PresaleChef - Audit Report
Summary
The Doge Whisperer is a building a multi-pool presale contract in support of their upcoming $TSST token sale.We audited the project team's contract at 0xe42c8c7de4f10c57a009497202d4cb43f184a7c3 on the Ethereum Mainnet.We previously reviewed the project team's token contract here.
Overview of the Contract:Audit Findings Summary
- This contract facilitates a presale in which users can deposit ETH into one or many pools in exchange for presale tokens.
- Each pool has a start time and end time, an allocated amount of presale tokens, and a tokens per ETH rate assigned by the project team.
- In order for a user to claim their presale tokens, the pool must be in finalized status and the tokens per ETH rate must be set.
- Upon initialization, the address deploying the contract is assigned as the Owner and the Operator.
- The Owner role can be transferred to any address or renounced at any time, but the Operator role cannot be changed will always remain as the deployer of the contract.
- In the event that the Owner chooses to renounce ownership, the project team will still be 100% in control of the contract via the Operator role.
- The Owner and the Operator can set the address of the presale token to any address at any time. The project team must exercise caution when choosing the presale token as to not use an ERC777-compliant token in order to avoid any reentrancy attacks that could be carried out via the claim() function.
- We recommend the project team ensure this contract is excluded from the token contract's fees if the chosen presale token in a fee-on-transfer token.
- The Owner and the Operator can create any pools at any time, specifying the start time, end time, and the amount of the presale token assigned to the pool.
- The Owner and the Operator can set the start time, the end time, the amount of the presale token assigned to the pool, and the tokens per ETH rate at any time.
- The Owner and the Operator can toggle the finalized status for any pool at any time.
- The Owner and the Operator can withdraw any ETH or any tokens (including the presale tokens) from the contract at any time.
- Several functions could have been declared external for some gas savings. However as this contract is already deployed, this is merely informational.
- As the contract properly utilizes the SafeMath library, it is protected against any overflow/underflow attacks.
- No security threats from outside attackers were identified.
- Ensure trust in the team as they have substantial control in the ecosystem.
- Date: December 5rd, 2021
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Centralization of Control | The project team can prevent users from claiming any presale tokens through various means. | WARNING |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
($) = payable function
# = non-constant function
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
- [Int] min
- [Int] sqrt
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Prv] _functionCallWithValue #
+ [Lib] SafeERC20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ Context
- [Int] #
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ PresaleChef (Ownable)
- [Pub] #
- [Ext] ($)
- [Pub] setTSST #
- modifiers: onlyOwner
- [Pub] deposit ($)
- [Pub] add #
- modifiers: onlyOwner
- [Pub] set #
- modifiers: onlyOwner
- [Ext] recoverERC20 #
- modifiers: onlyOwner
- [Pub] claim #
- [Ext] withdrawAllContributions #
- modifiers: onlyOwner
- [Ext] withdrawContributionsFromPool #
- modifiers: onlyOwner
- [Pub] getLeftPoolTime
- [Pub] isOpen
- [Pub] hasEnded