PolkaCity Token - Smart Contract Audit Report

Summary

PolkaCity Token Audit Report

PolkaCity intends to build a platform that allows users to invest in specific assets such as taxis and energy stations. Further features are still in development; thus far the team has only an ERC20 token contract.

For this audit we reviewed only the project's token contract, deployed at 0xaA8330FB2B4D5D07ABFE7A72262752a8505C6B37.

Notes of the contract:
  • The total supply of the token is 250 million.
  • No accessible mint function exists, though a burn function is present.
  • Currently the deployer's address holds 200 million tokens, representing 80% of the total supply. 25% of these tokens are unlocked, and the rest vest over time. The team refers to this address as the "platform wallet".
  • 10 million tokens are locked in an address controlled by the team via a locking mechanism included in the contract, which will be unlocked over time.
  • The marketing wallet (controlled by the team) is allocated 5 million tokens; 4 million of which are locked and released over time.
  • 2.5 million tokens allocated to a private sale have been distributed
  • 7.5 million tokens are held in a wallet intended for use in a presale.
  • 25 million tokens are allocated for use on exchanges; these tokens are unlocked and accessible to the team.

  • The contract includes features to conduct a presale (which ends on February 28th).
  • Users can buy tokens directly through the contract during the presale period,
  • All ETH raised through the presale is sent directly to the team.
  • A specific function exists for burning tokens not sold in the presale.

  • In an effort to prevent bot trading, each non-whitelisted address can initiate only one transfer per block (the contract records the last block per calling address in its lastTXBlock mapping). This may cause failing transactions if the token's usage becomes popular, though the owner can enable or disable the limit at any time.
  • The owner additionally has the ability to whitelist addresses so that they are exempt from the one-transfer-per-block limit.
  • No other Ownership-protected functions are present.
  • Utilization of SafeMath to prevent overflows.
Audit Findings Summary
  • No issues from external attackers were identified.
  • The developer of the protocol has performed KYC with our firm and is domiciled in the United States.
  • Users give their ETH directly to the project team during the presale, and the team controls a large number of tokens. Ensure trust in the team.
  • The team claims to be releasing an NFT staking contract after listing, but have declined to share the code because it is "worth too much."
  • Date: February 19th, 2021.

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |

Overall Contract Safety: PASS

ERC20 Token Graph

Multi-file Token


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub

 + [Int] ItokenRecipient 
    - [Ext] receiveApproval #

 + [Int] IERC20Token 
    - [Ext] totalSupply
    - [Ext] transfer #
    - [Ext] transferFrom #
    - [Ext] balanceOf
    - [Ext] approve #
    - [Ext] allowance

 +  Ownable 
    - [Pub]  #
    - [Pub] changeOwner #
       - modifiers: onlyOwner
    - [Ext] getOwner

 +  StandardToken (IERC20Token)
    - [Pub] totalSupply
    - [Pub] transfer #
    - [Pub] transferFrom #
    - [Pub] balanceOf
    - [Pub] approve #
    - [Pub] allowance

 +  POLCToken (Ownable, StandardToken)
    - [Pub]  #
    - [Pub] transfer #
    - [Pub] transferFrom #
    - [Pub] burn #
    - [Pub] approveAndCall #
    - [Pub] releaseTokens #
    - [Int] checkTransferLimit #
    - [Pub] enableTXLimit #
       - modifiers: onlyOwner
    - [Pub] disableTXLimit #
       - modifiers: onlyOwner
    - [Pub] includeWhiteList #
       - modifiers: onlyOwner
    - [Pub] removeWhiteList #
       - modifiers: onlyOwner
    - [Pub] getLockedBalance
    - [Pub] buy ($)
    - [Pub] burnUnsold #
       - modifiers: onlyOwner
  
							



/**
 *Submitted for verification at Etherscan.io on 2021-02-17
*/

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

/// @title SafeMath
/// @notice Addition and subtraction helpers for uint256 that revert with a message.
/// @dev This file is compiled with `pragma solidity ^0.8.0`, where `+` and `-` are
///      already overflow-checked by the compiler. The `require` in `add` therefore
///      cannot fail: an overflowing `a + b` reverts before the check is reached.
library SafeMath {

    /// @notice Returns `a + b`.
    /// @param a First operand.
    /// @param b Second operand.
    /// @return sum The sum of the two operands.
    function add(uint256 a, uint256 b) internal pure returns (uint256 sum) {
        sum = a + b;
        require(sum >= a, "SafeMath: addition overflow");
    }

    /// @notice Returns `a - b`, reverting with a default message when `b > a`.
    /// @param a Minuend.
    /// @param b Subtrahend.
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        return sub(a, b, "SafeMath: subtraction overflow");
    }

    /// @notice Returns `a - b`, reverting with `errorMessage` when `b > a`.
    /// @param a Minuend.
    /// @param b Subtrahend.
    /// @param errorMessage Revert reason used when the subtraction would underflow.
    /// @return difference The result of `a - b`.
    function sub(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256 difference) {
        // The explicit check runs first, so the custom message is what callers see.
        require(b <= a, errorMessage);
        difference = a - b;
    }

}

/// @notice Callback interface for contracts that are notified of an approval.
/// @dev POLCToken.approveAndCall casts the spender to this interface, calls
///      receiveApproval on it and requires the call to return true.
interface ItokenRecipient { 
    /// @param _from Account that granted the approval.
    /// @param _value Approved amount.
    /// @param _token Address of the token contract making the call.
    /// @param _extraData Opaque bytes forwarded unchanged from the caller.
    /// @return Whether the recipient accepted the approval.
    function receiveApproval(address _from, uint256 _value, address _token, bytes calldata _extraData) external returns (bool); 
}

/// @notice ERC20-style token interface implemented by StandardToken.
interface IERC20Token {
    /// @return supply Total number of token units in existence.
    function totalSupply() external view returns (uint256 supply);
    /// @notice Move `_value` units from the caller to `_to`.
    function transfer(address _to, uint256 _value) external  returns (bool success);
    /// @notice Move `_value` units from `_from` to `_to` on behalf of `_from`.
    function transferFrom(address _from, address _to, uint256 _value) external returns (bool success);
    /// @return balance Units held by `_owner`.
    function balanceOf(address _owner) external view returns (uint256 balance);
    /// @notice Set the amount `_spender` may move on behalf of the caller.
    function approve(address _spender, uint256 _value) external returns (bool success);
    /// @return remaining Amount `_spender` is still approved to move for `_owner`.
    function allowance(address _owner, address _spender) external view returns (uint256 remaining);
}

/// @title Ownable
/// @notice Single-owner access control: the deployer becomes owner and can hand
///         ownership to another address.
contract Ownable {

    // Current owner; read through getOwner().
    address private owner;

    /// @notice Emitted whenever the owner changes, including at deployment.
    event OwnerSet(address indexed oldOwner, address indexed newOwner);

    /// @dev Restricts a function to the current owner.
    modifier onlyOwner() {
        require(msg.sender == owner, "Caller is not owner");
        _;
    }

    /// @dev The deploying account becomes the first owner.
    constructor() {
        address deployer = msg.sender;
        owner = deployer;
        emit OwnerSet(address(0), deployer);
    }

    /// @notice Transfer ownership to `newOwner` in a single step.
    /// @dev NOTE(review): `newOwner` is not validated. Passing address(0) or a
    ///      mistyped address leaves every onlyOwner function uncallable, because
    ///      there is no confirmation step by the new owner.
    /// @param newOwner Address that becomes the owner.
    function changeOwner(address newOwner) public onlyOwner {
        address previousOwner = owner;
        owner = newOwner;
        emit OwnerSet(previousOwner, newOwner);
    }

    /// @notice Returns the current owner address.
    function getOwner() external view returns (address) {
        return owner;
    }
}

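/// @title StandardToken
/// @notice Basic balance and allowance bookkeeping behind the IERC20Token interface.
contract StandardToken is IERC20Token {

    using SafeMath for uint256;

    // Token units held by each account.
    mapping (address => uint256) public balances;
    // allowed[owner][spender]: units `spender` may still move on behalf of `owner`.
    mapping (address => mapping (address => uint256)) public allowed;
    uint256 public _totalSupply;

    event Transfer(address indexed _from, address indexed _to, uint256 _value);
    event Approval(address indexed _owner, address indexed _spender, uint256 _value);

    /// @return supply Total number of token units in existence.
    function totalSupply() override public view returns (uint256 supply) {
        return _totalSupply;
    }

    /// @notice Move `_value` units from the caller to `_to`.
    /// @dev Reverts when `_to` is the zero address or the caller's balance is too low.
    ///      A `_value >= 0` check is omitted because it is always true for uint256.
    /// @param _to Recipient.
    /// @param _value Amount to move.
    /// @return success Always true when the call does not revert.
    function transfer(address _to, uint256 _value) override virtual public returns (bool success) {
        require(_to != address(0x0), "Use burn function instead");
        require(balances[msg.sender] >= _value, "Not enough balance");
        balances[msg.sender] = balances[msg.sender].sub(_value);
        balances[_to] = balances[_to].add(_value);
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    /// @notice Move `_value` units from `_from` to `_to` using the caller's allowance.
    /// @dev Reverts when `_to` is the zero address, when `_from` has too little
    ///      balance, or when the caller's allowance is below `_value`.
    /// @param _from Account whose tokens are moved.
    /// @param _to Recipient.
    /// @param _value Amount to move.
    /// @return success Always true when the call does not revert.
    function transferFrom(address _from, address _to, uint256 _value) override virtual public returns (bool success) {
        require(_to != address(0x0), "Use burn function instead");
        require(balances[_from] >= _value, "Not enough balance");
        require(allowed[_from][msg.sender] >= _value, "You need to increase allowance");
        // Consume the allowance. Checking it without reducing it would let an
        // approved spender repeat the call and move more than the approved amount,
        // up to the whole balance of `_from`.
        allowed[_from][msg.sender] = allowed[_from][msg.sender].sub(_value);
        balances[_from] = balances[_from].sub(_value);
        balances[_to] = balances[_to].add(_value);
        emit Transfer(_from, _to, _value);
        return true;
    }

    /// @return balance Units held by `_owner`.
    function balanceOf(address _owner) override public view returns (uint256 balance) {
        return balances[_owner];
    }

    /// @notice Set the caller's allowance for `_spender` to `_value`.
    /// @dev Overwrites any existing allowance rather than adjusting it.
    /// @param _spender Account allowed to move the caller's tokens.
    /// @param _value New allowance.
    /// @return success Always true.
    function approve(address _spender, uint256 _value) override public returns (bool success) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    /// @return remaining Amount `_spender` may still move on behalf of `_owner`.
    function allowance(address _owner, address _spender) override public view returns (uint256 remaining) {
        return allowed[_owner][_spender];
    }

}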

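/// @title POLCToken
/// @notice Polka City token: fixed initial distribution, time-locked team,
///         marketing and platform balances, an optional one-transfer-per-block
///         limit, and a built-in presale.
contract POLCToken is Ownable, StandardToken {

    using SafeMath for uint256;
    string public name = "Polka City";
    uint8 public decimals = 18;
    string public symbol = "POLC";

    // Time lock for progressive release of team, marketing and platform balances
    struct TimeLock {
        uint256 totalAmount;    // amount placed under lock (token units, 18 decimals)
        uint256 lockedBalance;  // amount still locked; only releaseTokens lowers it
        uint128 baseDate;       // timestamp from which release steps are counted
        uint64 step;            // length of one release step, in seconds
        uint64 tokensStep;      // whole tokens released per step (scaled by 1 ether in releaseTokens)
    }
    mapping (address => TimeLock) public timeLocks;

    // Prevent Bots - If true, limits transactions to 1 transfer per block (whitelisted can execute multiple transactions)
    bool public limitTransactions;
    mapping (address => bool) public contractsWhiteList;
    // Last block in which each caller passed checkTransferLimit.
    mapping (address => uint) public lastTXBlock;
    event Burn(address indexed from, uint256 value);

    // token sale

    // Wallet for the tokens to be sold, and receive ETH
    address payable public salesWallet;
    // Token units sold through buy() so far.
    uint256 public soldOnCSale;
    uint256 public constant CROWDSALE_START = 1613926800;   // 2021-02-21 17:00:00 UTC
    uint256 public constant CROWDSALE_END = 1614556740;     // 2021-02-28 23:59:00 UTC
    uint256 public constant CSALE_WEI_FACTOR = 15000;       // token units credited per wei paid
    uint256 public constant CSALE_HARDCAP = 7500000 ether;  // 7,500,000 tokens

    /// @dev Mints the full 250,000,000 supply to six fixed wallets and registers
    ///      the time locks. The six allocations add up to _totalSupply.
    constructor() {
        _totalSupply = 250000000 ether;

        // Base date to calculate team, marketing and platform tokens lock
        uint256 lockStartDate = 1613494800;

        // Team wallet - 10000000 tokens
        // 0 tokens free, 10000000 tokens locked - progressive release of 5% every 30 days (after 180 days of waiting period)
        address team = 0x4ef5B3d10fD217AC7ddE4DDee5bF319c5c356723;
        balances[team] = 10000000 ether;
        timeLocks[team] = TimeLock(10000000 ether, 10000000 ether, uint128(lockStartDate + (180 days)), 30 days, 500000);
        emit Transfer(address(0x0), team, balances[team]);

        // Marketing wallet - 5000000 tokens
        // 1000000 tokens free, 4000000 tokens locked - progressive release of 5% every 30 days
        address marketingWallet = 0x056F878d4Ac07E66C9a46a8db4918E827c6fD71c;
        balances[marketingWallet] = 5000000 ether;
        timeLocks[marketingWallet] = TimeLock(4000000 ether, 4000000 ether, uint128(lockStartDate), 30 days, 200000);
        emit Transfer(address(0x0), marketingWallet, balances[marketingWallet]);

        // Private sale wallet - 2500000 tokens
        address privateWallet = 0xED854fCF86efD8473F174d6dE60c8A5EBDdCc37A;
        balances[privateWallet] = 2500000 ether;
        emit Transfer(address(0x0), privateWallet, balances[privateWallet]);

        // Sales wallet, holds Pre-Sale balance - 7500000 tokens
        salesWallet = payable(0x4bb74E94c1EB133a6868C53aA4f6BD437F99c347);
        balances[salesWallet] = 7500000 ether;
        emit Transfer(address(0x0), salesWallet, balances[salesWallet]);

        // Exchanges - 25000000 tokens
        address exchanges = 0xE50d4358425a93702988eCd8B66c2EAD8b41CE5d;
        balances[exchanges] = 25000000 ether;
        emit Transfer(address(0x0), exchanges, balances[exchanges]);

        // Platform wallet - 200000000 tokens
        // 50000000 tokens free, 150000000 tokens locked - progressive release of 25000000 every 90 days
        address platformWallet = 0xAD334543437EF71642Ee59285bAf2F4DAcBA613F;
        balances[platformWallet] = 200000000 ether;
        timeLocks[platformWallet] = TimeLock(150000000 ether, 150000000 ether, uint128(lockStartDate), 90 days, 25000000);
        emit Transfer(address(0x0), platformWallet, balances[platformWallet]);
    }

    /// @notice Transfer that also enforces the per-block limit and the sender's time lock.
    /// @dev Only the unlocked part of the balance can be moved. If lockedBalance
    ///      exceeds the balance, the checked subtraction itself reverts.
    /// @param _to Recipient.
    /// @param _value Amount to move.
    function transfer(address _to, uint256 _value) override public returns (bool success) {
        require(checkTransferLimit(), "Transfers are limited to 1 per block");
        require(_value <= (balances[msg.sender] - timeLocks[msg.sender].lockedBalance));
        return super.transfer(_to, _value);
    }

    /// @notice transferFrom that also enforces the per-block limit and the time lock of `_from`.
    /// @dev The per-block limit and the whitelist are evaluated for msg.sender,
    ///      i.e. the spender, not for `_from`.
    /// @param _from Account whose tokens are moved.
    /// @param _to Recipient.
    /// @param _value Amount to move.
    function transferFrom(address _from, address _to, uint256 _value) override public returns (bool success) {
        require(checkTransferLimit(), "Transfers are limited to 1 per block");
        require(_value <= (balances[_from] - timeLocks[_from].lockedBalance));
        return super.transferFrom(_from, _to, _value);
    }

    /// @notice Destroy `_value` units of the caller's balance and reduce the total supply.
    /// @dev A `_value >= 0` check is omitted because it is always true for uint256.
    ///      NOTE(review): the time lock is not consulted here, so a locked account
    ///      can burn below its lockedBalance; its later transfers then revert in
    ///      the balance-minus-locked subtraction until enough tokens are released.
    /// @param _value Amount to burn.
    /// @return success Always true when the call does not revert.
    function burn(uint256 _value) public returns (bool success) {
        require(balances[msg.sender] >= _value, "Not enough balance");
        balances[msg.sender] = balances[msg.sender].sub(_value);
        _totalSupply = _totalSupply.sub(_value);
        emit Burn(msg.sender, _value);
        return true;
    }

    /// @notice Approve `_spender` and notify it in the same transaction.
    /// @dev The allowance is written before the external call, and the whole
    ///      transaction reverts unless receiveApproval returns true.
    /// @param _spender Contract receiving the allowance and the callback.
    /// @param _value Allowance to set.
    /// @param _extraData Opaque bytes forwarded to the callback.
    function approveAndCall(address _spender, uint256 _value, bytes memory _extraData) public returns (bool success) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        ItokenRecipient recipient = ItokenRecipient(_spender);
        require(recipient.receiveApproval(msg.sender, _value, address(this), _extraData));
        return true;
    }

    /// @notice Recompute the locked balance of `_account` from elapsed time.
    /// @dev Callable by anyone for any account; the result depends only on the
    ///      stored lock and block.timestamp. Reverts via checked arithmetic when
    ///      called before baseDate, and via division by zero for an account with
    ///      no lock registered (step is 0). The first release needs strictly
    ///      more than one full step to have elapsed.
    /// @param _account Account whose lock is updated.
    function releaseTokens(address _account) public {
        uint256 timeDiff = block.timestamp - uint256(timeLocks[_account].baseDate);
        require(timeDiff > uint256(timeLocks[_account].step), "Unlock point not reached yet");
        uint256 steps = (timeDiff / uint256(timeLocks[_account].step));
        // tokensStep is stored in whole tokens; scale it to 18-decimal units.
        uint256 unlockableAmount = ((uint256(timeLocks[_account].tokensStep) * 1 ether) * steps);
        if (unlockableAmount >= timeLocks[_account].totalAmount) {
            timeLocks[_account].lockedBalance = 0;
        } else {
            timeLocks[_account].lockedBalance = timeLocks[_account].totalAmount - unlockableAmount;
        }
    }

    /// @dev Returns false when a non-whitelisted caller already passed this check
    ///      in the current block; otherwise records the block and returns true.
    ///      The check is keyed on msg.sender only.
    function checkTransferLimit() internal returns (bool txAllowed) {
        address _caller = msg.sender;
        if (!limitTransactions || contractsWhiteList[_caller]) {
            return true;
        }
        if (lastTXBlock[_caller] == block.number) {
            return false;
        }
        lastTXBlock[_caller] = block.number;
        return true;
    }

    /// @notice Turn the one-transfer-per-block limit on.
    function enableTXLimit() public onlyOwner {
        limitTransactions = true;
    }

    /// @notice Turn the one-transfer-per-block limit off.
    function disableTXLimit() public onlyOwner {
        limitTransactions = false;
    }

    /// @notice Exempt `_contractAddress` from the per-block limit.
    function includeWhiteList(address _contractAddress) public onlyOwner {
        contractsWhiteList[_contractAddress] = true;
    }

    /// @notice Remove the per-block-limit exemption of `_contractAddress`.
    function removeWhiteList(address _contractAddress) public onlyOwner {
        contractsWhiteList[_contractAddress] = false;
    }

    /// @return lockedBalance Amount currently recorded as locked for `_wallet`.
    function getLockedBalance(address _wallet) public view returns (uint256 lockedBalance) {
        return timeLocks[_wallet].lockedBalance;
    }

    /// @notice Buy tokens from the sales wallet during the presale window.
    /// @dev Accepts between 0.05 and 20 ETH per call, credits CSALE_WEI_FACTOR
    ///      token units per wei and forwards the ETH to salesWallet. The hard cap
    ///      is checked against the total including this purchase, so a purchase
    ///      that would cross CSALE_HARDCAP is rejected instead of passing because
    ///      the earlier total was still within the cap.
    ///      State is updated before the ETH is forwarded; `send` forwards only the
    ///      gas stipend and the purchase reverts if the forwarding fails.
    function buy() public payable {
        require((block.timestamp > CROWDSALE_START) && (block.timestamp < CROWDSALE_END), "Contract is not selling tokens");
        uint weiValue = msg.value;
        require(weiValue >= (5 * (10 ** 16)), "Minimum amount is 0.05 eth");
        require(weiValue <= (20 ether), "Maximum amount is 20 eth");
        uint amount = CSALE_WEI_FACTOR * weiValue;
        uint256 soldAfterPurchase = soldOnCSale + amount;
        require(soldAfterPurchase <= CSALE_HARDCAP, "That quantity is not available");
        soldOnCSale = soldAfterPurchase;
        // Reverts if the sales wallet no longer holds enough tokens.
        balances[salesWallet] = balances[salesWallet].sub(amount);
        balances[msg.sender] = balances[msg.sender].add(amount);
        require(salesWallet.send(weiValue));
        emit Transfer(salesWallet, msg.sender, amount);
    }

    /// @notice After the presale has ended, burn whatever the sales wallet still holds.
    /// @dev Owner-only. Burns the entire current balance of salesWallet.
    function burnUnsold() public onlyOwner {
        require(block.timestamp > CROWDSALE_END);
        uint currentBalance = balances[salesWallet];
        balances[salesWallet] = 0;
        _totalSupply = _totalSupply.sub(currentBalance);
        emit Burn(salesWallet, currentBalance);
    }
}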