Gagarin

Smart Contract Audit Report

Audit Summary

Gagarin Audit Report Gagarin is building multiple new token contracts, a staking contract, and an IDO platform.

For this audit, we reviewed the Admin, ALP, BaseALP, GGR, PoolMaster, ProjectToken, Root, and Stable contracts provided to us by the project team.

Audit Findings

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: April 26th, 2022.

Contracts Overview

GGR Contract:
  • The initial total supply of the $GGR token is 100 million [100,000,000].
  • Initially, 100% of the total supply will be held by the owner.
  • There is no mint function so there is no way for the team to increase the total supply after the initial amount.
  • There is no burn function, but the tokens can be sent to the 0x..dead address to reduce the circulating supply at any time.
  • As the contract is implemented using Solidity v0.8.x, it is safe from any possible overflow/underflow attacks.
  • The contract complies with the ERC-20 token standard.
ProjectToken Contract:
  • The initial total supply of the $PJT token is 50 billion [50,000,000,000].
  • Initially, 100% of the total supply will be held by the owner.
  • There is no mint function so there is no way for the team to increase the total supply after the initial amount.
  • There is no burn function, but the tokens can be sent to the 0x..dead address to reduce the circulating supply at any time.
  • As the contract is implemented using Solidity v0.8.x, it is safe from any possible overflow/underflow attacks.
  • The contract complies with the ERC-20 token standard.
Stable Contract:
  • The initial total supply of the $STB token is 50 billion [50,000,000,000].
  • Initially, 100% of the total supply will be held by the owner.
  • There is no mint function so there is no way for the team to increase the total supply after the initial amount.
  • There is no burn function, but the tokens can be sent to the 0x..dead address to reduce the circulating supply at any time.
  • As the contract is implemented using Solidity v0.8.x, it is safe from any possible overflow/underflow attacks.
  • The contract complies with the ERC-20 token standard.
ALP Contract:
  • At the time of writing this report, there is no information available regarding the $ALP token distribution as it has not yet been deployed.
  • A mint function is present in the contract and can be utilized only by the owner to mint any amount of any token ID to specified addresses, increasing the total supply at any time.
  • A burn function is present in the contract and can be utilized only by the owner to mint any amount of any token ID to specified addresses, increasing the total supply at any time.
  • The owner address is intended to be the PoolMaster contract.
  • The owner can transfer ownership at any time.
PoolMaster Contract:
  • The contract allows users to stake a variety of assets determined by the team in order to earn rewards in the form of a team-designated reward token until the reward token supply is depleted.
  • The $GGR token is intended to be the reward token.
  • Staked tokens are locked within the staking contract until the pool's lock time has elapsed. Users are minted an amount of $ALP based on the pool's $ALP per $GGR rate.
  • On deposits and withdrawals, any pending rewards are calculated and transferred to the user unless the total reward supply has been depleted.
  • Users' rewards are dependent on their amount staked, the pool's reward per share amount, and the time since rewards were last calculated.
  • The reward per share amount is calculated using the contract's reward per block rate and the pool's allocation point percentage.
  • Each time rewards are calculated, the required amount of reward tokens are transferred from the faucet address to the contract for rewards; the faucet contract was not provided in the scope of this audit, so we are unable to provide an assessment of the contract with regards to security.
  • On withdrawals, an amount of the user's $ALP are burned equal to that of the withdrawal amount.
  • The team should not add a staking pool for the $GGR reward token itself.

