Colligo - Smart Contract Audit Report

Audit Summary

Colligo ($COTK) is a new BEP-20 token with automatic liquidity adds that allows users to stake their tokens and earn rewards in BNB.

We reviewed the Colligo and COLLIGODividendTracker contracts at commit 734ddf4aae40ff50c5aba9c9d8c3e5179eab2a53 on the team's private GitHub repository.

Audit Findings

Please ensure trust in the team, as they have substantial control in the ecosystem and 100% of the total supply will be minted to them upon initialization.
Date: January 25th, 2022.

Finding #1 - Colligo - Informational

Description: Several functions are declared public, but are never called internally:
createPairAndAddLiquidity, updateDividendTracker, updateUniswapV2Router, excludeMultipleAccountsFromFees, setAutomatedMarketMakerPair, updateGasForProcessing, isExcludedFromFees, withdrawableDividendOf, dividendTokenBalanceOf
Recommendation: We recommend declaring these functions external for additional gas savings on each call.

Finding #2 - Colligo - Informational

Description: Although the SafeMath library is utilized, the contract is implemented with Solidity v0.8.x which has built-in overflow checks.
Recommendation: SafeMath could be safely removed to reduce contract size and deployment costs.

Contracts Overview

Colligo Contract:
  • The total supply of the token will be set upon initialization and minted to the owner.
  • No mint or burn functions are present, though the circulating supply can be reduced by sending tokens to the 0x..dead address if desired.
  • There was no token allocation for our team to analyze as the contract has yet to be deployed to the mainnet.

  • There is a tax fee on all transfers via Pancakeswap (given that the transferring address is not excluded from fees). Fees are increased by 1% when selling to Pancakeswap.
  • The fees charged on transfers are stored in the contract and once the threshold number of tokens (determined by the owner) is met, a swap will occur for the purpose of funding Pancakeswap liquidity, dividend rewards, and team wallets.
  • Liquidity-adds are funded by selling a portion of the tokens collected as fees (after the threshold value of tokens is met), then pairing the received BNB with the token, and adding it as liquidity to the BNB pair.
  • The LP tokens received through this process are sent to the 0x00 address.
  • The tokens collected from the Marketing Fee, Artist fee, and Dev fee are swapped for BNB and sent to the team's Marketing wallet, Artist wallet, and Dev wallet respectively.
  • If dividends are enabled in the contract, the remaining tokens are swapped for BNB and are used to fund rewards for stakers in the COLLIGODividendTracker contract.
  • The claim cycle is immediately executed on the DividendTracker, processing rewards for all eligible stakers.
  • Users can use this contract to manually claim accumulated rewards from the DividendTracker, and can also kick off the claim cycle for all eligible stakers.
  • The contract is upgradable, meaning the team can swap out the current contract for a new one at any time.
  • The contract is implemented with Solidity v0.8.x, so it is protected from overflows/underflows, and it follows the BEP-20 standard.

COLLIGODividendTracker Contract:
  • Users can stake $COTK tokens into this contract and earn rewards in BNB.
  • Users must deposit at least the minimum amount set by the team in order to earn rewards; initially, the minimum is 50,000 tokens.
  • There is a wait-time (determined by the owner) between claiming rewards.
  • If a user has any pending rewards due to them, they will be automatically claimed at the time of staking.
  • Users can unstake their tokens and collect the rewards that are due to them.
  • A withdraw fee will be charged if the number of days since the user last staked does not exceed the minimum number of staking days set by the team. The fee percentage is calculated by deducting the number of days since the user last staked from the minimum staking days set by the team.
  • The tokens collected from the withdraw fee are sent to the owner, which is the Colligo token contract.
  • The remaining tokens are sent to the user's wallet address.
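The withdraw-fee rule described in the list above, written as an added Solidity example that is not taken from the Colligo source. The contract, function and variable names are hypothetical, and the 100-day bound is an assumption of this example; it uses external visibility and Solidity 0.8.x checked arithmetic without SafeMath, as Findings #1 and #2 recommend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the Colligo source. All names here are hypothetical.
contract WithdrawFeeExample {
    address public immutable owner;
    uint256 public minStakingDays;

    constructor(uint256 minDays) {
        owner = msg.sender;
        _setMinStakingDays(minDays);
    }

    // external, not public: never called from inside the contract (Finding #1).
    function setMinStakingDays(uint256 minDays) external {
        require(msg.sender == owner, "not owner");
        _setMinStakingDays(minDays);
    }

    // Bound chosen for this example so the percentage cannot exceed 100;
    // the report does not state what limits the audited contract applies.
    function _setMinStakingDays(uint256 minDays) private {
        require(minDays <= 100, "fee would exceed 100%");
        minStakingDays = minDays;
    }

    // Returns the fee (sent to the owner) and the payout (sent to the user)
    // for unstaking `amount` tokens that were staked at `stakedAt`.
    function quoteUnstake(uint256 amount, uint256 stakedAt)
        external
        view
        returns (uint256 fee, uint256 payout)
    {
        // Plain operators: 0.8.x reverts on overflow/underflow without
        // SafeMath (Finding #2), e.g. if stakedAt lies in the future.
        uint256 daysStaked = (block.timestamp - stakedAt) / 1 days;

        // Fee applies while daysStaked does not exceed the minimum.
        if (daysStaked <= minStakingDays) {
            uint256 feePercent = minStakingDays - daysStaked;
            fee = (amount * feePercent) / 100;
        }
        payout = amount - fee;
    }
}
```

With a constructed minimum of 30 staking days, unstaking 10 days after staking yields a 20% fee, and from day 30 onward the fee is zero.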
Ownership Controls:
  • The owner can set the Rewards fee, Liquidity fee, Artist fee, Dev fee, and Marketing fee to any percentages at any time.
  • The owner can exclude any address from transfer fees and dividends at any time.
  • The owner can update the threshold number of tokens that triggers the token swapping functionality to any value at any time.
  • The owner can add any address to a blacklist which will prevent them from being able to participate in transfers.
  • The owner can update the minimum number of tokens a user must hold to be eligible for rewards to any value at any time.
  • The owner can update the maximum amount of gas used for processing to a value between 200,000 and 500,000 at any time.
  • The owner can update the amount of time a user must wait between claiming dividends to a value between 1 and 24 hours (in seconds).
  • The owner can manually add liquidity to the Pancakeswap Pair address at any time.
  • The owner can update the team's Marketing wallet, Artist wallet, and Dev wallet to any addresses at any time.
  • The owner can update the Dividend Tracker, Automated Market Maker Pair, and Pancakeswap Router addresses at any time.

External Threat Results

Vulnerability Category | Notes | Result
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Centralization of Control | The owner can set each fee percentage up to 100%; the owner can blacklist any account from being able to participate in transfers; the owner can swap out the contract for a new one at any time. | WARNING
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | PASS
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Flash Loans | N/A | PASS
Integer Over/Underflow | N/A | PASS
Logical Issues | N/A | PASS
Multiple Sends | N/A | PASS
Oracles | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS

Function Graph

[Figure: BEP20 Token Graph]

Inheritance Chart

[Figure: Multi-file Token]

Functions Overview

    ($) = payable function
     # = non-constant function
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Prv] _functionCallWithValue #
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     + [Int] IUniswapV2Router01 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] removeLiquidity #
        - [Ext] removeLiquidityETH #
        - [Ext] removeLiquidityWithPermit #
        - [Ext] removeLiquidityETHWithPermit #
        - [Ext] swapExactTokensForTokens #
        - [Ext] swapTokensForExactTokens #
        - [Ext] swapExactETHForTokens ($)
        - [Ext] swapTokensForExactETH #
        - [Ext] swapExactTokensForETH #
        - [Ext] swapETHForExactTokens ($)
        - [Ext] quote
        - [Ext] getAmountOut
        - [Ext] getAmountIn
        - [Ext] getAmountsOut
        - [Ext] getAmountsIn
    
     + [Int] IUniswapV2Router02 (IUniswapV2Router01)
        - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
        - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     + [Int] IUniswapV2Pair 
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Ext] DOMAIN_SEPARATOR
        - [Ext] PERMIT_TYPEHASH
        - [Ext] nonces
        - [Ext] permit #
        - [Ext] MINIMUM_LIQUIDITY
        - [Ext] factory
        - [Ext] token0
        - [Ext] token1
        - [Ext] getReserves
        - [Ext] price0CumulativeLast
        - [Ext] price1CumulativeLast
        - [Ext] kLast
        - [Ext] mint #
        - [Ext] burn #
        - [Ext] swap #
        - [Ext] skim #
        - [Ext] sync #
        - [Ext] initialize #
    
     + [Int] IUniswapV2Factory 
        - [Ext] feeTo
        - [Ext] feeToSetter
        - [Ext] getPair
        - [Ext] allPairs
        - [Ext] allPairsLength
        - [Ext] createPair #
        - [Ext] setFeeTo #
        - [Ext] setFeeToSetter #
    
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     +  Ownable (Context)
        - [Pub]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Int] IERC20Metadata (IERC20)
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
    
     +  ERC20 (Context, IERC20, IERC20Metadata)
        - [Pub]  #
        - [Pub] name
        - [Pub] symbol
        - [Pub] decimals
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Pub] transfer #
        - [Pub] allowance
        - [Pub] approve #
        - [Pub] transferFrom #
        - [Pub] increaseAllowance #
        - [Pub] decreaseAllowance #
        - [Int] _transfer #
        - [Int] _mint #
        - [Int] _burn #
        - [Int] _approve #
        - [Int] _beforeTokenTransfer #
        - [Int] _afterTokenTransfer #
    
     + [Int] DividendPayingTokenInterface 
        - [Ext] dividendOf
        - [Ext] withdrawDividend #
    
     + [Int] DividendPayingTokenOptionalInterface 
        - [Ext] withdrawableDividendOf
        - [Ext] withdrawnDividendOf
        - [Ext] accumulativeDividendOf
    
     + [Lib] SafeMathUint 
        - [Int] toInt256Safe
    
     + [Lib] SafeMathInt 
        - [Int] mul
        - [Int] div
        - [Int] sub
        - [Int] add
        - [Int] abs
        - [Int] toUint256Safe
    
     +  DividendPayingToken (ERC20, DividendPayingTokenInterface, DividendPayingTokenOptionalInterface)
        - [Ext]  ($)
        - [Pub] distributeDividends ($)
        - [Pub] withdrawDividend #
        - [Int] _withdrawDividendOfUser #
        - [Pub] dividendOf
        - [Pub] withdrawableDividendOf
        - [Pub] withdrawnDividendOf
        - [Pub] accumulativeDividendOf
        - [Int] _transfer #
        - [Int] _mint #
        - [Int] _burn #
        - [Int] _setBalance #
    
     + [Lib] IterableMapping 
        - [Pub] get
        - [Pub] getIndexOfKey
        - [Pub] getKeyAtIndex
        - [Pub] size
        - [Pub] set #
        - [Pub] remove #
    
     + [Int] ICOLLIGO 
        - [Ext] transferStakeTokens #
    
     +  COLLIGODividendTracker (Ownable, DividendPayingToken)
        - [Pub]  #
           - modifiers: ERC20
        - [Int] _transfer #
        - [Pub] withdrawDividend #
        - [Ext] excludeFromDividends #
           - modifiers: onlyOwner
        - [Ext] updateClaimWait #
           - modifiers: onlyOwner
        - [Ext] getLastProcessedIndex
        - [Ext] getNumberOfTokenHolders
        - [Ext] getTotalDistributedDividends
        - [Pub] getAccount
        - [Pub] getAccountAtIndex
        - [Prv] canAutoClaim
        - [Int] setBalance #
        - [Pub] process #
        - [Ext] processAccountEx #
           - modifiers: onlyOwner
        - [Int] processAccount #
        - [Ext] setStakeParameters #
           - modifiers: onlyOwner
        - [Pub] stakeTokens #
        - [Pub] stakingDays
        - [Int] _unStakeTokens #
        - [Pub] unStakeTokens #
        - [Pub] unstakeIfExpired #
    
     + [Lib] AddressUpgradeable 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Int] functionStaticCall
        - [Int] functionStaticCall
        - [Int] verifyCallResult
    
     +  Initializable 
        - [Prv] _isConstructor
    
     +  ContextUpgradeable (Initializable)
        - [Int] __Context_init #
           - modifiers: onlyInitializing
        - [Int] __Context_init_unchained #
           - modifiers: onlyInitializing
        - [Int] _msgSender
        - [Int] _msgData
    
     +  OwnableUpgradeable (Initializable, ContextUpgradeable)
        - [Int] __Ownable_init #
           - modifiers: onlyInitializing
        - [Int] __Ownable_init_unchained #
           - modifiers: onlyInitializing
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     + [Int] IERC20Upgradeable 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Int] IERC20MetadataUpgradeable (IERC20Upgradeable)
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
    
     +  ERC20Upgradeable (Initializable, ContextUpgradeable, IERC20Upgradeable, IERC20MetadataUpgradeable)
        - [Int] __ERC20_init #
           - modifiers: onlyInitializing
        - [Int] __ERC20_init_unchained #
           - modifiers: onlyInitializing
        - [Pub] name
        - [Pub] symbol
        - [Pub] decimals
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Pub] transfer #
        - [Pub] allowance
        - [Pub] approve #
        - [Pub] transferFrom #
        - [Pub] increaseAllowance #
        - [Pub] decreaseAllowance #
        - [Int] _transfer #
        - [Int] _mint #
        - [Int] _burn #
        - [Int] _approve #
        - [Int] _beforeTokenTransfer #
        - [Int] _afterTokenTransfer #
    
     +  Colligo (ERC20Upgradeable, OwnableUpgradeable)
        - [Ext] initialize #
           - modifiers: initializer
        - [Ext]  ($)
        - [Pub] createPairAndAddLiquidity ($)
           - modifiers: onlyOwner
        - [Pub] updateDividendTracker #
           - modifiers: onlyOwner
        - [Pub] updateUniswapV2Router #
           - modifiers: onlyOwner
        - [Ext] updateSwapAmount #
           - modifiers: onlyOwner
        - [Pub] excludeFromFees #
           - modifiers: onlyOwner
        - [Pub] excludeMultipleAccountsFromFees #
           - modifiers: onlyOwner
        - [Ext] setWallets #
           - modifiers: onlyOwner
        - [Ext] setFees #
           - modifiers: onlyOwner
        - [Pub] setAutomatedMarketMakerPair #
           - modifiers: onlyOwner
        - [Ext] blacklistAddress #
           - modifiers: onlyOwner
        - [Prv] _setAutomatedMarketMakerPair #
        - [Pub] updateGasForProcessing #
           - modifiers: onlyOwner
        - [Ext] updateClaimWait #
           - modifiers: onlyOwner
        - [Ext] getClaimWait
        - [Pub] isExcludedFromFees
        - [Pub] withdrawableDividendOf
        - [Pub] dividendTokenBalanceOf
        - [Ext] excludeFromDividends #
           - modifiers: onlyOwner
        - [Ext] updateStakeParameters #
           - modifiers: onlyOwner
        - [Ext] getAccountDividendsInfo
        - [Ext] getAccountDividendsInfoAtIndex
        - [Ext] processDividendTracker #
        - [Ext] claim #
        - [Ext] getLastProcessedIndex
        - [Ext] getNumberOfDividendTokenHolders
        - [Int] _transfer #
        - [Prv] swapAndSendToFee #
        - [Prv] swapAndLiquify #
        - [Prv] swapTokensForEth #
        - [Prv] addLiquidity #
        - [Prv] swapAndSendDividends #
        - [Ext] transferStakeTokens #
        - [Ext] setStakeParameters #
           - modifiers: onlyOwner
        - [Ext] setDividendsEnabled #
           - modifiers: onlyOwner
        - [Ext] setFeeOnBuys #
           - modifiers: onlyOwner