PandaDAO - Smart Contract Audit Report

Summary

PandaDAO is a new organization focused on charity and giving.

We reviewed PandaDAO's token and interest contracts at commit b15acafc1b72732de30a6e18c93b719bdb16fd03 and again at commit 5343d6f5592cceeeff283927e3168f045e03015b.

Notes on the Pando Dao Finance Token:
  • The total supply of the token is 100 million.
  • When deployed, the team will receive the entirety of the supply.
  • No mint functions are present.
  • The contract implements a 2% fee on all transfers of the token, once enabled.
  • 0.5% of each transaction will be sent to the Charity Pool contract.
  • 0.5% of each transaction will be burned, reducing the circulating supply.
  • The final 1% of the fee charged on transactions is stored in the contract and, once a threshold value is met, used to fund PancakeSwap liquidity.
  • Liquidity-adds are funded by selling half of the tokens collected as fees, pairing the received BNB with the token, and adding it as liquidity to the BNB pair.
  • The LPLock contract will receive the LP tokens from this process.
  • The team has the ability to enable and disable all fees at any time, though the fee amounts cannot be changed.
  • The team can also exclude any address from the fee mechanism and update the addresses of the Charity Pool & LPLock contracts.
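
The fee routing described in the notes above, as an added Python model (not the PandaDAO contract code). The address labels, the threshold value, the choice to liquify the contract's whole fee balance, and the rule that an exclusion on either side of a transfer waives the fee are assumptions of this sketch; the swap itself is not modeled.

```python
# Added model of the fee flow in the notes above; not the PandaDAO contract code.
BPS = 10_000
CHARITY_BPS, BURN_BPS, LIQUIDITY_BPS = 50, 50, 100   # 0.5% + 0.5% + 1% = 2%


class FeeTokenModel:
    def __init__(self, supply, team, threshold):
        self.balances = {team: supply}   # the team receives the whole supply
        self.burned = 0
        self.threshold = threshold       # assumed value; not given in the report
        self.fees_enabled = False        # fees apply only once the owner enables them
        self.excluded = set()            # addresses the owner exempted from fees
        self.liquify_events = []         # (tokens_sold_for_bnb, tokens_paired)

    def _credit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        # Assumption: an exclusion on either side waives the whole fee.
        charge = self.fees_enabled and not ({sender, recipient} & self.excluded)
        charity = amount * CHARITY_BPS // BPS if charge else 0
        burn = amount * BURN_BPS // BPS if charge else 0
        liquidity = amount * LIQUIDITY_BPS // BPS if charge else 0
        self._credit("charity_pool", charity)
        self._credit("token_contract", liquidity)
        self.burned += burn              # burned tokens leave circulation
        self._credit(recipient, amount - charity - burn - liquidity)
        self._maybe_liquify()

    def _maybe_liquify(self):
        held = self.balances.get("token_contract", 0)
        if held >= self.threshold:
            sold = held // 2             # half is sold for BNB
            paired = held - sold         # the other half is paired with that BNB
            self.balances["token_contract"] = 0
            self._credit("pancake_pair", held)   # both halves end up in the pair
            self.liquify_events.append((sold, paired))

    def circulating(self):
        return sum(self.balances.values())
```
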

Notes on the Pando Dao Charity Pool:
  • The contract receives tokens from the charity fee charged on transfers of the token.
  • All functions on the contract can only be called by the owner of the contract.
  • The owner will be able to withdraw a percentage of the tokens in the contract each week.
  • The owner of the contract can set the percentage for weekly withdrawals to any value, essentially allowing the owner to claim all the tokens at any time.
  • The owner of the contract can also withdraw other tokens or BNB erroneously sent to the contract.
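
The effect of the uncapped percentage setter, as an added Python model (not the PandaDAO contract code). The class, the `pct_cap` hardening option and the starting figures are hypothetical; the report does not give the contract's function signatures.

```python
# Added model of the Charity Pool withdrawal rule; not the PandaDAO contract code.
WEEK = 7 * 24 * 3600


class CharityPoolModel:
    def __init__(self, balance, max_pct, pct_cap=None):
        self.balance = balance
        self.max_pct = max_pct       # percentage of the balance withdrawable per week
        self.pct_cap = pct_cap       # None models the uncapped setter in the report;
                                     # a number is a hypothetical hardening
        self.last_withdraw = None

    def set_max_percentage(self, pct):
        limit = 100 if self.pct_cap is None else self.pct_cap
        if not 0 <= pct <= limit:
            raise ValueError("percentage above cap")
        self.max_pct = pct

    def withdraw(self, now):
        # One withdrawal per week, sized as a percentage of the current balance.
        if self.last_withdraw is not None and now - self.last_withdraw < WEEK:
            raise RuntimeError("weekly delay not elapsed")
        amount = self.balance * self.max_pct // 100
        self.balance -= amount
        self.last_withdraw = now
        return amount


def owner_take(pool, weeks, want_pct):
    """Total the owner can withdraw over `weeks` weekly withdrawals, raising the
    percentage to `want_pct` first when the setter allows it."""
    try:
        pool.set_max_percentage(want_pct)
    except ValueError:
        pass                         # cap held; the existing percentage stays
    return sum(pool.withdraw(week * WEEK) for week in range(weeks))
```

With no cap, a single withdrawal empties the pool; with the percentage capped at 10, four weekly withdrawals take 343,900 of 1,000,000 tokens.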

Notes on the LP Locker:
  • The contract receives LP tokens from the swapAndLiquify logic in the token.
  • LP tokens will be locked for 1 year from the contract's deployment.
  • The owner can add another year to the lock expiration at any time.
  • After the lock period has expired, the owner can withdraw all of the LP tokens in the contract.


Audit Findings Summary
  • No external threats were identified.
  • As with any presale, ensure trust in the team prior to investing.
  • Further, ensure trust in the team, as they have notable control in the ecosystem and control the charity pool and LP locker contracts.
  • Date: May 25th, 2021

    Audit Results

    Vulnerability Category                 Notes   Result
    Arbitrary Storage Write                N/A     PASS
    Arbitrary Jump                         N/A     PASS
    Delegate Call to Untrusted Contract    N/A     PASS
    Dependence on Predictable Variables    N/A     PASS
    Deprecated Opcodes                     N/A     PASS
    Ether Thief                            N/A     PASS
    Exceptions                             N/A     PASS
    External Calls                         N/A     PASS
    Flash Loans                            N/A     PASS
    Integer Over/Underflow                 N/A     PASS
    Multiple Sends                         N/A     PASS
    Oracles                                N/A     PASS
    Suicide                                N/A     PASS
    State Change External Calls            N/A     PASS
    Unchecked Retval                       N/A     PASS
    User Supplied Assertion                N/A     PASS
    Critical Solidity Compiler             N/A     PASS
    Overall Contract Safety                        PASS

    Details: PandaDAOCharityPool



    [Figure: Function Graph (ERC20 Token Graph)]
    [Figure: Inheritance Chart (Multi-file Token)]


    Functions Overview

    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
     
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Prv] _functionCallWithValue #
    
     +  Ownable (Context)
        - [Int]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Pub] geUnlockTime
        - [Pub] lock #
           - modifiers: onlyOwner
        - [Pub] unlock #
    
     +  PandaDAOCharityPool (Context, Ownable)
        - [Pub]  #
        - [Ext]  ($)
        - [Pub] totalCharityAmount
        - [Pub] getLastWithdrawTime
        - [Pub] getWithdrawTimeDelay
        - [Ext] checkOtherTokenBalance
        - [Ext] withdrawOtherToken #
           - modifiers: onlyOwner
        - [Ext] withdrawBNB #
           - modifiers: onlyOwner
        - [Ext] setMaxPercentageOfWithdraw #
           - modifiers: onlyOwner
        - [Ext] withdrawPDD #
           - modifiers: onlyOwner


    Details: PandaDAOFinanceToken



    [Figure: Function Graph (ERC20 Token Graph)]
    [Figure: Inheritance Chart (Multi-file Token)]


    Functions Overview

    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
     
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Prv] _functionCallWithValue #
    
     +  Ownable (Context)
        - [Int]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Pub] geUnlockTime
        - [Pub] lock #
           - modifiers: onlyOwner
        - [Pub] unlock #
    
     + [Int] IPancakeFactory 
        - [Ext] feeTo
        - [Ext] feeToSetter
        - [Ext] getPair
        - [Ext] allPairs
        - [Ext] allPairsLength
        - [Ext] createPair #
        - [Ext] setFeeTo #
        - [Ext] setFeeToSetter #
        - [Ext] INIT_CODE_PAIR_HASH
    
     + [Int] IPancakePair 
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Ext] DOMAIN_SEPARATOR
        - [Ext] PERMIT_TYPEHASH
        - [Ext] nonces
        - [Ext] permit #
        - [Ext] MINIMUM_LIQUIDITY
        - [Ext] factory
        - [Ext] token0
        - [Ext] token1
        - [Ext] getReserves
        - [Ext] price0CumulativeLast
        - [Ext] price1CumulativeLast
        - [Ext] kLast
        - [Ext] mint #
        - [Ext] burn #
        - [Ext] swap #
        - [Ext] skim #
        - [Ext] sync #
        - [Ext] initialize #
    
     + [Int] IPancakeRouter01 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] removeLiquidity #
        - [Ext] removeLiquidityETH #
        - [Ext] removeLiquidityWithPermit #
        - [Ext] removeLiquidityETHWithPermit #
        - [Ext] swapExactTokensForTokens #
        - [Ext] swapTokensForExactTokens #
        - [Ext] swapExactETHForTokens ($)
        - [Ext] swapTokensForExactETH #
        - [Ext] swapExactTokensForETH #
        - [Ext] swapETHForExactTokens ($)
        - [Ext] quote
        - [Ext] getAmountOut
        - [Ext] getAmountIn
        - [Ext] getAmountsOut
        - [Ext] getAmountsIn
    
     + [Int] IPancakeRouter02 (IPancakeRouter01)
        - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
        - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     +  PandaDAOFinanceToken (Context, IERC20, Ownable)
        - [Pub]  #
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
        - [Ext] totalSupply
        - [Pub] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
        - [Ext] increaseAllowance #
        - [Ext] decreaseAllowance #
        - [Ext] totalFees
        - [Ext]  ($)
        - [Prv] _getRValues
        - [Prv] _takeLiquidity #
        - [Prv] calculateLiquidityFee
        - [Prv] removeAllFee #
        - [Prv] restoreAllFee #
        - [Ext] isExcludedFromFee
        - [Prv] _approve #
        - [Prv] _transfer #
        - [Prv] swapAndLiquify #
           - modifiers: lockTheSwap
        - [Prv] swapTokensForEth #
        - [Prv] addLiquidity #
        - [Prv] _tokenTransfer #
        - [Prv] _transferStandard #
        - [Ext] excludeFromFee #
           - modifiers: onlyOwner
        - [Ext] includeInFee #
           - modifiers: onlyOwner
        - [Ext] setCharityPoolAddress #
           - modifiers: onlyOwner
        - [Ext] setLPLockedPoolAddress #
           - modifiers: onlyOwner
        - [Ext] enableAllFees #
           - modifiers: onlyOwner
        - [Ext] disableAllFees #
           - modifiers: onlyOwner
        - [Ext] setSwapAndLiquifyEnabled #
           - modifiers: onlyOwner


    Details: PandaDAOLPLockedPool



    [Figure: Function Graph (ERC20 Token Graph)]
    [Figure: Inheritance Chart (Multi-file Token)]


    Functions Overview

    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
     
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Prv] _functionCallWithValue #
    
     +  Ownable (Context)
        - [Int]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Pub] geUnlockTime
        - [Pub] lock #
           - modifiers: onlyOwner
        - [Pub] unlock #
    
     +  PandaDAOLPLockedPool (Context, Ownable)
        - [Pub]  #
        - [Ext] setLPTokenAddress #
           - modifiers: onlyOwner
        - [Ext] getTotalLockedLP
        - [Ext] currentBlockTime
        - [Ext] addOneYearLockedBlock #
           - modifiers: onlyOwner
        - [Ext] withdrawAllLP #
           - modifiers: onlyOwner