Orbeon Protocol

Smart Contract Audit Report

Audit Summary

Orbeon Protocol Audit Report Orbeon Protocol is a new ERC-20 token on Ethereum that is an automatic liquidity providing protocol that pays holders dividends in ETH.

For this audit, we reviewed the project team's ORBN contract at 0xa7fbd9254f10f8e20a31a593c9e8bc0d041e15f6 on the Ethereum Mainnet.

Audit Findings

Low findings were identified and the team should consider resolving these issues. In addition, centralized aspects are present.
Date: November 30th, 2022.
Finding #1 - ORBN - Low
Description: In the swapAndLiquify() function, the amount of ETH allocated to automatic liquidity adds, the team's Marketing wallet, and dividend rewards do not correspond with the fee percentages of the contract.
function swapAndLiquify(uint256 contractTokenBalance) private lockTheSwap {
...
    uint256 deltaBalance = address(this).balance-initialBalance;

    uint256 bnbToAddLiquidityWith = deltaBalance.mul(onSellliquidityFee).div(onSelltotalFees.mul(2).sub(onSellliquidityFee));
    
    addLiquidity(tokensToAddLiquidityWith, bnbToAddLiquidityWith);
    uint256 marketingAmount = deltaBalance.sub(bnbToAddLiquidityWith).div(onSelltotalFees.sub(onSellliquidityFee)).mul(onSellmarketingFee);
    marketingWallet.transfer(marketingAmount);

    uint256 dividends = address(this).balance;
    (bool success,) = address(dividendTracker).call{value: dividends}("");
Risk/Impact: The percentages of ETH allocated to each of the above funds may be more or less than what the project team intends.
Recommendation: The team should modify the above calculations to correspond with each fund's fee percentage in relation to the total fee percentages of the contract.
Resolution: The team has not yet addressed this issue.

Finding #2 - ORBN - Informational
Description: Although the SafeMath library is utilized, the contract is deployed with Solidity v0.8.17 which has built-in overflow checks.
Recommendation: SafeMath could safely be removed to reduce contract size, deployment costs, and gas costs on all transactions that utilize it.

Finding #3 - ORBN - Informational
Description: The deadWallet state variable cannot be modified but is not declared constant.
Recommendation: The above state variable could be declared constant for additional gas savings on each reference.

Contract Overview

The total supply of the token is set to 888 million [888,000,000] $ORBN.

No public mint or burn functions are present, though the circulating supply can be decreased by sending tokens to the 0x..dead address.

At the time of writing this report, 100% of the total supply belongs to the owner.

The contract enforces a maximum sell amount (determined by the owner) which imposes a limit to the number of tokens that can be sold via Uniswap per transaction.

There is an ETH Reward fee, Liquidity fee, Marketing fee, and Burn fee on all transfers where neither the sender nor the recipient is excluded from fees. A separate fee structure can be set by the team to apply different fee percentages depending on whether or not the user is selling tokens via Uniswap.

The fees charged during transfers are stored in the contract address. The tokens are swapped for ETH for the purpose of funding Uniswap liquidity, dividend rewards, and the team's Marketing wallet when the following conditions are met:

The threshold number of tokens in the contract address (determined by the owner) has been reached.

The automatic token swapping functionality is enabled by the team.

The contract is not currently swapping tokens.

The caller is not initiating a buy transaction via Uniswap.

Liquidity-adds are automatically performed by selling the tokens collected as fees, pairing the received ETH with the token, and adding it as liquidity to the ETH pair.

The LP tokens received through this process are sent to the owner. We recommend the team lock these newly acquired LP tokens.

The tokens collected through the Marketing Fee are swapped for ETH and sent to the team's Marketing wallet.

Any remaining ETH in the contract is sent to the ORBNDividendTracker contract where it is distributed as rewards.

The tokens collected through the Burn fee are sent to the 0x..dead address.

As the contract is deployed with Solidity v0.8.17, it is protected from overflows/underflows.

The contract complies with the ERC-20 token standard.

Any user that holds at least 10,000 $ORBN tokens is eligible to claim dividends.

Once dividends are distributed, they will need to be claimed; claiming happens automatically on each transfer.

Dividend rewards can also be claimed manually by kicking off the claim cycle, which will process all eligible token holders.

Alternatively, a user can manually claim dividends as an individual.

There is a wait-time (determined by the owner) between claiming dividend rewards.

Claimed dividends are sent to the user's wallet address.

Ownership Controls:

The owner can set the ETH Reward fee, Liquidity fee, Marketing fee, and Burn fee for both fee structures to any percentages at any time.

