CakeMonster - Smart Contract Audit Report

Summary

CakeMonster is a new token with a unique mechanism featuring a transaction tax and forced sells of inactive users.

For this audit, we analyzed CakeMonster's token smart contract, provided to us by their team.

Notes on the Contract:
  • The initial supply of the token is 10 billion.
  • No mint functions are readily accessible, though minting occurs during some of the protocol logic.
  • Only an internal burn function exists, meaning no one can burn their own tokens directly.
  • There is a fee charged on transfers of the token.
  • 2.5% of each transfer will be allocated towards the project's temporary Reserve Vault. Funds in the reserve vault will partially be used by the protocol to add liquidity.
  • Another 2.5% of each transfer will be burned, reducing the total supply.

  • Any user can initiate a forcedSell on a target user's address if they have not moved their tokens in 50 days. Whitelisted users cannot be a target.
  • Callers of the forcedSell function will be rewarded with some tokens as a stipend for gas fees incurred and for helping manage the protocol.
  • A forced sell results in the sale of the target user's tokens for BNB, then burning the number of tokens sold from the LP; essentially extracting some BNB from the pool.
  • Any user can call the manageReserve() function, which tells the Reserve to add 10% of its balance to liquidity via selling half for BNB and adding. The function also tells the Reserve to purchase and store the Reserve asset. The caller of the function is added to a waiting list in order to mitigate abuse/spam. When cleared from the list, that user is allowed to call the manageReserve function again.

  • Once the total supply drops below 1 million tokens, two years have passed, or no management activity has happened in 124 days, anyone can call finish(), which removes liquidity added by the Reserve, burns the resulting CakeMonster tokens, and disallows trading.
  • After finish() has been called, users who hold tokens can call claim() to receive a proportional amount of the asset stored in the Reserve and a proportional amount of the new supply.
  • 35 days after finish() is called, anyone can call bigReset() which resets all values and mints the initial total supply of 10 billion to the reserve.

  • The owner has the ability to whitelist addresses, allowing them to call the forcedSell function, and to create a snapshot of the state of the contract.
  • Utilization of SafeMath to prevent overflows.
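
As an added illustration (not CakeMonster's contract code and not part of the audit), the fee split and the time and supply gates listed above can be written as a small Python reference model for checking test expectations against the described behaviour. The class name, second-based timestamps, whole-token amounts, floor rounding, inclusive thresholds and the restart of timers at reset are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400
INITIAL_SUPPLY = 10_000_000_000   # page: initial supply of 10 billion
FEE_BPS = 250                     # page: 2.5% to the Reserve and 2.5% burned
INACTIVITY = 50 * DAY             # page: forcedSell after 50 days without movement
FINISH_SUPPLY = 1_000_000         # page: total supply below 1 million
FINISH_AGE = 2 * 365 * DAY        # page: two years (365-day years assumed)
FINISH_IDLE = 124 * DAY           # page: no management activity in 124 days
RESET_DELAY = 35 * DAY            # page: bigReset() 35 days after finish()

@dataclass
class CycleModel:  # hypothetical name; times in seconds, amounts in whole tokens
    start: int = 0
    supply: int = INITIAL_SUPPLY
    last_manage: int = 0
    finished_at: Optional[int] = None
    whitelist: set = field(default_factory=set)
    last_activity: dict = field(default_factory=dict)

    def split_transfer(self, amount):
        """Return (received, to_reserve, burned); floor rounding is assumed."""
        fee = amount * FEE_BPS // 10_000
        self.supply -= fee                      # the burned 2.5% leaves total supply
        return amount - 2 * fee, fee, fee

    def can_forced_sell(self, target, now):
        if target in self.whitelist:            # whitelisted users cannot be a target
            return False
        return now - self.last_activity.get(target, self.start) >= INACTIVITY

    def can_finish(self, now):
        if self.finished_at is not None:
            return False
        return (self.supply < FINISH_SUPPLY
                or now - self.start >= FINISH_AGE
                or now - self.last_manage >= FINISH_IDLE)

    def finish(self, now):
        if not self.can_finish(now):
            raise PermissionError("finish() conditions not met")
        self.finished_at = now

    def big_reset(self, now):
        if self.finished_at is None or now - self.finished_at < RESET_DELAY:
            raise PermissionError("bigReset() not allowed yet")
        self.start = self.last_manage = now     # assumed: timers restart at reset
        self.supply, self.finished_at = INITIAL_SUPPLY, None
        self.last_activity.clear()
```
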

Audit Findings Summary
  • No security issues from external attackers were identified.
  • As with any presale, ensure trust in the team prior to investing.
  • Date: May 27th, 2021

External Threat Results

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |

ERC20 Token Graph

Multi-file Token


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public
 
 + [Int] ISwapRouter 
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    - [Ext] WETH
    - [Ext] getAmountsOut

 + [Int] ISwapFactory 
    - [Ext] getPair

 + [Int] ISwapPair 
    - [Ext] sync #

 + [Int] ICakeMonsterReserve 
    - [Ext] buyReserveAsset #
    - [Ext] addLiquidity #
    - [Ext] resetLiquidity #
    - [Ext] removeLiquidity #
    - [Ext] transferAsset #

 +  CakeMonster (ERC20SnapshotUpgradeableCustom, OwnableUpgradeable)
    - [Ext] initialize #
       - modifiers: initializer
    - [Pub] setWhitelist #
       - modifiers: onlyOwner
    - [Ext] createSnapshot #
       - modifiers: onlyOwner
    - [Ext] resetLastActivity #
    - [Pub] transfer #
    - [Pub] transferFrom #
    - [Ext] forcedSell #
    - [Ext] manageReserve #
    - [Ext] finish #
    - [Ext] claim #
    - [Ext] claimInterim #
    - [Ext] bigReset #
    - [Prv] _transferHelper #
    - [Prv] _isWhitelisted
    - [Prv] _isLP
    - [Prv] _getLP
    - [Prv] _isInReserveManagersList
    - [Prv] _addReserveManager #
    - [Prv] _pct
    - [Prv] _swapToEth #
    - [Prv] _getEthOutputAmount
    - [Prv] _sync #