a DAO where one token represents one vote.
- Users may delegate their votes to another address allowing them to vote on behalf of the user.
- Once votes are delegated, the user must explicitly delegate back to themselves to regain their votes.
- Users also have the option to delegate through the use of a signed message, allowing for a gasless delegation for the user.
- Trading must be enabled by the team in order for all transfers to take place on the platform. Only accounts that have been excluded by the team can participate in transfers when trading is disabled.
- The contract enforces a maximum transaction amount (determined by the owner) which imposes a limit to the number of tokens that can be transferred during any given transaction.
- The contract enforces a maximum wallet amount that prevents a transfer from occurring if the recipient's token balance will exceed the limit number of tokens (determined by the owner) after the transfer occurs.
- Blacklisted users are prohibited from participating in transfers.
- There is a Liquidity fee and Burn fee on all transfers where neither the sender nor the recipient is excluded from fees.
- The Liquidity fee charged during transfers is stored in the contract address. The tokens are swapped for ETH for the purpose of funding Uniswap liquidity when the following conditions are met:
- The automatic liquidity add functionality is enabled by the team.
- The threshold number of tokens (determined by the owner) in the contract address has been reached.
- The contract is not currently performing an automatic liquidity add.
- The caller is not initiating a buy transaction via Uniswap.
- The owner is not initiating the transfer.
- Liquidity-adds are automatically performed by selling the tokens collected as fees, pairing the received ETH with the token, and adding it as liquidity to the ETH pair.
- The LP tokens received through this process are sent to the Operator address. We recommend the team lock these newly acquired LP tokens.
- The tokens collected through the Burn fee are sent to the 0x..dead address.
- Any user can airdrop any number of tokens to any number of addresses at any time. A for loop is used to transfer funds for the airdrop; The team must ensure the maximum number of addresses that can be involved in a single airdrop is no more than 350 to prevent this loop from hitting the block gas limit.
- The contract utilizes the SafeMath library to protect against any possible overflows/underflows.
- The contract complies with the ERC-20 token standard.
- The deployer is automatically assigned to the Operator role. This role is used to maintain control over the various role-restricted functions within the contract.
- The Operator can update total fees to any value up to 10% at any time.
- The Operator can update the Burn rate to any value up to 100 at any time.
- The Operator can set the maximum transfer amount rate to any value up to 10,000 at any time.
- The Operator can exclude and include accounts from the maximum transfer amount restriction at any time.
- The Operator can enable/disable automatic liquidity adds at any time.
- The Operator can update the threshold number of tokens needed to trigger an automatic liquidity add to any value at any time.
- The Operator can update the Router address at any time.
- The owner can set the maximum wallet amount to any value at any time.
- The owner can enable/disable trading at any time.
- The owner can add/remove addresses from the Minter role at any time.
- The owner can add/remove addresses from the transfer blacklist at any time.
Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Jump/Storage Write | N/A | PASS |
| Centralization of Control |
|
WARNING |
| Compiler Issues | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Ether/Token Theft | N/A | PASS |
| Flash Loans | N/A | PASS |
| Front Running |
The automatic token swapping functionality may be susceptible to front-running. The team must monitor, and if any suspicious activity is detected, should lower the minAmountToLiquify threshold value.
|
PASS |
| Improper Events | N/A | PASS |
| Improper Authorization Scheme | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Oracle Issues | N/A | PASS |
| Outdated Compiler Version | N/A | PASS |
| Race Conditions | N/A | PASS |
| Reentrancy | N/A | PASS |
| Signature Issues | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unused Code | The notBlockAddr modifier is not used in the contract.
