SmoltingInu
Smart Contract Audit Report
Audit Summary
SmoltingInu is a fee-on-transfer token with automatic liquidity adds and unique reward properties.
For this audit, we reviewed the project team's SmoltingInu contract at 0xaab679e21a9c73a02c9ed33bbb6bb9e59f11afa9 on the Ethereum Mainnet.
Audit Findings
Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: April 29th, 2022.Finding #1 - SmoltingInu - Low
Description: The owner can use themanualFulfillRandomWords()function to settle any user's wager with a specified random number.
Risk/Impact: The owner could use the function to manually determine the outcome of specified user wager entries.
Recommendation: The function should be removed from the contract.
Resolution: The team has not yet addressed this issue.
Contract Overview
- The total supply of the $SMOL token is currently set to 967 thousand (967,921).
- At the time of writing this report, there are 836 total token holders. The token allocation is as follows:
- 4.10% of the total supply is held by an unverified user address.
- 4.49% of the total supply is held in Uniswap liquidity.
- Of that liquidity, 50.48% of the LP tokens are stored in a Unicrypt Liquidity Locker and will vest to the team on May 31st, 2022 at 4:00:00 PM GMT.
- 49.25% of the LP tokens are held by the owner address.
- The next five holders own a cumulative 12.35% of the total supply.
- There is a maximum transfer amount of 2% of the total supply within the first 15 minutes of deployment for all users except the owner.
- Addresses that attempt to buy tokens within the first 2 blocks after launch are automatically added to the blacklist.
- There is a tax charged on all buy and sell transactions while swapping and taxes are enabled for any non-exempted users; funds collected through taxes are held by the contract address.
- The tax amount is calculated based on the total tax value and the transaction amount; the total tax value is the combination of the LP and buyer tax amounts.
- The tax amount can be increased by the sell tax multiplier if it is a sell transaction and taxes are elevated for the user address.
- Users that wager a portion of their balance gain exemption from elevated taxes on their next transaction.
- On all transfers, the user address that has purchased the most tokens in a single transaction receives a reward amount for every hour.
- The reward amount is determined based on the biggest buyer reward rate set by the owner and the contract's ETH balance; the ETH balance within the contract after the reward is transferred must be at least equal to the reward amount.
- The swap process is triggered once the contract's token balance reaches the swap threshold while swapping is enabled; the swap process threshold is checked on every transfer.
- The swap threshold is calculated based on the Uniswap pair token balance and the Liquify rate.
- During the swap process, liquidity-adds are funded by selling a calculated amount of the tokens allocated to funding liquidity, pairing the received ETH with the token, and adding it as liquidity to the ETH pair; the owner address receives the LP tokens from adding liquidity unless there is a Treasury address set.
- The amount of tokens to be sold is calculated based on the LP tax amount, the swap threshold amount, and the total tax amount.
- On sell transactions, a calculated amount is added to the LP token nuke amount; the amount is based on the transaction amount after taxes have been deducted and the nuke percent rate.
- Users can call the
_lpTokenNuke()function while the LP token nuke functionality is enabled and the LP token nuke amount has not surpassed 20% of the $SMOL token balance in the Liquidity Pair contract.- Once the
_lpTokenNuke()function is called, the nuke amount is burned or transferred from the Uniswap Pair contract to the _nukeRecipient address if one is set.- Users can wager a percentage of their $SMOL token balance in order to win a reward amount as well as gain exemption from elevated taxes on their next transaction; the reward amount is dependent on the coin flip win rate.
- The wager amount must be between the minimum coin flip percentage and 100% of their balance and is transferred to the contract address.
- Once a user submits a wager amount, Chainlink is used to calculate a verifiable random number in order to determine if the user has won the wager.
- On wins, users are transferred their initial wager amount and minted the reward amount while the wager amount is burned from the contract on losses.
- The owner may transfer ownership at any time
- The owner can add or remove addresses from the blacklist at any time.
- The owner can manually burn up to 20% of the liquidity pool balance at any time.