The owner can set the maximum sell amount to any value at any time.

The owner can exclude any address from transfer fees, dividends, and the maximum sell amount restriction at any time.

The owner can update the threshold number of tokens needed to trigger the automatic token swapping functionality to any value at any time.

The owner can enable/disable the automatic token swapping functionality at any time.

The owner can update the maximum amount of gas used for processing to any value between 200,000 and 500,000 at any time.

The owner can update the amount of time a user must wait between claiming dividends to any value between 1 hour and 24 hours (in seconds).

The owner can add/remove addresses from the Automated Market Maker Pair list at any time.

The owner can update the Uniswap Router address at any time.

The owner can update the team's Marketing address at any time.

The owner can assign any address to the Safe Manager role.

The Safe Manager can withdraw any tokens or ETH from the ORBN contract at any time.

Audit Results

Vulnerability Category	Notes	Result
Arbitrary Jump/Storage Write	N/A	PASS
Centralization of Control	The owner can set each fee percentage up to 100%. The LP tokens generated through automatic liquidity adds are sent to the owner. The team can withdraw any tokens from the ORBN contract at any time.	WARNING
Compiler Issues	N/A	PASS
Delegate Call to Untrusted Contract	N/A	PASS
Dependence on Predictable Variables	N/A	PASS
Ether/Token Theft	N/A	PASS
Flash Loans	N/A	PASS
Front Running	The automatic token swapping functionality may be susceptible to front running. The team should monitor, and if any suspicious activity is detected, should either lower the `swapTokensAtAmount` threshold or disable this system altogether.	PASS
Improper Events	N/A	PASS
Improper Authorization Scheme	N/A	PASS
Integer Over/Underflow	N/A	PASS
Logical Issues	In the swapAndLiquify() function, the amount of ETH allocated to automatic liquidity adds, the team's Marketing wallet, and dividend rewards do not correspond with the fee percentages of the contract.	WARNING
Oracle Issues	N/A	PASS
Outdated Compiler Version	N/A	PASS
Race Conditions	N/A	PASS
Reentrancy	N/A	PASS
Signature Issues	N/A	PASS
Sybil Attack	N/A	PASS
Unbounded Loops	N/A	PASS
Unused Code	N/A	PASS
Overall Contract Safety		PASS

Inheritance Chart

Smart Contract Audit - Inheritance

Function Graph

Smart Contract Audit - Graph

Functions Overview


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public

 + [Int] IUniswapV2Router01 
    - [Ext] factory
    - [Ext] WETH
    - [Ext] addLiquidity #
    - [Ext] addLiquidityETH ($)
    - [Ext] removeLiquidity #
    - [Ext] removeLiquidityETH #
    - [Ext] removeLiquidityWithPermit #
    - [Ext] removeLiquidityETHWithPermit #
    - [Ext] swapExactTokensForTokens #
    - [Ext] swapTokensForExactTokens #
    - [Ext] swapExactETHForTokens ($)
    - [Ext] swapTokensForExactETH #
    - [Ext] swapExactTokensForETH #
    - [Ext] swapETHForExactTokens ($)
    - [Ext] quote
    - [Ext] getAmountOut
    - [Ext] getAmountIn
    - [Ext] getAmountsOut
    - [Ext] getAmountsIn

 + [Int] IUniswapV2Router02 (IUniswapV2Router01)
    - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
    - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
    - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
    - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

 + [Int] IUniswapV2Factory 
    - [Ext] feeTo
    - [Ext] feeToSetter
    - [Ext] getPair
    - [Ext] allPairs
    - [Ext] allPairsLength
    - [Ext] createPair #
    - [Ext] setFeeTo #
    - [Ext] setFeeToSetter #

 + [Lib] SignedSafeMath 
    - [Int] mul
    - [Int] div
    - [Int] sub
    - [Int] add

 + [Lib] SafeMath 
    - [Int] tryAdd
    - [Int] trySub
    - [Int] tryMul
    - [Int] tryDiv
    - [Int] tryMod
    - [Int] add
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] mod
    - [Int] sub
    - [Int] div
    - [Int] mod

 + [Lib] SafeCast 
    - [Int] toUint224
    - [Int] toUint128
    - [Int] toUint96
    - [Int] toUint64
    - [Int] toUint32
    - [Int] toUint16
    - [Int] toUint8
    - [Int] toUint256
    - [Int] toInt128
    - [Int] toInt64
    - [Int] toInt32
    - [Int] toInt16
    - [Int] toInt8
    - [Int] toInt256

