Aurum - Smart Contract Audit Report

Summary

Aurum ($AUR) is a token on the Binance Smart Chain that provides automatic liquidity adds and pays eligible holders dividends in BNB or an alternative BEP-20 Token of their choosing.

We audited Aurum's token contract using code that was provided to us by the team, as the contract is not yet deployed to the Binance Smart Chain mainnet.

Overview of the Contract:
  • The total supply of the token is set to 1 billion [1,000,000,000] $AUR.
  • No mint or burn functions are present, though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.

  • There is a "Rewards Fee", "Liquidity Fee", "Operations Fee", "Team Fee", and "Buyback Fee" on all transfers (given that the transferring address is not excluded from fees). The owner has the ability to update the fee allocation to each at any time; however, the sum of the fees must be less than or equal to 20%. This is the case when buying or transferring to another holder.
  • When a holder sells tokens (transfers $AUR to the exchange), the fees that are charged on the transaction are increased by a factor ranging from 0% to 50%. For example, if total fees are set to 10%, and the sell factor is set to 20%, then the total fees (when selling) become 12%. The owner has the ability to update the sell penalty within this range at any time.
  • The fees that are charged on transactions are stored in the contract balance and once a threshold value of $AUR (determined by the owner) is met, the tokens are swapped for BNB and used for automatic liquidity additions.
  • The owner has the ability to pause/unpause the "Swap Tokens" functionality at any time. When swapping is paused, dividend payments cannot be added until swapping is unpaused.
  • The BNB that is received from this swap is allocated proportionally to the fee percentages. For example, if the "Team Fee" + "Operations Fee" = 4%, and the total fees are 10%, then 40% of the BNB that is received will be sent to the team wallets.
  • The portion of BNB collected from the "Rewards Fee" is applied toward funding the dividend rewards for those who are eligible.
  • The portion of BNB collected from the "Operations Fee" and "Team Fee" is sent directly to the "Operations" and "Team" wallets which are controlled by the team.
  • The portion of BNB (and tokens) collected from the "Liquidity Fee" is used to automatically provide liquidity.
  • Liquidity-adds are automatically done by selling half of the tokens collected as liquidity fees, pairing the received BNB with the token, and adding it as liquidity to the pair. The LP tokens received through this process are sent to the "Liquidity Wallet" which is controlled by the team. We recommend locking or burning these LP Tokens.
  • The portion of BNB collected from the "Buyback Fee" will remain in the contract address until the owner manually calls the Buyback and Burn function, which enables the owner to use any BNB in the contract address to buy $AUR tokens from the exchange which are subsequently sent to the 0x...Dead address.
  • The contract includes an airdrop feature, which allows the owner to send tokens to specified addresses for a desired amount, any time after deployment.

  • A user must hold 100 $AUR tokens to be eligible for dividends. However, the owner may update this value at any time.
  • Users have the option to specify any whitelisted BEP-20 token that they wish to be used when receiving their dividends. The default is set to BNB and the user can revert to BNB at any time.
  • Once dividends are distributed, they will need to be claimed; claiming happens automatically on each transfer.
  • Dividend rewards can also be claimed manually by kicking off the claim cycle, which will process for all eligible token holders.
  • Alternatively, a user can manually claim dividends as an individual.
  • There is a wait-time of 3600 seconds (1 hour) between claiming dividend rewards.
  • Claimed dividends are sent to the user's wallet address.
  • The contract has features that allow the current holders to purchase additional $AUR by using BNB that they have accumulated as dividend rewards, without being charged any fees for the transaction.

  • We worked with the Aurum Finance team to optimize their contract for gas efficiency.
  • The contract utilizes the SafeMath library to prevent overflows and follows the BEP20 standard.
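
The fee rules listed in this overview can be modelled to see the range of outcomes the owner's settings allow, including the highest sell fee reachable within the stated bounds. The following is an added example, not the Aurum contract's code; the function names, the basis-point representation and the handling of rounding dust are assumptions.

```python
# Added model of the fee rules described in this report; not the Aurum contract code.
# Names and the basis-point (1/100 of a percent) representation are assumptions.
BPS = 10_000
MAX_TOTAL_FEE_BPS = 2000     # report: sum of the fees must be <= 20%
MAX_SELL_FACTOR_BPS = 5000   # report: sell factor ranges from 0% to 50%

def validate(fees_bps, sell_factor_bps):
    """Reject settings outside the bounds the report describes."""
    if any(v < 0 for v in fees_bps.values()):
        raise ValueError("negative fee")
    if sum(fees_bps.values()) > MAX_TOTAL_FEE_BPS:
        raise ValueError("total fees exceed 20%")
    if not 0 <= sell_factor_bps <= MAX_SELL_FACTOR_BPS:
        raise ValueError("sell factor outside 0-50%")

def effective_fee_bps(fees_bps, sell_factor_bps, is_sell):
    """Total fee on a transfer; on sells it is increased by the sell factor."""
    validate(fees_bps, sell_factor_bps)
    total = sum(fees_bps.values())
    if is_sell:
        total += total * sell_factor_bps // BPS
    return total

def split_bnb(fees_bps, bnb_wei):
    """Allocate swapped BNB in proportion to each fee's share of the total."""
    total = sum(fees_bps.values())
    if total == 0:
        return {name: 0 for name in fees_bps}
    shares = {name: bnb_wei * bps // total for name, bps in fees_bps.items()}
    # Integer division leaves dust; assigning it to "rewards" is an assumption.
    shares["rewards"] += bnb_wei - sum(shares.values())
    return shares

def worst_case_sell_fee_bps():
    """Highest sell fee the owner can configure within the stated bounds."""
    fees = {"rewards": MAX_TOTAL_FEE_BPS}
    return effective_fee_bps(fees, MAX_SELL_FACTOR_BPS, is_sell=True)
```

With both owner-controlled limits at their maximum, a sell is charged 30% in this model, which is the figure to compare against the values actually configured after deployment.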

Ownership Controls:
  • Ownership has not been renounced.
  • The owner is able to update the fee percentages at any time.
  • The owner is able to exclude any address from fees at any time.
  • The owner is able to exclude/include any address from dividends at any time.
  • The owner is able to enable/disable the "Swap Tokens" functionality at any time.
  • The owner is able to update the minimum threshold of tokens that must be in the contract address in order to activate the "Swap Tokens" functionality at any time.
  • The owner is able to update the minimum required amount of tokens to be eligible to receive dividends at any time.
  • The owner is able to update the Dividend Tracker and UniswapV2Router contract addresses at any time.
  • The owner is able to update the Automated Market Maker Pair at any time.
  • The owner is able to update the Liquidity Wallet, Operations Wallet, and Team Wallet addresses at any time.
  • The owner is able to update the whitelisted AMM contract addresses for reward tokens at any time.
  • The owner is able to blacklist the addresses of specified reward tokens so they cannot be used as rewards.
  • The owner is able to add or remove dividend reward tokens at any time.
  • The owner is able to update the maximum amount of gas used for processing to a value between 200,000 and 500,000 at any time.
  • The owner is able to update the amount of time a user must wait between claiming dividends to a value between 20 minutes and 24 hours (in seconds).

Audit Findings Summary
  • No security issues from outside attackers were identified during our analysis.
  • We recommend that the team either locks or burns the LP tokens they receive from the automatic liquidity additions.
  • Please ensure trust in the team as they have substantial control in the ecosystem.
  • Date: September 24th, 2021

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |

BEP20 Token Graph

Multi-file Token

($) = payable function
 # = non-constant function

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20Metadata (IERC20)
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals

 + [Int] DividendPayingTokenOptionalInterface 
    - [Ext] withdrawableDividendOf
    - [Ext] withdrawnDividendOf
    - [Ext] accumulativeDividendOf

 + [Int] DividendPayingTokenInterface 
    - [Ext] dividendOf
    - [Ext] distributeDividends ($)
    - [Ext] withdrawDividend #

 + [Lib] SafeMathInt 
    - [Int] mul
    - [Int] div
    - [Int] sub
    - [Int] add
    - [Int] abs
    - [Int] toUint256Safe

 + [Lib] SafeMathUint 
    - [Int] toInt256Safe

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 +  ERC20 (Context, IERC20, IERC20Metadata)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _beforeTokenTransfer #

 +  DividendPayingToken (DividendPayingTokenInterface, DividendPayingTokenOptionalInterface, Ownable)
    - [Ext] updateDividendUniswapV2Router #
       - modifiers: onlyOwner
    - [Pub]  #
    - [Ext]  ($)
    - [Prv] swapETHForTokens #
    - [Ext] setBlacklistToken #
       - modifiers: onlyOwner
    - [Pub] isBlacklistedToken
    - [Ext] getBNBDividends
    - [Ext] setWhiteListAMM #
       - modifiers: onlyOwner
    - [Ext] setRewardToken #
       - modifiers: onlyOwner
    - [Ext] unsetRewardToken #
       - modifiers: onlyOwner
    - [Pub] distributeDividends ($)
    - [Ext] withdrawDividend #
    - [Int] _withdrawDividendOfUser #
    - [Ext] dividendOf
    - [Pub] withdrawableDividendOf
    - [Ext] withdrawnDividendOf
    - [Pub] accumulativeDividendOf
    - [Int] _increase #
    - [Int] _reduce #
    - [Int] _setBalance #

 + [Int] IUniswapV2Router01 
    - [Ext] factory
    - [Ext] WETH
    - [Ext] addLiquidity #
    - [Ext] addLiquidityETH ($)
    - [Ext] removeLiquidity #
    - [Ext] removeLiquidityETH #
    - [Ext] removeLiquidityWithPermit #
    - [Ext] removeLiquidityETHWithPermit #
    - [Ext] swapExactTokensForTokens #
    - [Ext] swapTokensForExactTokens #
    - [Ext] swapExactETHForTokens ($)
    - [Ext] swapTokensForExactETH #
    - [Ext] swapExactTokensForETH #
    - [Ext] swapETHForExactTokens ($)
    - [Ext] quote
    - [Ext] getAmountOut
    - [Ext] getAmountIn
    - [Ext] getAmountsOut
    - [Ext] getAmountsIn

 + [Int] IUniswapV2Router02 (IUniswapV2Router01)
    - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
    - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
    - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
    - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

 + [Int] IUniswapV2Factory 
    - [Ext] feeTo
    - [Ext] feeToSetter
    - [Ext] getPair
    - [Ext] allPairs
    - [Ext] allPairsLength
    - [Ext] createPair #
    - [Ext] setFeeTo #
    - [Ext] setFeeToSetter #

 + [Int] IUniswapV2Pair 
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transfer #
    - [Ext] transferFrom #
    - [Ext] DOMAIN_SEPARATOR
    - [Ext] PERMIT_TYPEHASH
    - [Ext] nonces
    - [Ext] permit #
    - [Ext] MINIMUM_LIQUIDITY
    - [Ext] factory
    - [Ext] token0
    - [Ext] token1
    - [Ext] getReserves
    - [Ext] price0CumulativeLast
    - [Ext] price1CumulativeLast
    - [Ext] kLast
    - [Ext] mint #
    - [Ext] burn #
    - [Ext] swap #
    - [Ext] skim #
    - [Ext] sync #
    - [Ext] initialize #

 +  AURUMFinance (ERC20, Ownable)
    - [Pub]  #
       - modifiers: ERC20
    - [Ext]  ($)
    - [Ext] setWhiteListAMM #
       - modifiers: onlyOwner
    - [Ext] enableTrading #
       - modifiers: onlyOwner
    - [Ext] updateSwapEnabled #
       - modifiers: onlyOwner
    - [Ext] updateSwapTokensAtAmount #
       - modifiers: onlyOwner
    - [Ext] updateDividendTracker #
       - modifiers: onlyOwner
    - [Ext] updateDividendTokensMinimum #
       - modifiers: onlyOwner
    - [Ext] updateUniswapV2Router #
       - modifiers: onlyOwner
    - [Ext] updateDividendUniswapV2Router #
       - modifiers: onlyOwner
    - [Pub] excludeFromFees #
       - modifiers: onlyOwner
    - [Ext] excludeMultipleAccountsFromFees #
       - modifiers: onlyOwner
    - [Ext] excludeFromDividends #
       - modifiers: onlyOwner
    - [Ext] includeInDividends #
       - modifiers: onlyOwner
    - [Ext] setAutomatedMarketMakerPair #
       - modifiers: onlyOwner
    - [Ext] airdropToWallets #
       - modifiers: onlyOwner
    - [Ext] updateLiquidityWallet #
       - modifiers: onlyOwner
    - [Ext] updateOperationsWallet #
       - modifiers: onlyOwner
    - [Ext] updateTeamWallet #
       - modifiers: onlyOwner
    - [Ext] updateFees #
       - modifiers: onlyOwner
    - [Ext] updateGasForProcessing #
       - modifiers: onlyOwner
    - [Ext] updateClaimWait #
       - modifiers: onlyOwner
    - [Ext] setBlacklistToken #
       - modifiers: onlyOwner
    - [Pub] isAMMWhitelisted
    - [Int] isContract
    - [Ext] getUserCurrentRewardToken
    - [Ext] getUserHasCustomRewardToken
    - [Ext] getRewardTokenSelectionCount
    - [Ext] getLastProcessedIndex
    - [Ext] getNumberOfDividendTokenHolders
    - [Ext] getDividendTokensMinimum
    - [Ext] getClaimWait
    - [Ext] getTotalDividendsDistributed
    - [Ext] isExcludedFromFees
    - [Ext] withdrawableDividendOf
    - [Ext] dividendTokenBalanceOf
    - [Ext] getAccountDividendsInfo
    - [Ext] getAccountDividendsInfoAtIndex
    - [Pub] getBNBDividends
    - [Ext] getBNBAvailableForHolderBuyBack
    - [Pub] isBlacklistedToken
    - [Ext] setRewardToken #
    - [Ext] setRewardTokenWithCustomAMM #
    - [Ext] unsetRewardToken #
    - [Ext] buyBackTokensWithNoFees ($)
    - [Ext] claim #
    - [Ext] processDividendTracker #
    - [Prv] _setAutomatedMarketMakerPair #
    - [Int] _transfer #
    - [Int] swapBack #
    - [Prv] swapTokensForEth #
    - [Prv] addLiquidity #
    - [Ext] buyBackTokens #
       - modifiers: onlyOwner

 + [Lib] IterableMapping 
    - [Pub] get
    - [Pub] getIndexOfKey
    - [Pub] getKeyAtIndex
    - [Pub] size
    - [Pub] set #
    - [Pub] remove #

 +  DividendTracker (DividendPayingToken)
    - [Pub]  #
       - modifiers: DividendPayingToken
    - [Ext] withdrawDividend
    - [Ext] excludeFromDividends #
       - modifiers: onlyOwner
    - [Ext] includeInDividends #
       - modifiers: onlyOwner
    - [Ext] updateDividendMinimum #
       - modifiers: onlyOwner
    - [Ext] updateClaimWait #
       - modifiers: onlyOwner
    - [Ext] getLastProcessedIndex
    - [Ext] getNumberOfTokenHolders
    - [Pub] getAccount
    - [Ext] getAccountAtIndex
    - [Prv] canAutoClaim
    - [Ext] setBalance #
       - modifiers: onlyOwner
    - [Ext] process #
    - [Pub] processAccount #
       - modifiers: onlyOwner
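
A listing in this layout can be parsed to separate the externally reachable, state-changing functions that carry a modifier from those that list none, which gives a reviewer the set of entry points to read first. The following is an added example, not part of the original report; the function names `parse_listing` and `triage` are assumptions, and the sample is a constructed excerpt in the listing's format. A function with no modifier listed may still enforce access checks inside its body, so the second list is a reading order, not a list of findings.

```python
import re

# Constructed excerpt in the same layout as the function listing above.
SAMPLE = """\
 +  AURUMFinance (ERC20, Ownable)
    - [Ext] updateFees #
       - modifiers: onlyOwner
    - [Ext] getClaimWait
    - [Ext] setRewardToken #
    - [Ext] buyBackTokensWithNoFees ($)
    - [Int] swapBack #
    - [Ext] buyBackTokens #
       - modifiers: onlyOwner

 +  DividendTracker (DividendPayingToken)
    - [Ext] process #
    - [Pub] processAccount #
       - modifiers: onlyOwner
"""

CONTRACT = re.compile(r"^\s*\+\s+(?:\[(\w+)\]\s+)?(\w+)")
FUNC = re.compile(r"^\s*-\s+\[(\w+)\]\s*(\w*)\s*(\(\$\)|#)?\s*$")
MODS = re.compile(r"^\s*-\s+modifiers:\s*(.+)$")

def parse_listing(text):
    """Return one dict per function: contract, visibility, name, mutating, modifiers."""
    funcs, contract = [], None
    for line in text.splitlines():
        if m := CONTRACT.match(line):
            contract = m.group(2)
        elif (m := MODS.match(line)) and funcs:
            # A modifiers line belongs to the function listed just before it.
            funcs[-1]["modifiers"] = [s.strip() for s in m.group(1).split(",")]
        elif m := FUNC.match(line):
            funcs.append({"contract": contract, "visibility": m.group(1),
                          "name": m.group(2) or "<unnamed>",
                          # "#" (non-constant) and "($)" (payable) both change state.
                          "mutating": m.group(3) is not None, "modifiers": []})
    return funcs

def triage(funcs):
    """Split externally callable, state-changing functions by listed modifiers."""
    reachable = [f for f in funcs if f["visibility"] in ("Ext", "Pub") and f["mutating"]]
    gated = [f"{f['contract']}.{f['name']}" for f in reachable if f["modifiers"]]
    ungated = [f"{f['contract']}.{f['name']}" for f in reachable if not f["modifiers"]]
    return gated, ungated
```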