PYEToken

Smart Contract Audit Report

Audit Summary

PYEToken is a new token which tracks users' staked amounts.

For this audit, we reviewed the project team's PYEToken contract at 0x4d542De559D9696cbC15a3937Bf5c89fEdb5b9c7 on the Binance Smart Chain Mainnet.

Audit Findings

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: April 11th, 2022.
Updated: April 13th, 2022 to reflect changes from address 0xd8F05581b61eDA82cbDcE9986054790E345b3C8b to address 0x4d542De559D9696cbC15a3937Bf5c89fEdb5b9c7.

Finding #1 - PYEToken - High (Resolved)

Description: If a user transfers or receives tokens from a non-Staking Contract, their share balance will be updated to their current balance, ignoring their staked balance.
Risk/Impact: A user's share balance is intended to be the sum of their token balance and their staked tokens; however, their share balance will be less than this if they send or receive tokens while having tokens staked. Users will have to fully unstake in order to fix their share balance.
Recommendation: The team should change the logic so that staked shares are tracked in a separate variable.
Resolution: The project team has implemented the above recommendation. A user's "Owned Balance" is now calculated as the sum of their separately tracked "staked" amount and their token balance.

Finding #2 - PYEToken - High (Resolved)

Description: If a user partially unstakes from one of the contract's Staking Contracts, their shares will be deducted by the amount remaining in the staking contract.
Risk/Impact: A user's share balance is intended to be the sum of their token balance and their staked tokens; however, their share balance will be less than this if they partially unstake. Users will have to fully unstake in order to fix their share balance.
Recommendation: The team should change the logic so that staked shares are tracked in a separate variable.
Resolution: The project team has implemented the above recommendation.

Contract Overview

  • The total supply of PYEToken is 10 billion.
  • At the time of writing this report, ~100% of tokens are held by a PYEDeployer contract.
  • Blacklisted users are not permitted to receive token transfers.
  • A user's "Owned Balance" is equal to the sum of their "staked" amount and their token balance.
  • When transferring to or from a contract marked as a Staking Contract, users staked balances are incremented or decremented accordingly, meaning their Owned Balance will not be affected.
  • As the PYEDeployer and Staking contracts were not included in the scope of this audit, we are unable to provide an assessment with regards to security or functionality.
  • The Admin can mark any address as a Staking Contract at any time.
  • The Admin can add or remove any address from the Blacklist at any time.
  • The Admin can withdraw any tokens or BNB from the contract at any time.

Audit Results

Vulnerability CategoryNotesResult
Arbitrary Jump/Storage WriteN/APASS
Centralization of Control
  • The owner has the permissions described above.
  • The owner can add any address to a Blacklist at any time.
  • The owner can set any address as a Staking Contract at any time.
    		• WARNING
    Compiler IssuesN/APASS
    Delegate Call to Untrusted ContractN/APASS
    Dependence on Predictable VariablesN/APASS
    Ether/Token TheftN/APASS
    Flash LoansN/APASS
    Front RunningN/APASS
    Improper EventsN/APASS
    Improper Authorization SchemeN/APASS
    Integer Over/UnderflowN/APASS
    Logical IssuesN/APASS
    Oracle IssuesN/APASS
    Outdated Compiler VersionN/APASS
    Race ConditionsN/APASS
    ReentrancyN/APASS
    Signature IssuesN/APASS
    Unbounded LoopsN/APASS
    Unused CodeN/APASS
    Overall Contract Safety PASS

    Inheritance Chart

    Smart Contract Audit - Inheritance

    Function Graph

    Smart Contract Audit - Graph

    Functions Overview

    
 ($) = payable function
 # = non-constant function
 
 + [Int] IPYE 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20 
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transfer #
    - [Ext] transferFrom #

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 + [Lib] SafeMath 
    - [Int] tryAdd
    - [Int] trySub
    - [Int] tryMul
    - [Int] tryDiv
    - [Int] tryMod
    - [Int] add
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] mod
    - [Int] sub
    - [Int] div
    - [Int] mod

 +  PYEToken (Context, IPYE, Ownable)
    - [Pub]  #
    - [Ext] getOwner
    - [Ext] decimals
    - [Ext] symbol
    - [Ext] name
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] getOwnedBalance
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #
    - [Ext] increaseAllowance #
    - [Ext] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _approve #
    - [Int] setStaked #
    - [Int] addHolder #
    - [Int] removeHolder #
    - [Ext] setIsStakingContract #
       - modifiers: onlyOwner
    - [Ext] blacklistAddress #
       - modifiers: onlyOwner
    - [Ext] removeFromBlacklist #
       - modifiers: onlyOwner
    - [Ext] rescueBNB #
       - modifiers: onlyOwner
    - [Ext] rescueToken #
       - modifiers: onlyOwner

    About SourceHat

    SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
    Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

    Contact us today to get a free quote for a smart contract audit of your project!

    What is a SourceHat Audit?

    Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

    How Do I Interpret the Findings?

    Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

    • High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
    • Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
    • Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
    • Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.