PresaleChef - Audit Report


The Doge Whisperer is building a multi-pool presale contract in support of their upcoming $TSST token sale.

We audited the project team's contract at 0xe42c8c7de4f10c57a009497202d4cb43f184a7c3 on the Ethereum Mainnet.

We previously reviewed the project team's token contract here.

Overview of the Contract:
  • This contract facilitates a presale in which users can deposit ETH into one or many pools in exchange for presale tokens.
  • Each pool has a start time and end time, an allocated amount of presale tokens, and a tokens per ETH rate assigned by the project team.
  • In order for a user to claim their presale tokens, the pool must be in finalized status and the tokens per ETH rate must be set.
  • Upon initialization, the address deploying the contract is assigned as the Owner and the Operator.
  • The Owner role can be transferred to any address or renounced at any time, but the Operator role cannot be changed and will always remain as the deployer of the contract.
  • In the event that the Owner chooses to renounce ownership, the project team will still be 100% in control of the contract via the Operator role.
  • The Owner and the Operator can set the address of the presale token to any address at any time. The project team must exercise caution when choosing the presale token so as not to use an ERC777-compliant token, in order to avoid any reentrancy attacks that could be carried out via the claim() function.
  • We recommend the project team ensure this contract is excluded from the token contract's fees if the chosen presale token is a fee-on-transfer token.
  • The Owner and the Operator can create any pools at any time, specifying the start time, end time, and the amount of the presale token assigned to the pool.
  • The Owner and the Operator can set the start time, the end time, the amount of the presale token assigned to the pool, and the tokens per ETH rate at any time.
  • The Owner and the Operator can toggle the finalized status for any pool at any time.
  • The Owner and the Operator can withdraw any ETH or any tokens (including the presale tokens) from the contract at any time.
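
The ERC777 caution above, as an added example that is not part of the audit or the audited contract: a Python model of a claim() function paying out through a token that calls a recipient hook during transfer. The class names, the pool figures and the two orderings compared are assumptions made for illustration, since the contract's source is not reproduced on this page.

```python
# Python model of the claim() ordering; not the audited contract's source.
# All names and numbers below are constructed for illustration.

class HookToken:
    """ERC777-style token model: transfer() invokes a recipient hook."""
    def __init__(self):
        self.balances = {}
        self.hooks = {}  # recipient -> callable run during transfer

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if to in self.hooks:
            self.hooks[to]()  # control passes to the recipient mid-transfer

class Presale:
    def __init__(self, token, rate, effects_first):
        self.token, self.rate, self.effects_first = token, rate, effects_first
        self.contributed = {}  # user -> ETH deposited

    def claim(self, user):
        owed = self.contributed.get(user, 0) * self.rate
        if owed == 0:
            raise RuntimeError("nothing to claim")
        if self.effects_first:
            self.contributed[user] = 0  # clear entitlement before the call
            self.token.transfer("presale", user, owed)
        else:
            self.token.transfer("presale", user, owed)
            self.contributed[user] = 0  # too late: the hook already ran

def run(effects_first):
    token = HookToken()
    token.balances["presale"] = 3000  # pool funded for 3 users x 1 ETH
    sale = Presale(token, rate=1000, effects_first=effects_first)
    sale.contributed = {"alice": 1, "bob": 1, "carol": 1}
    calls = []
    def hook():  # carol's receive hook tries to claim again, twice at most
        if len(calls) < 2:
            calls.append(1)
            try:
                sale.claim("carol")
            except RuntimeError:
                pass
    token.hooks["carol"] = hook
    sale.claim("carol")
    return token.balances["carol"], token.balances["presale"]
```

With the entitlement cleared after the transfer, one depositor drains the pool that was funded for three; with it cleared first, the re-entrant call finds nothing to claim. A plain ERC20 token has no such hook, which is why the choice of presale token matters here.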

  • Several functions could have been declared external for some gas savings. However, as this contract is already deployed, this is merely informational.
  • As the contract properly utilizes the SafeMath library, it is protected against any overflow/underflow attacks.
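
The fee-on-transfer recommendation in the overview, as an added example that is not part of the audit or the audited contract: a Python model of what happens to a pool's accounting when the presale token takes a fee on each transfer. The 5% fee, the exclusion list and every name and amount are assumptions; the actual token's fee mechanics are not described on this page.

```python
# Python model with constructed numbers; not the audited contract's source.
# FeeToken and simulate() are hypothetical names.

class FeeToken:
    """Fee-on-transfer token model: a cut is taken on each transfer unless
    the sender or the recipient is on the fee-exclusion list."""
    def __init__(self, fee_bps, excluded=()):
        self.fee_bps = fee_bps
        self.excluded = set(excluded)
        self.balances = {}

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            return False  # models a failed (reverted) transfer
        exempt = sender in self.excluded or to in self.excluded
        fee = 0 if exempt else amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount - fee
        return True

def simulate(excluded):
    token = FeeToken(fee_bps=500, excluded=excluded)  # assumed 5% fee
    token.balances["team"] = 3000
    token.transfer("team", "presale", 3000)  # team funds the pool allocation
    rate = 1000                              # tokens per ETH
    contributed = {"alice": 1, "bob": 1, "carol": 1}
    failed = []
    for user, eth in contributed.items():    # each user claims in turn
        if not token.transfer("presale", user, eth * rate):
            failed.append(user)
    received = {u: token.balances.get(u, 0) for u in contributed}
    return received, failed
```

Without the exclusion the pool arrives underfunded, each claimant receives less than the stated rate, and the last claim fails outright; with the presale contract excluded, every claim pays in full.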

Audit Findings Summary
  • No security threats from outside attackers were identified.
  • Ensure trust in the team as they have substantial control in the ecosystem.
  • Date: December 5rd, 2021

External Threat Results

| Vulnerability Category | Notes | Result |
| --- | --- | --- |
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Centralization of Control | The project team can prevent users from claiming any presale tokens through various means. | |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |

Smart Contract Graph

Multi-file Token

($) = payable function
 # = non-constant function

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod
    - [Int] min
    - [Int] sqrt

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] decimals
    - [Ext] symbol
    - [Ext] name
    - [Ext] getOwner
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Prv] _functionCallWithValue #

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 +  Context 
    - [Int]  #
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 +  PresaleChef (Ownable)
    - [Pub]  #
    - [Ext]  ($)
    - [Pub] setTSST #
       - modifiers: onlyOwner
    - [Pub] deposit ($)
    - [Pub] add #
       - modifiers: onlyOwner
    - [Pub] set #
       - modifiers: onlyOwner
    - [Ext] recoverERC20 #
       - modifiers: onlyOwner
    - [Pub] claim #
    - [Ext] withdrawAllContributions #
       - modifiers: onlyOwner
    - [Ext] withdrawContributionsFromPool #
       - modifiers: onlyOwner
    - [Pub] getLeftPoolTime
    - [Pub] isOpen
    - [Pub] hasEnded

© SourceHat Labs Inc. | All rights reserved.