Monster Valley Token - Smart Contract Audit Report
Monster Valley ($MONSTER) is a new game on the Binance Smart Chain that was inspired by 'Monster Story'. The team aims to bring a new experience to players by combining aspects of gamification and Blockchain with Monster Digital. For this audit report, our team did not review the entire protocol. Only the Monster Valley Token contract was provided for the purpose of this audit.
Notes on the Contract:
Audit Findings Summary
- At the time of writing this report, there is a maximum total supply of one billion $MONSTER [1,000,000,000] and there is currently a circulating supply of 465,000,000 $MONSTER.
- 89.25% of the $MONSTER supply is in possession of the owner.
- 10.72% of the $MONSTER supply is in possession of the Unicrypt Token Vesting Contract.
- Minting functionality is present in the contract beyond deployment. A specified address will be assigned the "Tokenomics" role, which will allow the project team to mint as many tokens as desired for the protocol.
- Tokens may also be minted up to a specified limit of 280 million $MONSTER by the "Evolver" role.
- Holders have the ability to burn a specified amount of their tokens if desired by using the burn function.
- At the time of writing this report, there is no information available regarding the $MONSTER token distribution, as it has not yet been offered to the public and is not deployed on the BSC Mainnet.
- There is a fee that is applied on all transfers for holders that are either buying from or selling to PancakeSwap. The owner has the ability to modify the "Buy Fee" to any percentage ranging from 0% to 5% at any time. The owner may also modify the "Sell Fee" to any percentage ranging from 0% to 10% at any time.
- The contract address will receive the value collected from these fees, and the recipient will receive the transfer amount minus the fee that was applied.
- Once a threshold value (determined by the owner) is met for the contract address' $MONSTER balance, the tokens are swapped for BNB and sent to the 'BOSS WALLET' that is controlled by the team (defaulted to the owner's wallet).
- 'Evolver' roles can use the "win" function to mint any amount of $MONSTER to any address as long as the 'play to earn' limit has not been exceeded. If the amount that is passed in exceeds the 'play to earn' limit, the excess value will be minted to the designated recipient.
- Once the play to earn limit is met, the Evolver role will not be able to use the "Win" function anymore.
- The contract features anti-bot mechanisms that will blacklist certain accounts that the owner specifies. If an account that is identified as a bot attempts to transfer an amount of $MONSTER that is greater than the limit (determined by the owner), they will be blocked from participating in transfers for 10 minutes.
- The owner has the ability to modify the threshold of tokens to swap (for BNB) to a new value at any time.
- The owner has the ability to modify the "manager" contract address at any time.
- Ownership has not been renounced.
- The team has worked with us to optimize these contracts for gas efficiency.
- The contract utilizes SafeMath libraries and follows the ERC20 standard.
- The Monster Valley Token contract is intended to interact with additional contracts which were not provided to our team; thus, that functionality is not in scope for this audit.
- No external vulnerabilities were identified within the smart contract's code.
- We recommend that the team limit their role assignments and renounce ownership.
- Please ensure trust in the team prior to investing as they have substantial control within the ecosystem (specifically minting).
- Further, ensure trust in the team prior to investing as they receive the BNB from the 'swap tokens' functionality.
- More functionality is advertised on the project's website than is currently present in the smart contracts that we audited.
- Date: August 18th, 2021
| Arbitrary Storage Write | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| State Change External Calls | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |
($) = payable function; # = non-constant function

+ ReentrancyGuard
  - [Int] #

+ [Int] IUniswapV2Factory
  - [Ext] feeTo
  - [Ext] feeToSetter
  - [Ext] getPair
  - [Ext] allPairs
  - [Ext] allPairsLength
  - [Ext] createPair #
  - [Ext] setFeeTo #
  - [Ext] setFeeToSetter #

+ [Int] IUniswapV2Pair
  - [Ext] name
  - [Ext] symbol
  - [Ext] decimals
  - [Ext] totalSupply
  - [Ext] balanceOf
  - [Ext] allowance
  - [Ext] approve #
  - [Ext] transfer #
  - [Ext] transferFrom #
  - [Ext] DOMAIN_SEPARATOR
  - [Ext] PERMIT_TYPEHASH
  - [Ext] nonces
  - [Ext] permit #
  - [Ext] MINIMUM_LIQUIDITY
  - [Ext] factory
  - [Ext] token0
  - [Ext] token1
  - [Ext] getReserves
  - [Ext] price0CumulativeLast
  - [Ext] price1CumulativeLast
  - [Ext] kLast
  - [Ext] burn #
  - [Ext] swap #
  - [Ext] skim #
  - [Ext] sync #
  - [Ext] initialize #

+ [Int] IUniswapV2Router01
  - [Ext] factory
  - [Ext] WETH
  - [Ext] addLiquidity #
  - [Ext] addLiquidityETH ($)
  - [Ext] removeLiquidity #
  - [Ext] removeLiquidityETH #
  - [Ext] removeLiquidityWithPermit #
  - [Ext] removeLiquidityETHWithPermit #
  - [Ext] swapExactTokensForTokens #
  - [Ext] swapTokensForExactTokens #
  - [Ext] swapExactETHForTokens ($)
  - [Ext] swapTokensForExactETH #
  - [Ext] swapExactTokensForETH #
  - [Ext] swapETHForExactTokens ($)
  - [Ext] quote
  - [Ext] getAmountOut
  - [Ext] getAmountIn
  - [Ext] getAmountsOut
  - [Ext] getAmountsIn

+ [Int] IUniswapV2Router02 (IUniswapV2Router01)
  - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
  - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
  - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
  - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
  - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

+ [Lib] SafeMath
  - [Int] tryAdd
  - [Int] trySub
  - [Int] tryMul
  - [Int] tryDiv
  - [Int] tryMod
  - [Int] add
  - [Int] sub
  - [Int] mul
  - [Int] div
  - [Int] mod
  - [Int] sub
  - [Int] div
  - [Int] mod

+ Context
  - [Int] _msgSender
  - [Int] _msgData

+ [Int] IERC20
  - [Ext] totalSupply
  - [Ext] balanceOf
  - [Ext] transfer #
  - [Ext] allowance
  - [Ext] approve #
  - [Ext] transferFrom #

+ ERC20 (Context, IERC20)
  - [Pub] #
  - [Pub] name
  - [Pub] symbol
  - [Pub] decimals
  - [Pub] totalSupply
  - [Pub] balanceOf
  - [Pub] transfer #
  - [Pub] allowance
  - [Pub] approve #
  - [Pub] transferFrom #
  - [Pub] increaseAllowance #
  - [Pub] decreaseAllowance #
  - [Int] _transfer #
  - [Int] _mint #
  - [Int] _burn #
  - [Int] _approve #
  - [Int] _setupDecimals #
  - [Int] _beforeTokenTransfer #

+ Ownable (Context)
  - [Int] #
  - [Pub] owner
  - [Pub] renounceOwnership #
    - modifiers: onlyOwner
  - [Pub] transferOwnership #
    - modifiers: onlyOwner

+ [Int] ManagerInterface
  - [Ext] battlefields
  - [Ext] evolvers
  - [Ext] markets
  - [Ext] farmOwners
  - [Ext] timesBattle
  - [Ext] timeLimitBattle
  - [Ext] generation
  - [Ext] xBattle
  - [Ext] priceEgg
  - [Ext] divPercent
  - [Ext] feeChangeTribe
  - [Ext] feeMarketRate
  - [Ext] loseRate
  - [Ext] feeEvolve
  - [Ext] feeUpgradeGeneration
  - [Ext] feeAddress

+ MonsterERC20 (Ownable, ERC20)
  - [Pub] #
    - modifiers: ERC20
  - [Pub] setManager #
    - modifiers: onlyOwner
  - [Pub] setTransferFeeRate #
    - modifiers: onlyOwner
  - [Pub] setMinTokensBeforeSwap #
    - modifiers: onlyOwner
  - [Ext] win #
    - modifiers: onlyEvolver

+ MonsterToken (MonsterERC20, ReentrancyGuard)
  - [Pub] #
    - modifiers: MonsterERC20
  - [Pub] burn #
  - [Ext] mintNomics #
    - modifiers: onlyTokenomics
  - [Ext] setBots #
    - modifiers: onlyOwner
  - [Int] _transfer #
  - [Pub] swapToBoss #
    - modifiers: nonReentrant
  - [Prv] swapTokensForEth #
  - [Ext] setAddressForBosses #
    - modifiers: onlyOwner
  - [Ext] antiBot #
    - modifiers: onlyOwner
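
The role-based control noted in the findings can be read directly off the function listing above. The following is an added example, not part of the audit report or the project's code: it parses a listing in this format and groups the externally callable, state-changing functions by the modifier that guards them. The function names parse_graph and privileged_surface and the "(unrestricted)" label are assumptions of this sketch, and treating nonReentrant as a non-access modifier is an assumption based on its name.

```python
import re
from collections import defaultdict
# Excerpt of the listing on this page (MonsterERC20, MonsterToken); layout-agnostic.
GRAPH = """
+ MonsterERC20 (Ownable, ERC20)
 - [Pub] setManager # - modifiers: onlyOwner
 - [Pub] setTransferFeeRate # - modifiers: onlyOwner
 - [Pub] setMinTokensBeforeSwap # - modifiers: onlyOwner
 - [Ext] win # - modifiers: onlyEvolver
+ MonsterToken (MonsterERC20, ReentrancyGuard)
 - [Pub] burn #
 - [Ext] mintNomics # - modifiers: onlyTokenomics
 - [Ext] setBots # - modifiers: onlyOwner
 - [Int] _transfer #
 - [Pub] swapToBoss # - modifiers: nonReentrant
 - [Prv] swapTokensForEth #
 - [Ext] setAddressForBosses # - modifiers: onlyOwner
 - [Ext] antiBot # - modifiers: onlyOwner
"""
ENTRY = re.compile(r"\[(Pub|Ext|Int|Prv)\]\s+(\w+)\s*(#|\(\$\))?")

def parse_graph(text):
    """Return rows of [contract, visibility, name, mutating, modifiers]."""
    flat = " " + " ".join(text.split())  # collapse to the one-line form
    rows = []
    for block in re.split(r" \+ ", flat)[1:]:  # element 0 is the legend, if any
        head, *entries = block.split(" - ")
        contract = re.sub(r"^\[\w+\]\s*", "", head).split(" (")[0].strip()
        last = None
        for entry in entries:
            if entry.startswith("modifiers:"):
                if last:  # attach to the function listed just before
                    last[4] += [m.strip() for m in entry[10:].split(",")]
                continue
            m = ENTRY.match(entry)  # unnamed entries ("[Pub] #") do not match
            last = [contract, m[1], m[2], bool(m[3]), []] if m else None
            rows += [last] if last else []
    return rows

def privileged_surface(rows, ignore=("nonReentrant",)):
    """Group externally callable, state-changing functions by access modifier."""
    surface = defaultdict(list)
    for contract, vis, name, mutating, mods in rows:
        if vis in ("Pub", "Ext") and mutating:
            for guard in [m for m in mods if m not in ignore] or ["(unrestricted)"]:
                surface[guard].append(f"{contract}.{name}")
    return dict(surface)

print(privileged_surface(parse_graph(GRAPH)))
```

On the excerpt, six setters fall under onlyOwner, while win and mintNomics (the two minting paths described in the notes) fall under onlyEvolver and onlyTokenomics respectively.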