OragonX - Smart Contract Audit Report
OragonX ($Orgn) is a new community-driven token on the Binance Smart Chain that pays out static rewards to holders.
Notes on the Contract:
Audit Findings Summary
- The total supply of the token is set to 1 quadrillion $Orgn [1,000,000,000,000,000].
- No minting or burn functions are present; though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.
- At the time of writing this report, 47.3% of the total $Orgn token supply has been sent to the burn address.
- The top holder is in possession of 6% of the total supply.
- 1.5% of the total supply is in Pancakeswap liquidity.
- Of that liquidity, 97.35% of the LP tokens are stored in an unverified contract.
- There is a 'tax fee' and a 'liquidity fee' on all transactions for any "non-excluded" address that participates in a transfer. The owner has the ability to modify these fees to any percentage at any time.
- Users who hold tokens will automatically benefit from the frictionless fee redistribution at the time of each transaction as the tokens collected through the tax fee are removed from the circulating supply.
- On each transfer that occurs while the minimum threshold (determined by the owner) is met, the protocol will spend 1% of its BNB balance toward buying $Orgn tokens that will subsequently be burned. The owner has the ability to enable and disable the Buyback functionality at any time. The owner also has control over the threshold that will determine when the Buyback functionality is applied.
- The liquidity fee that is charged on transactions is used to buy BNB via the "swaptokens" function which will be stored in the contract address. Upon each BNB purchase made by the contract address, a percentage (determined by the owner) will be sent to the 'marketing address'. This percentage of the BNB to be transferred can be modified by the owner to any amount at any time.
- A logical issue exists within the swapping functionality. If the liquidity fee is set (by the owner) to a number that is less than or equal to the 'Marketing Divisor', the resulting BNB to be transferred to the marketing address might be more than the contract balance can support which would result in the transaction reverting. If this functionality is used in such a way, it will allow the project team to receive all of the BNB in the contract address.
- Although the swap and liquify verbiage exists in the code, there are no "automatic liquidity adds" supported by the protocol; as the buyback mechanism is used instead.
- The owner of the contract can exclude and include accounts from fees and reward distribution.
- The owner has the ability to update the marketing address at any time.
- The owner has the ability to set and update a maximum transaction amount at any time, which will impose a limit to the number of tokens that can be transferred during any given transaction. The owner can also include and exclude accounts from this transaction limit.
- This maximum transaction amount does not apply to the owner during transactions where the owner is either the sender or the recipient.
- The owner can activate the buyback functionality manually and bypass the token threshold at any time.
- The contract includes a "PrepareForPresale" function that allows the owner to set fees to 0, and set the max transaction amount to 100% of the total token supply. There is also an "afterPresale" function where the fees are restored and the maximum transaction amount is set to 0.3% of the total token supply.
- The owner has the ability to use the "lock" function in order to temporarily set ownership to address(0). Ownership is restored after the duration of time determined by the owner has passed and they use the 'unlock' function.
- The unlock function has the potential to be used after ownership is renounced, which will restore ownership to the original owner that initially created the ownership lock. This can be used in a nefarious way by the project team to restore ownership and change fee structures.
- We recommend that the unlock function is modified to set the "previous owner" = "address(0)" at the end of the unlock function to prevent it from being used more than once per lock.
- Ownership has not been renounced.
- The contract utilizes SafeMath libraries along with following the BEP20 standard.
- No external threats were identified.
- There are potential risks that exist for holders regarding the team's ability to retain control of the contract.
- We recommend that the team renounces ownership.
- Buyback functionality may be susceptible to front-running; The team must monitor and if suspicious activity is detected, the team must disable the buyback system.
- Please ensure trust in the team prior to investing as they have significant control in the ecosystem.
- Further, ensure trust in the team as they have control of the contract's BNB balance that is accumulated from fees.
