Amor - Smart Contract Audit Report
Summary
AmorSwap is building a new yield farming platform on Binance.
We reviewed Amor's MasterChef staking contract at 0x7858A180a6AAc32a2d5009d6F438393f92ba4A8d on the Binance Smart Chain mainnet.
We previously reviewed the project's original $EROS token contract here. This audit covers the staking contract that is intended to be used for the $EROS and $AMOR Tokens.
Notes on the $AMOR Token Contract:
- The initial total supply of the $AMOR token is set to 180,000 $AMOR.
- No burn functions are accessible for holders other than the contract address itself; though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.
- The owner has the ability to assign and remove addresses to a Minter role.
- The assigned Minter(s) can mint tokens to any destination address at any time.
- There is a burn fee, a buyback fee, and a marketing fee on all transactions for any non-excluded address that participates in a transfer.
- The tokens collected through the burn fee and the buyback fee are used to fund the buyback functionality, which once a threshold value is met, is swapped for BNB and is stored in the contract address. Once a BNB buyback threshold is met, the BNB is used to buy tokens which are subsequently burned.
- The tokens collected through the marketing fee are stored in the contract and, once a threshold value is met, swapped for BNB and is sent to the team's marketing wallet. The Operator can update the marketing wallet to any address at any time.
- The owner has the ability to assign and remove addresses to an Operator role.
- The Operator of the contract can exclude and include accounts from all transfer fees.
- The threshold value for the burn, buyback, and marketing fees can be set by the Operator to any amount at any time.
- The contract features an Anti-Whale mechanism in which the Operator can impose a transaction limit for specified addresses. The transaction limit can be set to any value between 0.5% and 5% of the circulating supply.
- The Operator can enable/disable the AntiWhale functionality.
- The Operator can change the LP token address to any address at any time.
- The $AMOR token smart contract utilizes logic from an external "referral" contract that was not reviewed by our team as part of this audit.
- Ownership has not been renounced.
- The contract utilizes SafeMath libraries along with following the BEP20 standard.
Notes on the $AMOR Staking Contract:- There is a fee associated with making deposits and withdraws to/from the contract. These fees are set by the owner when creating pools, and they can be modified at any time by using the set function. This fee is sent directly to a wallet controlled by the team. The deposit fee is capped at 10%, while the withdraw fee is capped at 5%.
- Users can stake various tokens into the contract in order to earn $AMOR Token rewards.
- On initialization, owner is able to specify the rewards rate, and the start blocks of the staking period.
- On both deposits and withdrawals, user's rewards will be calculated and stored within the staking contract address.
- On withdrawals, the user will receive the desired amount of tokens; this amount cannot be more than the amount the user has deposited.
- Users have the potential to benefit by referring other addresses to stake their tokens with the AMOR Staking contract. Upon deployment, there is a 3% referral benefit from deposits of new users, however the owner has the ability to update this value at any time.
- The owner can set the allocation points for any existing pool at any time.
- Users will receive a reward amount proportional to the allocation percentage assigned to the pool on each block; staking rewards can be calculated and transferred to the user at any time as long as the harvest cooldown has elapsed.
- An emergencyWithdraw function exists so users can withdraw without collecting rewards if desired.
- The owner has the ability to create a cooldown time that will prevent users from harvesting rewards within a certain amount of time for any given pool. The owner can update this cooldown time to a maximum of 15 days between claims.
- The owner of the MasterChef contract can assign a different owner to the token contract at any time.
- Utilization of SafeMath (or similarily safe functions) across all contracts to prevent overflows.
- The team must be careful not to add the same token twice, and must exercise caution when adding tokens to avoid fee-on-transfer (unless the proper exemptions are made), and ERC777-compliant tokens.
Audit Findings Summary
- No external threats were identified.
- Please ensure trust in the team as they have substantial control in the ecosystem.
- We recommend the team renounces ownership.