- The owner can manually reward the user with the biggest token purchase at any time.
- The owner can set the LP and buyer taxes to any values up to a combined 25%.
- The owner can set the sell tax multiplier to any value as long as it doesn't cause the total tax amount to exceed 49%.
- The owner can set the minimum coin flip percentage to any value up to 100% at any time.
- The owner can set the coin flip win rate to any value up to 100% at any time.
- The owner can manually settle any user coin flip wager at any time.
- The owner can set the Treasury address to any value at any time.
- The owner can set the Liquify rate to any value up to 10% at any time.
- The owner can exclude any address from taxes at any time.
- The owner can toggle taxes at any time.
- The owner can toggle the swap functionality at any time.
- The owner can set the nuke percent rate to any value up to 100% at any time.
- The owner can toggle the LP nuke functionality at any time.
- The owner can set the _nukeRecipient address at any time.
- The owner can set the biggest buyer reward rate to any value at any time.
- The owner can set the _vrfSubscriptionId to any value at any time.
- The owner can set the _vrfCallBackGasLimit to any amount at any time.
- The owner can withdraw all ETH from the contract at any time.
- As the contract is deployed with Solidity v0.8.x, it is protected from overflow/underflow attacks.
- The contract complies with the ERC-20 token standard.
Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Jump/Storage Write | N/A | PASS |
| Centralization of Control |
| WARNING |
| Compiler Issues | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Ether/Token Theft | N/A | PASS |
| Flash Loans | N/A | PASS |
| Front Running | N/A | PASS |
| Improper Events | N/A | PASS |
| Improper Authorization Scheme | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Oracle Issues | N/A | PASS |
| Outdated Compiler Version | N/A | PASS |
| Race Conditions | N/A | PASS |
| Reentrancy | The _checkAndPayBiggestBuyer() function does not follow Checks-Effects-Interactions standards. The team should restructure the logic to avoid reentrancy issues. | WARNING |
| Signature Issues | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unused Code | N/A | PASS |
| Overall Contract Safety | PASS |
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
+ [Int] LinkTokenInterface
- [Ext] allowance
- [Ext] approve #
- [Ext] balanceOf
- [Ext] decimals
- [Ext] decreaseApproval #
- [Ext] increaseApproval #
- [Ext] name
- [Ext] symbol
- [Ext] totalSupply
- [Ext] transfer #
- [Ext] transferAndCall #
- [Ext] transferFrom #
+ [Int] VRFCoordinatorV2Interface
- [Ext] getRequestConfig
- [Ext] requestRandomWords #
- [Ext] createSubscription #
- [Ext] getSubscription
- [Ext] requestSubscriptionOwnerTransfer #
- [Ext] acceptSubscriptionOwnerTransfer #
- [Ext] addConsumer #
- [Ext] removeConsumer #
- [Ext] cancelSubscription #
+ VRFConsumerBaseV2
- [Pub] #
- [Int] fulfillRandomWords #
- [Ext] rawFulfillRandomWords #
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IERC20Metadata (IERC20)
- [Ext] name
- [Ext] symbol
- [Ext] decimals
+ Context
- [Int] _msgSender
- [Int] _msgData
+ ERC20 (Context, IERC20, IERC20Metadata)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _spendAllowance #
- [Int] _beforeTokenTransfer #
- [Int] _afterTokenTransfer #
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ [Int] IUniswapV2Factory
- [Ext] feeTo
- [Ext] feeToSetter
- [Ext] getPair
- [Ext] allPairs
- [Ext] allPairsLength
- [Ext] createPair #
- [Ext] setFeeTo #
