Baby Lambo Inu - Smart Contract Audit Report

Audit Summary

Baby Lambo Inu ($BLINU) is a new BEP-20 token that features automatic liquidity adds and pays holders dividends in BUSD.

We reviewed the BabyLamboInu and DividendDistributor contracts at 0x41F831c60c7051CffA756ab5F9fEE81a670ECde0 on the Binance Smart Chain mainnet.

Audit Findings

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: February 11th, 2022.

Finding #1 - BabyLamboInu - Informational

Description: Several functions are declared public, but are never called internally.
tradingStatus, cooldownEnabled, enable_blacklist, manage_blacklist
Recommendation: We recommend declaring these functions external for additional gas savings on each call.

Finding #2 - BabyLamboInu - Informational

Description: Several state variables can never be modified, but are not declared constant.
DEAD, WBNB, ZERO, _totalSupply
Recommendation: These state variables should be declared constant for additional gas savings on each call.

Contracts Overview

  • The total supply of the token is set to 600 million $BLINU [600,000,000].
  • No mint or burn functions are present, though the circulating supply can be reduced by sending tokens to the 0x..dead address if desired.
  • At the time of writing this report, 13% of the total supply belongs to the 0x..dead address.
  • 10.99% of the total supply is in Pancakeswap liquidity.
  • Of that liquidity, 99.63% of the LP tokens belong to an unverified contract.
  • The next five holders own a cumulative 7.43% of the total supply.

  • There is a Reflection fee, Liquidity Fee, Marketing Fee, Ecosystem Fee, and Burn fee, on all transfers where neither the sender nor the recipient is excluded from fees.
  • The fees charged on transfers are stored in the contract and once the threshold number of tokens (determined by the owner) is met, a swap will occur for the purpose of funding Pancakeswap liquidity.
  • Liquidity-adds are funded by selling a portion of the tokens collected as fees (after the threshold value of tokens is met), then pairing the received BNB with the token, and adding it as liquidity to the BNB pair.
  • The LP tokens received through this process are sent to the team's Liquidity wallet. We recommend that the team lock these newly acquired LP tokens.
  • The tokens collected from the Marketing Fee and Ecosystem Fee are swapped for BNB and sent to the team's Marketing Wallet and Ecosystem Wallet respectively.
  • The tokens collected from the Reflection Fee are swapped for BNB and sent to the DividendDistributor contract where they are swapped for BSC-USD and distributed as rewards.
  • The tokens collected from the Burn fee are sent to the Burn Fee Receiver address set by the team. This address is currently set to the 0x..dead address but can be updated by the team at any time.
  • The contract includes functionality to interact with an external antibot contract. This antibot contract was out of scope for the purpose of this audit.
  • The contract features a cooldown mechanism that prevents a user from buying tokens from Pancakeswap if the cooldown time (set by the team) since their last buy has not yet elapsed.
  • The contract uses the SafeMath library to prevent overflows and follows the BEP-20 standard.

  • Any user that holds any amount of $BLINU tokens is eligible to claim dividends once the amount of dividends they are due reaches a minimum threshold value determined by the team.
  • Once dividends are distributed, they will need to be claimed; claiming happens automatically on each transfer.
  • Dividend rewards can also be claimed manually by kicking off the claim cycle, which will process all eligible token holders.
  • Alternatively, a user can manually claim dividends as an individual.
  • There is a wait-time (set by the team) between claiming dividend rewards.
  • Claimed dividends are sent to the user's wallet address.

Ownership Controls:
  • The owner can assign addresses to an Authorized role which can be used to maintain control over various role-restricted functions within the contract.
  • The owner can enable or disable trading at any time. This will prevent all transfers unless the sender or recipient is an Authorized address.
  • The owner can enable/disable the use of a blacklist, as well as add/remove addresses from it at any time. Addresses that are added to the blacklist will not be able to participate in transfers.
  • The owner can update the cooldown period to any value at any time.
  • The owner can set and update a maximum wallet amount that will prevent transfers from occurring if the recipient's token balance will exceed the value set by the team.
  • The owner can set and update a maximum transaction amount at any time, which will impose a limit to the number of tokens that can be transferred during any given transaction.
  • The owner can update the sell multiplier value, which increases fees on selling transactions, to any value at any time.
  • The owner can airdrop $BLINU tokens to up to 800 accounts at any time.

  • Authorized addresses can set each fee percentage to any value at any time as long as the combined total of the fee percentages does not exceed 50%.
  • Authorized addresses can withdraw any BNB or BEP-20 tokens from the contract address at any time.
  • Authorized addresses can exclude accounts from fees, cooldowns, and the maximum transaction amount at any time.
  • Authorized addresses can exclude accounts from dividends at any time.
  • Authorized addresses can update the threshold number of tokens that triggers the automatic swapping functionality to any value at any time.
  • Authorized addresses can disable the automatic swapping functionality at any time.
  • Authorized addresses can update the Ecosystem, Marketing, Liquidity, and Burn wallets to any addresses at any time.
  • Authorized addresses can update the maximum amount of gas used for processing to any value up to 750,000 at any time.
  • Authorized addresses can update the amount of time that must elapse between claiming dividends to any amount of time. Authorized addresses can also update the minimum rewards payout that a holder must have in order to be able to claim.
  • Authorized addresses can transfer any BNB that is held in the contract address balance to their own wallet or the team's Marketing wallet at any time.
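
The sell multiplier and the 50% fee limit listed above interact: a limit on the base fee does not bound the fee charged on sells unless the multiplied value is checked as well. The following Solidity contract is an added example, not the audited BabyLamboInu source. Only the names set_sell_multiplier and setFees come from this report; the fee formula, the base of 100, the MAX_SELL_FEE value, the single-argument setFees and the use of onlyOwner on it are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited BabyLamboInu source. The fee formula, the
// base of 100 and MAX_SELL_FEE are assumptions made for illustration.
contract SellFeeCapExample {
    uint256 public constant MULTIPLIER_BASE = 100;  // 100 = 1.00x (assumed)
    uint256 public constant MAX_TOTAL_FEE = 50;     // 50% limit the report describes
    uint256 public constant MAX_SELL_FEE = 50;      // hypothetical cap on sells

    address public immutable owner;
    uint256 public totalFee = 10;                   // percent, constructed value
    uint256 public sellMultiplier = MULTIPLIER_BASE;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // Effective sell fee in percent after the multiplier is applied.
    function effectiveSellFee(uint256 fee, uint256 multiplier) public pure returns (uint256) {
        return (fee * multiplier) / MULTIPLIER_BASE;
    }

    // Pattern the report warns about: any multiplier is accepted, so a 10%
    // fee with multiplier 1000 already yields a 100% fee on sells.
    function set_sell_multiplier_unbounded(uint256 multiplier) external onlyOwner {
        sellMultiplier = multiplier;
    }

    // Bounded form: the multiplied fee is checked against the cap.
    function set_sell_multiplier(uint256 multiplier) external onlyOwner {
        require(multiplier >= MULTIPLIER_BASE, "multiplier below 1x");
        require(effectiveSellFee(totalFee, multiplier) <= MAX_SELL_FEE, "sell fee above cap");
        sellMultiplier = multiplier;
    }

    // The fee setter re-checks the same bound; otherwise raising totalFee
    // after the multiplier is set would bypass the cap.
    function setFees(uint256 newTotalFee) external onlyOwner {
        require(newTotalFee <= MAX_TOTAL_FEE, "total fee above 50%");
        require(effectiveSellFee(newTotalFee, sellMultiplier) <= MAX_SELL_FEE, "sell fee above cap");
        totalFee = newTotalFee;
    }
}
```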

External Threat Results

Vulnerability Category | Notes | Result
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Centralization of Control | (notes listed below) | WARNING
  • The LP tokens generated from automatic liquidity adds are sent to the team's Liquidity wallet.
  • The owner can set total fee percentages when buying up to 50%, and total fee percentages when selling up to 100% (by use of the unrestricted sell multiplier).
  • The owner can blacklist any account from being able to participate in transfers.
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | PASS
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Flash Loans | N/A | PASS
Integer Over/Underflow | N/A | PASS
Logical Issues | N/A | PASS
Multiple Sends | N/A | PASS
Oracles | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS

Function Graph

[Figure: BEP20 Token Graph]

Inheritance Chart

[Figure: Multi-file Token]

Functions Overview

    ($) = payable function
     # = non-constant function
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
    
     + [Int] IBEP20 
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     +  Auth 
        - [Pub]  #
        - [Pub] authorize #
           - modifiers: onlyOwner
        - [Pub] unauthorize #
           - modifiers: onlyOwner
        - [Pub] isOwner
        - [Pub] isAuthorized
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
    
     + [Int] IDEXFactory 
        - [Ext] createPair #
    
     + [Int] IDEXRouter 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     + [Int] IDividendDistributor 
        - [Ext] setDistributionCriteria #
        - [Ext] setShare #
        - [Ext] deposit ($)
        - [Ext] process #
    
     +  DividendDistributor (IDividendDistributor)
        - [Pub]  #
        - [Ext] setDistributionCriteria #
           - modifiers: onlyToken
        - [Ext] setShare #
           - modifiers: onlyToken
        - [Ext] deposit ($)
           - modifiers: onlyToken
        - [Ext] process #
           - modifiers: onlyToken
        - [Int] shouldDistribute
        - [Int] distributeDividend #
        - [Ext] claimDividend #
        - [Pub] getUnpaidEarnings
        - [Int] getCumulativeDividends
        - [Int] addShareholder #
        - [Int] removeShareholder #
    
     +  BPContract 
        - [Ext] protect #
    
     +  BabyLamboInu (IBEP20, Auth)
        - [Pub]  #
           - modifiers: Auth
        - [Ext]  ($)
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Pub] balanceOf
        - [Ext] allowance
        - [Pub] approve #
        - [Ext] approveMax #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Ext] setMaxWalletPercent_base1000 #
           - modifiers: onlyOwner
        - [Ext] setMaxTxPercent_base1000 #
           - modifiers: onlyOwner
        - [Ext] setTxLimit #
           - modifiers: authorized
        - [Int] _transferFrom #
        - [Int] _basicTransfer #
        - [Int] checkTxLimit
        - [Int] shouldTakeFee
        - [Int] takeFee #
        - [Int] shouldSwapBack
        - [Ext] clearStuckBalance #
           - modifiers: authorized
        - [Ext] clearStuckBalance_sender #
           - modifiers: authorized
        - [Ext] set_sell_multiplier #
           - modifiers: onlyOwner
        - [Pub] tradingStatus #
           - modifiers: onlyOwner
        - [Pub] cooldownEnabled #
           - modifiers: onlyOwner
        - [Int] swapBack #
           - modifiers: swapping
        - [Ext] setIsDividendExempt #
           - modifiers: authorized
        - [Pub] enable_blacklist #
           - modifiers: onlyOwner
        - [Pub] manage_blacklist #
           - modifiers: onlyOwner
        - [Ext] setIsFeeExempt #
           - modifiers: authorized
        - [Ext] setIsTxLimitExempt #
           - modifiers: authorized
        - [Ext] setIsTimelockExempt #
           - modifiers: authorized
        - [Ext] setFees #
           - modifiers: authorized
        - [Ext] setFeeReceivers #
           - modifiers: authorized
        - [Ext] setSwapBackSettings #
           - modifiers: authorized
        - [Ext] setTargetLiquidity #
           - modifiers: authorized
        - [Ext] setDistributionCriteria #
           - modifiers: authorized
        - [Ext] setDistributorSettings #
           - modifiers: authorized
        - [Pub] getCirculatingSupply
        - [Pub] getLiquidityBacking
        - [Pub] isOverLiquified
        - [Ext] multiTransfer #
           - modifiers: onlyOwner
        - [Ext] multiTransfer_fixed #
           - modifiers: onlyOwner
        - [Ext] setBPAddress #
           - modifiers: onlyOwner
        - [Ext] setBpEnabled #
           - modifiers: onlyOwner
        - [Ext] setBotProtectionDisableForever #
           - modifiers: onlyOwner