Block Ape Scissors - Smart Contract Audit Report

Summary

BAS Audit Report Block Ape Scissors ($BAS) is a new token contract on the Binance Smart Chain that contains the functionality of frictionless fee redistribution and an innovative design for allocating fees.

We audited Block Ape Scissors's token contract at 0x8ddeec6b677c7c552c9f3563b99e4ff90b862ebc on the Binance Smart Chain mainnet, and the team's vesting contract that was provided to us.

Notes on the BAS Token Contract:
  • The total supply of the token is initially set to one hundred million [100,000,000] $BAS.
  • There are not any mint or burn functions present, although any of the fee addresses can be set to the burn address to act as a deflationary mechanism.
  • At the time of writing, the owner of the contract is in posession of 35% of the total $BAS supply that the team claims will be used for marketing.
  • 10.60% of the total supply is in the PancakeSwap V2 Liquidity Pool.
  • 98.68% of that liquidity is in an unverified contract.
  • There are 110 various vesting contracts that were created from a "private sale" that each contain anywhere from 0.01%-0.75% of the total token supply.
  • The largest $BAS holder that is a non-contract address holds about 0.41% of the total supply.
  • 0.23% of the total supply has been burned.

  • There is a 'Holder Fee', 'Marketing Fee' 'Liquidity Fee', “Operations Fee”, “Buyback Fee”, “Prize Pool Fee”, ”Bounties Fee”, and “DAO Treasury Fee” on all transactions for any "non-excluded" address that participates in a transfer. The owner has the ability to modify these fees to any percentage ranging from 0% to 10% at any time. The total fees incurred on any transfer cannot exceed 10%.
  • The owner can update the "Fee Allocations" to change the fee distribution for all 8 fees listed above.
  • The liquidity fee does not automatically provide liquidity, but rather goes to an address of the team's choosing.
  • The "Holder Fee" is redistributed to existing token holders instantly and automatically at the time of each transaction.
  • The owner of the contract can exclude and include accounts from transfer fees and reward distribution.
  • Ownership has not been renounced.
  • Some functions could have been declared external instead of public to save some gas.
  • The contract utilizes SafeMath libraries to prevent overflows along with following the BEP20 standard.

  • Notes on the Vesting Contract:
  • This contract is used for vesting tokens to individual addresses.
  • Upon deployment, the team will set the vesting unlock date for the tokens, and the address of the token to be used.
  • Also upon deployment, the team will set the owner of the contract, who will later be able to claim the enclosed tokens.
  • The team must manually send the tokens to be held in the contract to the contract after deployment.
  • After the timestamp set upon deployment has passed, the owner of the contract will be able to claim all of the tokens held by the contract.
  • Once the contract is deployed and the tokens are sent to the contract by the team, the team has no control over the contract or the tokens in it.
  • The changeOwner() and withdraw() functions should be declared external instead of public to save some execution cost on each call.
  • SafeMath is utilized to prevent overflow issues.
Audit Findings Summary
  • No security threats were identified.
  • Given that the owner holds more $BAS than the liquidity, this is considered an unhealthy token allocation.
  • We recommend that the team renounces ownership to prevent the fee structure from being changed.
  • Please ensure trust in the team prior to investing as they have substantial control within the ecosystem.
  • Date: June 28th, 2021
  • Updated: July 13th, 2021 to add the vesting.sol contract

Vulnerability Category Notes Result
Arbitrary Storage Write N/A PASS
Arbitrary Jump N/A PASS
Delegate Call to Untrusted Contract N/A PASS
Dependence on Predictable Variables N/A PASS
Deprecated Opcodes N/A PASS
Ether Thief N/A PASS
Exceptions N/A PASS
External Calls N/A PASS
Flash Loans N/A PASS
Integer Over/Underflow N/A PASS
Multiple Sends N/A PASS
Oracles N/A PASS
Suicide N/A PASS
State Change External Calls N/A PASS
Unchecked Retval N/A PASS
User Supplied Assertion N/A PASS
Critical Solidity Compiler N/A PASS
Overall Contract Safety   PASS

Details: BAS Contract


BEP20 Token Graph

Multi-file Token

												
($) = payable function
 # = non-constant function

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Prv] _verifyCallResult

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 +  BAS (Context, IERC20, Ownable)
    - [Pub]  #
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals
    - [Ext] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Ext] isExcludedFromRewards
    - [Ext] isExcludedFromFees
    - [Ext] totalFees
    - [Ext] totalHolderFees
    - [Ext] totalMarketingFees
    - [Ext] totalLpFees
    - [Ext] totalBuybackFees
    - [Ext] totalOperationsFees
    - [Ext] totalPrizePoolFees
    - [Ext] totalDaoTreasuryFees
    - [Ext] totalBountiesFees
    - [Pub] distribute #
    - [Pub] excludeFromFees #
       - modifiers: onlyOwner
    - [Pub] includeInFees #
       - modifiers: onlyOwner
    - [Pub] excludeFromRewards #
       - modifiers: onlyOwner
    - [Pub] includeInRewards #
       - modifiers: onlyOwner
    - [Prv] _approve #
    - [Prv] _transfer #
    - [Prv] _transferWithRewards #
    - [Prv] _transferWithRecipientRewards #
    - [Prv] _transferWithoutSenderRewards #
    - [Prv] _transferWithoutRewards #
    - [Prv] _updateHolderFee #
    - [Prv] _updateMarketingFee #
    - [Prv] _updateLpFee #
    - [Prv] _updateOperationsFee #
    - [Prv] _updateBuybackFee #
    - [Prv] _updatePrizePoolFee #
    - [Prv] _updateBountiesFee #
    - [Prv] _updateDaoTreasuryFee #
    - [Pub] rewardsFromToken
    - [Pub] tokenWithRewards
    - [Prv] _getValues
    - [Prv] _getActualValues
    - [Prv] _getRewardValues
    - [Prv] _getRewardsRate
    - [Prv] _getCurrentSupply
    - [Prv] _getFee
    - [Prv] _getHolderFee
    - [Prv] _getMarketingFee
    - [Prv] _getLpFee
    - [Prv] _getOperationsFee
    - [Prv] _getPrizePoolFee
    - [Prv] _getBountiesFee
    - [Prv] _getBuybackFee
    - [Prv] _getDaoTreasuryFee
    - [Ext] setTaxPercentage #
       - modifiers: onlyOwner
    - [Ext] setTaxAllocations #
       - modifiers: onlyOwner
    - [Ext] setMultiSigTaxAllocations #
       - modifiers: onlyOwner
    - [Ext] setMarketingAddress #
       - modifiers: onlyOwner
    - [Ext] setLpStakingAddress #
       - modifiers: onlyOwner
    - [Ext] setOperationsMultiSigAddress #
       - modifiers: onlyOwner
    - [Ext] setBuybackMultiSigAddress #
       - modifiers: onlyOwner
    - [Ext] setPrizePoolMultiSigAddress #
       - modifiers: onlyOwner
    - [Ext] setBountiesMultiSigAddress #
       - modifiers: onlyOwner
    - [Ext] setDaoTreasuryMultiSigAddress #
       - modifiers: onlyOwner
	   

Details: BAS Contract


BEP20 Token Graph

Multi-file Token

												
($) = payable function
 # = non-constant function
 
+ [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 +  VestingContract 
    - [Pub]  #
    - [Pub] changeOwner #
    - [Pub] withdraw #