|
PASS |
| Overall Contract Safety | PASS |
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ BEP20 (Context, IBEP20, Ownable)
- [Pub] #
- [Ext] getOwner
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Pub] mint #
- modifiers: onlyOwner
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _burnFrom #
+ [Int] IUniswapV2Router01
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] removeLiquidity #
- [Ext] removeLiquidityETH #
- [Ext] removeLiquidityWithPermit #
- [Ext] removeLiquidityETHWithPermit #
- [Ext] swapExactTokensForTokens #
- [Ext] swapTokensForExactTokens #
- [Ext] swapExactETHForTokens ($)
- [Ext] swapTokensForExactETH #
- [Ext] swapExactTokensForETH #
- [Ext] swapETHForExactTokens ($)
- [Ext] quote
- [Ext] getAmountOut
- [Ext] getAmountIn
- [Ext] getAmountsOut
- [Ext] getAmountsIn
+ [Int] IUniswapV2Router02 (IUniswapV2Router01)
- [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
- [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
- [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
- [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
- [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
+ [Int] IUniswapV2Pair
- [Ext] name
- [Ext] symbol
- [Ext] decimals
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] allowance
- [Ext] approve #
- [Ext] transfer #
- [Ext] transferFrom #
- [Ext] DOMAIN_SEPARATOR
- [Ext] PERMIT_TYPEHASH
- [Ext] nonces
- [Ext] permit #
- [Ext] MINIMUM_LIQUIDITY
- [Ext] factory
- [Ext] token0
- [Ext] token1
- [Ext] getReserves
- [Ext] price0CumulativeLast
- [Ext] price1CumulativeLast
- [Ext] kLast
- [Ext] mint #
- [Ext] burn #
- [Ext] swap #
- [Ext] skim #
- [Ext] sync #
- [Ext] initialize #
+ [Int] IUniswapV2Factory
- [Ext] feeTo
- [Ext] feeToSetter
- [Ext] getPair
- [Ext] allPairs
- [Ext] allPairsLength
- [Ext] createPair #
- [Ext] setFeeTo #
- [Ext] setFeeToSetter #
+ [Lib] EnumerableSet
- [Prv] _add #
- [Prv] _remove #
- [Prv] _contains
- [Prv] _length
- [Prv] _at
- [Int] add #
- [Int] remove #
- [Int] contains
- [Int] length
- [Int] at
- [Int] add #
- [Int] remove #
- [Int] contains
- [Int] length
- [Int] at
+ MonkeyKing (BEP20)
- [Pub] #
- modifiers: BEP20
- [Pub] mint #
- modifiers: onlyMinter
- [Int] _transfer #
- modifiers: antiWhale
- [Prv] swapAndLiquify #
- modifiers: lockTheSwap,transferTaxFree
- [Prv] swapTokensForEth #
- [Prv] addLiquidity #
- [Pub] maxTransferAmount
- [Pub] isExcludedFromAntiWhale
- [Ext] ($)
- [Pub] updateTransferTaxRate #
- modifiers: onlyOperator
- [Pub] updateBurnRate #
- modifiers: onlyOperator
- [Pub] updateMaxTransferAmountRate #
- modifiers: onlyOperator
- [Pub] updateMinAmountToLiquify #
- modifiers: onlyOperator
- [Pub] setExcludedFromAntiWhale #
- modifiers: onlyOperator
- [Pub] updateSwapAndLiquifyEnabled #
- modifiers: onlyOperator
- [Pub] updateWukongRouter #
- modifiers: onlyOperator
- [Pub] operator
- [Pub] transferOperator #
- modifiers: onlyOperator
- [Ext] delegates
- [Ext] delegate #
- [Ext] delegateBySig #
- [Ext] getCurrentVotes
- [Ext] getPriorVotes
- [Int] _delegate #
- [Int] _moveDelegates #
- [Int] _writeCheckpoint #
- [Int] safe32
- [Int] getChainId
- [Pub] addMinter #
- modifiers: onlyOwner
- [Pub] delMinter #
- modifiers: onlyOwner
- [Pub] getMinterLength
- [Pub] isMinter
- [Pub] getMinter
- modifiers: onlyOwner
- [Pub] addBlockAddr #
- modifiers: onlyOwner
- [Pub] delBlockAddr #
- modifiers: onlyOwner
- [Pub] getBlockAddrLength
- [Pub] isBlockAddr
- [Pub] getBlockAddr
- modifiers: onlyOwner
About SourceHat
SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1300+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value across 1500 projects!.
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!
Contact us today to get a free quote for a smart contract audit of your project!
What is a SourceHat Audit?
Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.
How Do I Interpret the Findings?
Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:
- High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
- Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
- Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
- Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.