PISTON - Smart Contract Audit Report
Audit Summary
PISTON ($PISTON) is a new BEP-20 token on the Binance Smart Chain that is an automatic liquidity providing protocol.
We reviewed the PISTON implementation contract at 0xe62946A6b6Fb5362F4733D873655e22A3A4f1cC1 and Proxy contract at 0x740DeB4FA5BdEC0f4D514728fD679d567DEce093 on the Binance Smart Chain mainnet.
Audit Findings
Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: February 22nd, 2022.
Finding #1 - PISTON - Informational
Description: Several functions are declared public, but are never called internally.
Recommendation: We recommend declaring these functions external for additional gas savings on each call.
symbol, updateUniswapV2Router, excludeMultipleAccountsFromFees, setAutomatedMarketMakerPair, isExcludedFromFees
Finding #2 - PISTON - Informational
Description: Although the SafeMath library is utilized, the contract is deployed with Solidity v0.8.9 which has built-in overflow checks.
Recommendation: SafeMath could be safely removed to reduce contract size and deployment costs.
Contract Overview
Ownership Controls:
- The total supply of the token is currently 1 million $PISTON [1,000,000].
- The contract utilizes a Minter role that allows the assigned address to mint any amount of tokens to any account at any time.
- No burn functions exist, though the circulating supply can be decreased by sending tokens to the 0x..dead address.
- At the time of writing this report, 100% of the total supply belongs to the owner.
- Trading must be enabled by the owner in order for all trading to take place on the platform. Only accounts that are excluded from fees can participate in transfers when trading is set to disabled.
- There is a Liquidity fee, Ecosystem fee, and Dev fee on all transfers where neither the sender nor the recipient is excluded from fees.
- Fees are increased by a percentage (determined by the owner) when selling tokens to Pancakeswap.
- The liquidity fee charged during transfers is stored in the contract address. The tokens are swapped for BUSD for the purpose of funding Pancakeswap liquidity when the following conditions are met:
  - The automatic liquidity add functionality is enabled by the team.
  - The threshold number of tokens in the contract address (determined by the owner) has been reached.
  - The contract is not currently performing an automatic liquidity add.
  - The transfer is not a buying transaction via Pancakeswap.
  - Neither the sender nor the recipient is the owner.
- Liquidity-adds are automatically performed by selling the tokens collected as fees, pairing the received BUSD with the token, and adding it as liquidity to the pair.
- The LP tokens received through this process are sent to the 0x00 address.
- The tokens collected from the Dev fee and Ecosystem fee are sent to the team's Dev wallet and Ecosystem wallet respectively.
- The contract enforces a maximum sell amount (determined by the owner) which imposes a limit to the number of tokens that can be sold via Pancakeswap.
- The contract enforces a maximum buy amount (determined by the owner) which imposes a limit to the number of tokens that can be bought via Pancakeswap.
- The contract enforces a maximum wallet amount which prevents a transfer from occurring if the recipient's token balance will exceed the limit number of tokens (determined by the owner) after the transfer takes place.
- The maximum buy amount, maximum sell amount, and maximum wallet amount restrictions do not apply to accounts that are excluded from fees.
- The contract is upgradable, meaning the team can swap out the current contract for a new one at any time.
- As the contract is deployed with Solidity v0.8.9, it is protected from overflows/underflows.
- The contract complies with the BEP-20 token standard.
- The owner can modify the Liquidity fee, Ecosystem fee, and Dev fee to any percentages as long as the total fee percentages combined do not exceed 25%.
- The owner can update the percentage that fees are increased by when selling tokens to Pancakeswap to any value up to 15%.
- The owner can exclude and include accounts from transfer fees.
- The owner can disable trading at any time which will prevent all accounts that are not excluded from fees from being able to participate in transfers.
- The owner can add/remove accounts from a blacklist that prevents users from being able to participate in transfers.
- The owner can update the maximum buy amount, maximum sell amount, and maximum wallet amount to any values at any time.
- The owner can enable/disable automatic liquidity adds at any time.
- The owner can update the threshold number of tokens needed to trigger an automatic liquidity add to any value at any time.
- The owner can update the paired token address that is used when performing an automatic liquidity add from BUSD to any address at any time.
- The owner can update the team's Ecosystem wallet and Dev wallet to any addresses at any time.
- The owner can update the Automated Market Maker Pair address at any time.
- The owner can update the Pancakeswap Router address at any time.
- The owner can update the token's symbol at any time.
- The assigned Minter address can transfer their role to another address at any time.
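The transfer restrictions listed above, modelled as an added example (this is not the PISTON contract's code or the auditor's) to show how each owner-only setting changes the outcome of the same holder's sell. The account names, limit values, order of checks, and the treatment of a buy or sell as a transfer from or to the pair are assumptions; fees are ignored.

```python
from dataclasses import dataclass, field

@dataclass
class TokenState:
    """Owner-controlled settings named in the report; all values are constructed."""
    trading_enabled: bool = True
    max_buy: int = 5_000
    max_sell: int = 2_000
    max_wallet: int = 20_000
    amm_pair: str = "PAIR"  # placeholder for the Pancakeswap pair address
    excluded_from_fees: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

def check_transfer(s: TokenState, sender: str, recipient: str, amount: int) -> str:
    """Return "ok" or the first rule from the overview that blocks the transfer."""
    # Assumption: the blacklist covers both parties and is checked first.
    if sender in s.blacklist or recipient in s.blacklist:
        return "blacklisted"
    # Assumption: one excluded party is enough to bypass the switch and limits.
    if sender in s.excluded_from_fees or recipient in s.excluded_from_fees:
        return "ok"
    if not s.trading_enabled:
        return "trading disabled"
    # Assumption: a buy is a transfer from the pair, a sell is a transfer to it.
    if sender == s.amm_pair and amount > s.max_buy:
        return "max buy exceeded"
    if recipient == s.amm_pair and amount > s.max_sell:
        return "max sell exceeded"
    # Assumption: the pair itself is not subject to the wallet cap.
    if recipient != s.amm_pair and s.balances.get(recipient, 0) + amount > s.max_wallet:
        return "max wallet exceeded"
    return "ok"

def holder_sell_outcomes() -> list:
    """Same holder, same sell, re-checked after each owner-only setting change."""
    s = TokenState(balances={"alice": 3_000}, excluded_from_fees={"owner"})
    out = [check_transfer(s, "alice", s.amm_pair, 1_000)]
    s.max_sell = 0  # the owner can set any value at any time
    out.append(check_transfer(s, "alice", s.amm_pair, 1_000))
    s.max_sell, s.trading_enabled = 2_000, False
    out.append(check_transfer(s, "alice", s.amm_pair, 1_000))
    out.append(check_transfer(s, "owner", s.amm_pair, 1_000))  # excluded account
    s.trading_enabled = True
    s.blacklist.add("alice")
    out.append(check_transfer(s, "alice", s.amm_pair, 1_000))
    return out

if __name__ == "__main__":
    print(holder_sell_outcomes())
```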
External Threat Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Centralization of Control | | WARNING |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Flash Loans | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Logical Issues | N/A | PASS |
Multiple Sends | N/A | PASS |
Oracles | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | | PASS |
Functions Overview
($) = payable function
# = non-constant function
+ [Int] IERC20Upgradeable
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IERC20MetadataUpgradeable (IERC20Upgradeable)
- [Ext] name
- [Ext] symbol
- [Ext] decimals
+ Initializable
- [Prv] _isConstructor
+ ContextUpgradeable (Initializable)
- [Int] __Context_init #
- modifiers: onlyInitializing
- [Int] __Context_init_unchained #
- modifiers: onlyInitializing
- [Int] _msgSender
- [Int] _msgData
+ [Lib] AddressUpgradeable
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] verifyCallResult
+ ERC20Upgradeable (Initializable, ContextUpgradeable, IERC20Upgradeable, IERC20MetadataUpgradeable)
- [Int] __ERC20_init #
- modifiers: onlyInitializing
- [Int] __ERC20_init_unchained #
- modifiers: onlyInitializing
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _beforeTokenTransfer #
- [Int] _afterTokenTransfer #
+ OwnableUpgradeable (Initializable, ContextUpgradeable)
- [Int] __Ownable_init #
- modifiers: onlyInitializing
- [Int] __Ownable_init_unchained #
- modifiers: onlyInitializing
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ [Lib] SafeMathUpgradeable
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ [Int] IUniswapV2Pair
- [Ext] name
- [Ext] symbol
- [Ext] decimals
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] allowance
- [Ext] approve #
- [Ext] transfer #
- [Ext] transferFrom #
- [Ext] DOMAIN_SEPARATOR
- [Ext] PERMIT_TYPEHASH
- [Ext] nonces
- [Ext] permit #
- [Ext] MINIMUM_LIQUIDITY
- [Ext] factory
- [Ext] token0
- [Ext] token1
- [Ext] getReserves
- [Ext] price0CumulativeLast
- [Ext] price1CumulativeLast
- [Ext] kLast
- [Ext] mint #
- [Ext] burn #
- [Ext] swap #
- [Ext] skim #
- [Ext] sync #
- [Ext] initialize #
+ [Int] IUniswapV2Factory
- [Ext] feeTo
- [Ext] feeToSetter
- [Ext] getPair
- [Ext] allPairs
- [Ext] allPairsLength
- [Ext] createPair #
- [Ext] setFeeTo #
- [Ext] setFeeToSetter #
+ [Int] IUniswapV2Router01
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] removeLiquidity #
- [Ext] removeLiquidityETH #
- [Ext] removeLiquidityWithPermit #
- [Ext] removeLiquidityETHWithPermit #
- [Ext] swapExactTokensForTokens #
- [Ext] swapTokensForExactTokens #
- [Ext] swapExactETHForTokens ($)
- [Ext] swapTokensForExactETH #
- [Ext] swapExactTokensForETH #
- [Ext] swapETHForExactTokens ($)
- [Ext] quote
- [Ext] getAmountOut
- [Ext] getAmountIn
- [Ext] getAmountsOut
- [Ext] getAmountsIn
+ [Int] IUniswapV2Router02 (IUniswapV2Router01)
- [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
- [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
- [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
- [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
- [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
+ PISTON (Initializable, ERC20Upgradeable, OwnableUpgradeable)
- [Pub] initialize #
- modifiers: initializer
- [Pub] symbol
- [Ext] mint #
- [Ext] ($)
- [Pub] updateUniswapV2Router #
- modifiers: onlyOwner
- [Pub] excludeFromFees #
- modifiers: onlyOwner
- [Pub] excludeMultipleAccountsFromFees #
- modifiers: onlyOwner
- [Ext] setEcosystemWallet #
- modifiers: onlyOwner
- [Ext] setDevWallet #
- modifiers: onlyOwner
- [Ext] setExtraSellFee #
- modifiers: onlyOwner
- [Ext] setEcosystemFee #
- modifiers: onlyOwner
- [Ext] setDevFee #
- modifiers: onlyOwner
- [Ext] setLiquiditFee #
- modifiers: onlyOwner
- [Ext] setFeetargetTokenAddress #
- modifiers: onlyOwner
- [Ext] setLiquidityTokenAddress #
- modifiers: onlyOwner
- [Pub] setAutomatedMarketMakerPair #
- modifiers: onlyOwner
- [Ext] blacklistAddress #
- modifiers: onlyOwner
- [Ext] setTradingEnabled #
- modifiers: onlyOwner
- [Prv] _setAutomatedMarketMakerPair #
- [Ext] setSwapEnabled #
- modifiers: onlyOwner
- [Ext] setMaxBuyAmount #
- modifiers: onlyOwner
- [Ext] setMaxWalletBalance #
- modifiers: onlyOwner
- [Ext] setMaxSellAmount #
- modifiers: onlyOwner
- [Ext] setSwapTokensAtAmount #
- modifiers: onlyOwner
- [Pub] isExcludedFromFees
- [Ext] setMintMasterAddress #
- [Ext] setSymbol #
- modifiers: onlyOwner
- [Int] _transfer #
- [Prv] swapAndSendToFee #
- [Prv] swapAndLiquify #
- [Prv] swapTokensForEth #
- [Prv] swapTokensForTargetToken #
- [Prv] swapTokensForLiquidityToken #
- [Prv] addLiquidity #