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20Metadata (IERC20)
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals

 +  ERC20 (Context, IERC20, IERC20Metadata)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _beforeTokenTransfer #
    - [Int] _afterTokenTransfer #

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Prv] _setOwner #

 + [Lib] IterableMapping 
    - [Pub] get
    - [Pub] getIndexOfKey
    - [Pub] getKeyAtIndex
    - [Pub] size
    - [Pub] set #
    - [Pub] remove #

 + [Int] DividendPayingTokenOptionalInterface 
    - [Ext] withdrawableDividendOf
    - [Ext] withdrawnDividendOf
    - [Ext] accumulativeDividendOf

 + [Int] DividendPayingTokenInterface 
    - [Ext] dividendOf
    - [Ext] distributeDividends ($)
    - [Ext] withdrawDividend #

 +  DividendPayingToken (ERC20, DividendPayingTokenInterface, DividendPayingTokenOptionalInterface)
    - [Pub]  #
       - modifiers: ERC20
    - [Ext]  ($)
    - [Pub] distributeDividends ($)
    - [Pub] withdrawDividend #
    - [Int] _withdrawDividendOfUser #
    - [Pub] dividendOf
    - [Pub] withdrawableDividendOf
    - [Pub] withdrawnDividendOf
    - [Pub] accumulativeDividendOf
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _setBalance #

 +  ORBNDividendTracker (DividendPayingToken, Ownable)
    - [Pub]  #
       - modifiers: DividendPayingToken
    - [Int] _transfer
    - [Pub] withdrawDividend
    - [Ext] excludeFromDividends #
       - modifiers: onlyOwner
    - [Ext] updateClaimWait #
       - modifiers: onlyOwner
    - [Ext] getLastProcessedIndex
    - [Ext] getNumberOfTokenHolders
    - [Pub] getAccount
    - [Pub] getAccountAtIndex
    - [Prv] canAutoClaim
    - [Ext] setBalance #
       - modifiers: onlyOwner
    - [Pub] process #
    - [Pub] processAccount #
       - modifiers: onlyOwner

 +  SafeToken (Ownable)
    - [Pub]  #
    - [Pub] setSafeManager #
       - modifiers: onlyOwner
    - [Ext] withdraw #
    - [Ext] withdrawBNB #

 +  ORBN (ERC20, Ownable, SafeToken)
    - [Pub] setFee #
       - modifiers: onlyOwner
    - [Pub] setSellFee #
       - modifiers: onlyOwner
    - [Pub] setMaxSelltx #
       - modifiers: onlyOwner
    - [Pub] setmarketingWallet #
       - modifiers: onlyOwner
    - [Pub]  #
       - modifiers: ERC20
    - [Ext]  ($)
    - [Pub] updateUniswapV2Router #
       - modifiers: onlyOwner
    - [Pub] excludeFromFees #
       - modifiers: onlyOwner
    - [Pub] setExcludeFromMaxTx #
       - modifiers: onlyOwner
    - [Pub] setExcludeFromAll #
       - modifiers: onlyOwner
    - [Pub] excludeMultipleAccountsFromFees #
       - modifiers: onlyOwner
    - [Pub] setAutomatedMarketMakerPair #
       - modifiers: onlyOwner
    - [Pub] setSWapToensAtAmount #
       - modifiers: onlyOwner
    - [Prv] _setAutomatedMarketMakerPair #
    - [Pub] updateGasForProcessing #
       - modifiers: onlyOwner
    - [Ext] updateClaimWait #
       - modifiers: onlyOwner
    - [Ext] getClaimWait
    - [Ext] getTotalDividendsDistributed
    - [Pub] isExcludedFromFees
    - [Pub] isExcludedFromMaxTx
    - [Pub] withdrawableDividendOf
    - [Pub] dividendTokenBalanceOf
    - [Ext] getAccountDividendsInfo
    - [Ext] getAccountDividendsInfoAtIndex
    - [Ext] processDividendTracker #
    - [Ext] claim #
    - [Ext] getLastProcessedIndex
    - [Ext] getNumberOfDividendTokenHolders
    - [Ext] excludeFromDividends #
       - modifiers: onlyOwner
    - [Pub] setSwapAndLiquifyEnabled #
       - modifiers: onlyOwner
    - [Int] _transfer #
    - [Prv] swapAndLiquify #
       - modifiers: lockTheSwap
    - [Prv] swapTokensForBnb #
    - [Prv] swapAndSendBNBToMarketing #
    - [Prv] addLiquidity #

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1300+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value across 1500 projects!.
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.

Go Home