- Date: August 24th, 2021
|Arbitrary Storage Write||N/A||PASS|
|Critical Solidity Compiler||N/A||PASS|
|Delegate Call to Untrusted Contract||N/A||PASS|
|Dependence on Predictable Variables||N/A||PASS|
|State Change External Calls||N/A||PASS|
|User Supplied Assertion||N/A||PASS|
|Overall Contract Safety||PASS|
($) = payable function # = non-constant function + Context - [Int] _msgSender - [Int] _msgData + [Int] IERC20 - [Ext] totalSupply - [Ext] balanceOf - [Ext] transfer # - [Ext] allowance - [Ext] approve # - [Ext] transferFrom # + [Lib] SafeMath - [Int] add - [Int] sub - [Int] sub - [Int] mul - [Int] div - [Int] div - [Int] mod - [Int] mod + [Lib] Address - [Int] isContract - [Int] sendValue # - [Int] functionCall # - [Int] functionCall # - [Int] functionCallWithValue # - [Int] functionCallWithValue # - [Prv] _functionCallWithValue # + Ownable (Context) - [Pub]
# - [Pub] owner - [Pub] renounceOwnership # - modifiers: onlyOwner - [Pub] transferOwnership # - modifiers: onlyOwner - [Pub] getUnlockTime - [Pub] getTime - [Pub] lock # - modifiers: onlyOwner - [Pub] unlock # + [Int] IUniswapV2Factory - [Ext] feeTo - [Ext] feeToSetter - [Ext] getPair - [Ext] allPairs - [Ext] allPairsLength - [Ext] createPair # - [Ext] setFeeTo # - [Ext] setFeeToSetter # + [Int] IUniswapV2Pair - [Ext] name - [Ext] symbol - [Ext] decimals - [Ext] totalSupply - [Ext] balanceOf - [Ext] allowance - [Ext] approve # - [Ext] transfer # - [Ext] transferFrom # - [Ext] DOMAIN_SEPARATOR - [Ext] PERMIT_TYPEHASH - [Ext] nonces - [Ext] permit # - [Ext] MINIMUM_LIQUIDITY - [Ext] factory - [Ext] token0 - [Ext] token1 - [Ext] getReserves - [Ext] price0CumulativeLast - [Ext] price1CumulativeLast - [Ext] kLast - [Ext] burn # - [Ext] swap # - [Ext] skim # - [Ext] sync # - [Ext] initialize # + [Int] IUniswapV2Router01 - [Ext] factory - [Ext] WETH - [Ext] addLiquidity # - [Ext] addLiquidityETH ($) - [Ext] removeLiquidity # - [Ext] removeLiquidityETH # - [Ext] removeLiquidityWithPermit # - [Ext] removeLiquidityETHWithPermit # - [Ext] swapExactTokensForTokens # - [Ext] swapTokensForExactTokens # - [Ext] swapExactETHForTokens ($) - [Ext] swapTokensForExactETH # - [Ext] swapExactTokensForETH # - [Ext] swapETHForExactTokens ($) - [Ext] quote - [Ext] getAmountOut - [Ext] getAmountIn - [Ext] getAmountsOut - [Ext] getAmountsIn + [Int] IUniswapV2Router02 (IUniswapV2Router01) - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens # - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens # - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens # - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($) - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens # + OragonX (Context, IERC20, Ownable) - [Pub] # - [Pub] name - [Pub] symbol - [Pub] decimals - [Pub] totalSupply - [Pub] balanceOf - [Pub] transfer # - [Pub] allowance - [Pub] approve # - [Pub] transferFrom # - [Pub] increaseAllowance # - [Pub] decreaseAllowance # - [Pub] isExcludedFromReward - [Pub] totalFees - [Pub] minimumTokensBeforeSwapAmount - [Pub] buyBackUpperLimitAmount - [Pub] deliver # - [Pub] reflectionFromToken - [Pub] tokenFromReflection - [Pub] excludeFromReward # - modifiers: onlyOwner - [Ext] includeInReward # - modifiers: onlyOwner - [Prv] _approve # - [Prv] _transfer # - [Prv] swapTokens # - modifiers: lockTheSwap - [Prv] buyBackTokens # - modifiers: lockTheSwap - [Prv] swapTokensForEth # - [Prv] swapETHForTokens # - [Prv] addLiquidity # - [Prv] _tokenTransfer # - [Prv] _transferStandard # - [Prv] _transferToExcluded # - [Prv] _transferFromExcluded # - [Prv] _transferBothExcluded # - [Prv] _reflectFee # - [Prv] _getValues - [Prv] _getTValues - [Prv] _getRValues - [Prv] _getRate - [Prv] _getCurrentSupply - [Prv] _takeLiquidity # - [Prv] calculateTaxFee - [Prv] calculateLiquidityFee - [Prv] removeAllFee # - [Prv] restoreAllFee # - [Pub] isExcludedFromFee - [Pub] excludeFromFee # - modifiers: onlyOwner - [Pub] includeInFee # - modifiers: onlyOwner - [Ext] setTaxFeePercent # - modifiers: onlyOwner - [Ext] setLiquidityFeePercent # - modifiers: onlyOwner - [Ext] setMaxTxAmount # - modifiers: onlyOwner - [Ext] setMarketingDivisor # - modifiers: onlyOwner - [Ext] setNumTokensSellToAddToLiquidity # - modifiers: onlyOwner - [Ext] setBuybackUpperLimit # - modifiers: onlyOwner - [Ext] setMarketingAddress # - modifiers: onlyOwner - [Pub] setSwapAndLiquifyEnabled # - modifiers: onlyOwner - [Pub] setBuyBackEnabled # - modifiers: onlyOwner - [Ext] prepareForPreSale # - modifiers: onlyOwner - [Ext] afterPreSale # - modifiers: onlyOwner - [Prv] transferToAddressETH # - [Ext] ($)