  • The owner can transfer ownership at any time.
  • The owner can add and remove addresses from the Admin list at any time.
  • The owner can set the faucet address at any time.
  • Admin addresses can add new staking pools at any time; however, the team should use caution as to not add the same staking token twice.
  • Admin addresses can update pool properties at any time.
  • Admin addresses can set the reward per block to any rate at any time.
  • Admin addresses can update any pool's lock time to any duration at any time.
  • Admin addresses can disable all pools at any time; once disabled they cannot be re-enabled.
  • The team must exercise caution when setting the staking/reward token and must avoid using any fee-on-transfer or ERC-777 tokens; if a fee-on-transfer token is used as the staking token then this contract should be excluded from the staking/reward token's fee mechanism.
Root Contract:
  • This contract provides functionality for users to participate in various IDOs by providing a team-designated token as a contribution.
  • Admin addresses can add new IDO projects at any time, specifying an investing token, claim token, price, claim percentage, available supply, investors, investor contribution amounts, and claim dates.
  • While the IDO project state is active, user addresses on the project investor list can contribute specified amounts of the investing token up to the contribution amount set for the caller.
  • While the IDO project state is set to FCFS, the contribution amount must be more than 0 and below the available balance for the project.
  • User addresses not allocated a contribution amount are added as an investor with their contribution amount only claimable during the FCFS state.
  • In order for users to claim their tokens for a specific IDO, the project state must be set to the Claiming Period or Ended State, and the project must still be active.
  • The amount of the claim token transferred to the user is dependent on the amount of tokens already redeemed, the project's price, and the claiming percentage of the claim date.
  • An IDO project's claiming period may be initiated during the redeeming or FCFS state by the Admin address; all contribution tokens are then transferred to an address specified by the Admin address.
  • The owner can transfer ownership at any time.
  • The owner can withdraw all tokens from the contract at any time.
  • The owner can distribute any token type to multiple investor addresses at any time.
  • The owner can add and remove addresses from the Admin list at any time.
  • The owner can set the faucet address at any time.
  • Admin addresses can create a new project at any time.
  • Admin addresses can change project properties at any time.
  • Admin addresses may increase or decrease the available balance during an IDO project's FCFS state.
  • Admin addresses can start, pause, or continue any IDO project at any time.
  • Admin addresses can initiate all projects claiming period at any time.
  • Admin addresses can add a specified amount to the IDO's available balance at any time.
  • Admin addresses can update pool properties at any time.
  • Admin addresses can set the reward rate at any time.

Audit Results

Vulnerability CategoryNotesResult
Arbitrary Jump/Storage WriteN/APASS
Centralization of Control
  • The owner may add/remove addresses from the Admin list at any time.
  • Admin addresses may change any pool's properties and the reward per block rate to any value at any time.
  • Admin addresses may change IDO project properties at any time.
  • Admin addresses can pause IDO projects at any time.
  • Admin addresses may start the redeeming, FCFS, or claiming period at any time.
WARNING
Compiler IssuesN/APASS
Delegate Call to Untrusted ContractN/APASS
Dependence on Predictable VariablesN/APASS
Ether/Token TheftN/APASS
Flash LoansN/APASS
Front RunningN/APASS
Improper EventsN/APASS
Improper Authorization SchemeN/APASS
Integer Over/UnderflowN/APASS
Logical IssuesN/APASS
Oracle IssuesN/APASS
Outdated Compiler VersionN/APASS
Race ConditionsN/APASS
ReentrancyN/APASS
Signature IssuesN/APASS
Unbounded LoopsN/APASS
Unused CodeN/APASS
Overall Contract Safety PASS

Contract Source Summary and Visualizations

Name

Address/Source Code

Visualized
(Hover-Zoom Recommended)

GGR

Not yet deployed

Function Graph.  Inheritance Chart.

ProjectToken

Not yet deployed

Function Graph.  Inheritance Chart.

Stable

Not yet deployed

Function Graph.  Inheritance Chart.

PoolMaster

Not yet deployed

Function Graph.  Inheritance Chart.

Root

Not yet deployed

Function Graph.  Inheritance Chart.

Admin

Not yet deployed

Function Graph.  Inheritance Chart.

BaseALP

Not yet deployed

Function Graph.  Inheritance Chart.

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

Contact us today to get a free quote for a smart contract audit of your project!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

  • High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
  • Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
  • Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
  • Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.