- [Ext] setFeeToSetter #
+ [Int] IUniswapV2Pair
- [Ext] name
- [Ext] symbol
- [Ext] decimals
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] allowance
- [Ext] approve #
- [Ext] transfer #
- [Ext] transferFrom #
- [Ext] DOMAIN_SEPARATOR
- [Ext] PERMIT_TYPEHASH
- [Ext] nonces
- [Ext] permit #
- [Ext] MINIMUM_LIQUIDITY
- [Ext] factory
- [Ext] token0
- [Ext] token1
- [Ext] getReserves
- [Ext] price0CumulativeLast
- [Ext] price1CumulativeLast
- [Ext] kLast
- [Ext] mint #
- [Ext] burn #
- [Ext] swap #
- [Ext] skim #
- [Ext] sync #
- [Ext] initialize #
+ [Int] IUniswapV2Router01
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] removeLiquidity #
- [Ext] removeLiquidityETH #
- [Ext] removeLiquidityWithPermit #
- [Ext] removeLiquidityETHWithPermit #
- [Ext] swapExactTokensForTokens #
- [Ext] swapTokensForExactTokens #
- [Ext] swapExactETHForTokens ($)
- [Ext] swapTokensForExactETH #
- [Ext] swapExactTokensForETH #
- [Ext] swapETHForExactTokens ($)
- [Ext] quote
- [Ext] getAmountOut
- [Ext] getAmountIn
- [Ext] getAmountsOut
- [Ext] getAmountsIn
+ [Int] IUniswapV2Router02 (IUniswapV2Router01)
- [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
- [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
- [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
- [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
- [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
+ SmoltingInu (ERC20, Ownable, VRFConsumerBaseV2)
- [Pub] #
- modifiers: ERC20,VRFConsumerBaseV2
- [Ext] launch ($)
- modifiers: onlyOwner
- [Ext] flipCoin #
- [Int] fulfillRandomWords #
- [Ext] manualFulfillRandomWords #
- modifiers: onlyOwner
- [Prv] _settleCoinFlip #
- [Int] _transfer #
- [Prv] _maxTx
- [Prv] _swap #
- modifiers: swapLock
- [Prv] _addLp #
- [Prv] _processFees #
- [Prv] _lpTokenNuke #
- [Prv] _checkAndPayBiggestBuyer #
- [Ext] nukeLpTokenFromBuildup #
- [Ext] manualNukeLpTokens #
- modifiers: onlyOwner
- [Ext] payBiggestBuyer #
- modifiers: onlyOwner
- [Pub] getHour
- [Ext] isBotBlacklisted
- [Ext] blacklistBot #
- modifiers: onlyOwner
- [Ext] forgiveBot #
- modifiers: onlyOwner
- [Prv] _setTotalTax #
- [Ext] setTaxLp #
- modifiers: onlyOwner
- [Ext] setTaxBuyer #
- modifiers: onlyOwner
- [Ext] setSellTaxUnwageredMultiplier #
- modifiers: onlyOwner
- [Ext] setCoinFlipMinBalancePerc #
- modifiers: onlyOwner
- [Ext] setCoinFlipWinPercentage #
- modifiers: onlyOwner
- [Ext] setTreasury #
- modifiers: onlyOwner
- [Ext] setLiquifyRate #
- modifiers: onlyOwner
- [Ext] setIsTaxExcluded #
- modifiers: onlyOwner
- [Ext] setTaxesOff #
- modifiers: onlyOwner
- [Ext] setSwapEnabled #
- modifiers: onlyOwner
- [Ext] setNukePercentPerSell #
- modifiers: onlyOwner
- [Ext] setLpNukeEnabled #
- modifiers: onlyOwner
- [Ext] setBiggestBuyRewardPercentage #
- modifiers: onlyOwner
- [Ext] setNukeRecipient #
- modifiers: onlyOwner
- [Ext] setVrfSubscriptionId #
- modifiers: onlyOwner
- [Ext] setVrfCallbackGasLimit #
- modifiers: onlyOwner
- [Ext] withdrawETH #
- modifiers: onlyOwner
- [Ext] ($) About SourceHat
SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!
Contact us today to get a free quote for a smart contract audit of your project!
What is a SourceHat Audit?
Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.
How Do I Interpret the Findings?
Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:
- High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
- Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
- Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
- Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.