Devour Token - Smart Contract Audit Report
Audit Summary
Devour Token ($RESTAURANTS) is a new ERC-20 token on Ethereum that features automatic liquidity adds and pays out static rewards to holders.
We reviewed the DevourToken contract at 0xDffC63f92c939deB112D88735ade3B4D21B6D491 on the Ethereum mainnet.
Audit Findings
Date: February 4th, 2022.
Finding #1 - DevourToken - Low
Description: In the _transfer() function, the maxSellAmount is enforced when buying (rather than selling) from Uniswap, despite already enforcing the maxBuyAmount earlier in the function when buying from Uniswap.if ( from != owner() && to != owner() && to != address(0) && to != address(0xdead) && from == pair ) { require( amount <= maxSellAmount, "Amount is exceeding maxSellAmount" ); }
Risk/Impact: Users can sell any amount of tokens to Uniswap at any time.
Recommendation: The if-statement above should be modified to enforce the maxSellAmount when selling to the pair address.Finding #2 - DevourToken - Informational
Description: Several functions are declared public, but are never called internally.Recommendation: We recommend declaring these functions external for additional gas savings on each call.name, symbol, decimals, totalSupply, transfer, allowance, approve, transferFrom, increaseAllowance, decreaseAllowance, isExcludedFromReward, deliver, reflectionFromToken, excludeFromReward, excludeFromFee, includeInFee, isExcludedFromFeeFinding #3 - DevourToken - Informational
Description: Although the SafeMath library is utilized, the contract is deployed with Solidity v0.8.0 which has built-in overflow checks.
Recommendation: SafeMath could be safely removed to reduce contract size and deployment costs.
Contracts Overview
Ownership Controls:
- The total supply of the token is set to 1 quadrillion $RESTAURANTS [1,000,000,000,000,000].
- No mint or burn functions are present; though the circulating supply can be reduced by sending tokens to the 0x..dead address if desired.
- At the time of writing this report, 44.54% of the total supply has been sent to the 0x..dead address.
- 2.26% of the total supply is in Uniswap liquidity.
- Of that liquidity, 96.86% of the LP tokens are stored in a UniCrypt token locking contract and will fully vest to the team on December 31st, 2022.
- The next five holders own a cumulative 10.09% of the total supply.
- There is a 3% RFI fee, 1% Liquidity fee, 4% Operations fee, and 2% Burn fee on all transfers where neither the sender nor the recipient is excluded from fees.
- The tokens collected from the RFI fee are removed from the circulating supply; This serves as a frictionless fee redistribution which automatically benefits all token holders at the time of each transaction.
- The tokens collected from the Liquidity fee during transfers are stored in the contract address balance. Once the threshold number of 5 trillion tokens is met, a swap will occur for the purpose of funding Uniswap liquidity.
- Liquidity-adds are funded by selling a portion of the tokens collected as fees (after the threshold number of tokens is met), then pairing the received ETH with the token, and adding it as liquidity to the ETH pair.
- The recipient of the newly created LP tokens is the 0x00 address.
- The tokens collected from the Operations fee are swapped for ETH and sent to the team's Operations wallet.
- The tokens collected from the Burn fee are sent to the 0x..dead address.
- A maximum buy amount of 20 trillion tokens is enforced on all buying transactions via Uniswap.
- A maximum wallet amount is enforced on all buying transactions via Uniswap which ensures that the recipient's token balance does not exceed 20 trillion tokens after the transfer takes place.
- As the contract is deployed with Solidity v0.8.0, it is protected from overflows/underflows.
- The contract complies with the ERC-20 token standard.
- Ownership has been renounced.
- The owner was previously able to exclude and include accounts from transfer fees and reward distribution.
- The owner was previously able to update the maximum wallet amount to any amount at any time.
- The owner was previously able to enable/disable automatic liquidity adds at any time.
- The owner was previously able to withdraw any ETH or tokens from the contract address at any time.
- The owner was previously able to update the Uniswap Router address at any time.
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Centralization of Control | Ownership has been renounced. | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
Function Graph
Inheritance Chart
Functions Overview
($) = payable function
# = non-constant function
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Prv] _verifyCallResult
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Prv] _setOwner #
+ [Int] IFactory
- [Ext] createPair #
- [Ext] getPair
+ [Int] IRouter
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidityETH ($)
- [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
- [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
+ DevourToken (Context, IERC20, Ownable)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Pub] isExcludedFromReward
- [Pub] deliver #
- [Pub] reflectionFromToken
- [Ext] startTrading #
- modifiers: onlyOwner
- [Pub] tokenFromReflection
- [Pub] excludeFromReward #
- modifiers: onlyOwner
- [Ext] includeInReward #
- modifiers: onlyOwner
- [Pub] excludeFromFee #
- modifiers: onlyOwner
- [Pub] includeInFee #
- modifiers: onlyOwner
- [Pub] isExcludedFromFee
- [Ext] setMaxWalletPercent #
- modifiers: onlyOwner
- [Prv] _reflectRfi #
- [Prv] _takeOperations #
- [Prv] _takeLiquidity #
- [Prv] _takeBurn #
- [Prv] _getValues
- [Prv] _getTValues
- [Prv] _getRValues
- [Prv] _getRate
- [Prv] _getCurrentSupply
- [Prv] _approve #
- [Prv] _transfer #
- [Prv] _tokenTransfer #
- [Prv] swapETHForTokens #
- [Prv] swapAndLiquify #
- modifiers: lockTheSwap
- [Prv] addLiquidity #
- [Prv] swapTokensForETH #
- [Ext] updateSwapEnabled #
- modifiers: onlyOwner
- [Ext] rescueLock #
- modifiers: onlyOwner
- [Ext] rescueETH #
- modifiers: onlyOwner
- [Ext] rescueERC20Tokens #
- modifiers: onlyOwner
- [Ext] setRouterAddress #
- modifiers: onlyOwner
- [Ext] ($)