- Date: September 20th, 2021
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
Amor MasterChef Contract - Details
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IReferral
- [Ext] addReferrer #
- [Ext] addRewards #
- [Ext] getRewards
- [Ext] getReferrer
- [Ext] getReferralsCount
+ OwnerRole
- [Pub] #
- [Ext] transferOwnership #
- modifiers: onlyOwner
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
- [Int] min
- [Int] sqrt
+ [Int] IUniswapV2Router01
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] removeLiquidity #
- [Ext] removeLiquidityETH #
- [Ext] removeLiquidityWithPermit #
- [Ext] removeLiquidityETHWithPermit #
- [Ext] swapExactTokensForTokens #
- [Ext] swapTokensForExactTokens #
- [Ext] swapExactETHForTokens ($)
- [Ext] swapTokensForExactETH #
- [Ext] swapExactTokensForETH #
- [Ext] swapETHForExactTokens ($)
- [Ext] quote
- [Ext] getAmountOut
- [Ext] getAmountIn
- [Ext] getAmountsOut
- [Ext] getAmountsIn
+ [Int] IUniswapV2Router02 (IUniswapV2Router01)
- [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
- [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
- [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
- [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
- [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
+ [Int] IUniswapV2Factory
- [Ext] feeTo
- [Ext] feeToSetter
- [Ext] getPair
- [Ext] allPairs
- [Ext] allPairsLength
- [Ext] createPair #
- [Ext] setFeeTo #
- [Ext] setFeeToSetter #
+ MinterRole
- [Pub] #
- [Ext] isMinter
- [Pub] addMinter #
- [Pub] removeMinter #
+ OperatorRole
- [Pub] #
- [Ext] isOperator
- [Pub] addOperator #
- [Pub] removeOperator #
+ BEP20e (OwnerRole, MinterRole, OperatorRole)
- [Pub] #
- [Pub] balanceOf
- [Ext] allowance
- [Ext] mint #
- modifiers: onlyMinter
- [Ext] burn #
- [Ext] approve #
- [Ext] addBuybackBalance #
- [Ext] transfer #
- [Ext] transferFrom #
- [Ext] increaseAllowance #
- [Ext] decreaseAllowance #
- [Pub] calcFee
- [Pub] totalSupplyWithoutDeadBalance
- [Pub] maxAntiWhaleTxAmount
- [Pub] buyback #
- modifiers: onlyOperator
- [Pub] swapMarketing #
- modifiers: onlyOperator
- [Pub] swapBuyback #
- modifiers: onlyOperator
- [Ext] setMarketingAddress #
- modifiers: onlyOperator
- [Ext] setMarketingSwapEnabled #
- modifiers: onlyOperator
- [Ext] setMinMarketingSwapAmount #
- modifiers: onlyOperator
- [Ext] setMaxMarketingSwapAmount #
- modifiers: onlyOperator
- [Ext] setSwapEnabled #
- modifiers: onlyOperator
- [Ext] setMinSwapAmount #
- modifiers: onlyOperator
- [Ext] setMaxSwapAmount #
- modifiers: onlyOperator
- [Ext] setBuybackEnabled #
- modifiers: onlyOperator
- [Ext] setMinBalanceRequired #
- modifiers: onlyOperator
- [Ext] setMinBuybackSellAmount #
- modifiers: onlyOperator
- [Ext] setMaxBuybackAmount #
- modifiers: onlyOperator
- [Pub] isLpToken
- [Ext] setLpToken #
- modifiers: onlyOperator
- [Pub] isExcludedFromFee
- [Pub] setExcludedFromFee #
- modifiers: onlyOperator
- [Pub] isExcludedFromAntiWhale
- [Pub] setExcludedFromAntiWhale #
- modifiers: onlyOperator
- [Ext] setAntiWhaleTxAmountRate #
- modifiers: onlyOperator
- [Ext] setAntiWhaleEnabled #
- modifiers: onlyOperator
- [Pub] addMinter #
- modifiers: onlyOwner
- [Pub] removeMinter #
- modifiers: onlyOwner
- [Pub] addOperator #
- modifiers: onlyOwner
- [Pub] removeOperator #
- modifiers: onlyOwner
- [Ext] setReferral #
- modifiers: onlyOwner
- [Ext] ($)
- [Int] _buyback #
- [Int] _swapMarketing #
- [Int] _swapBuyback #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _transfer #
- [Int] _transferAmount #
- [Int] _swapTokensForEth #
- modifiers: lockTheSwap
- [Int] _swapETHForTokens #
- modifiers: lockTheSwap
+ AmorMasterChef (OwnerRole)
- [Pub] #
- [Ext] poolLength
- [Pub] getMultiplier
- [Pub] calcFee
- [Pub] massUpdatePools #
- [Pub] updatePool #
- [Ext] pending
- [Pub] canHarvest
- [Int] _send #
- [Int] harvest #
- [Ext] deposit #
- [Ext] withdraw #
- [Ext] emergencyWithdraw #
- [Int] tokenBalanceOf
- [Int] safeTokenTransfer #
- [Pub] add #
- modifiers: onlyOwner
- [Ext] set #
- modifiers: onlyOwner
- [Ext] setReferralRate #
- modifiers: onlyOwner
- [Ext] setBonusMultiplier #
- modifiers: onlyOwner
- [Ext] updateMarketingAddress #
- modifiers: onlyOwner
- [Ext] updateTokensPerBlock #
- modifiers: onlyOwner
- [Ext] setReferral #
- modifiers: onlyOwner