Safuu

Smart Contract Audit Report

Audit Summary

Safuu is a new BEP20 token with an elastic supply and automatic LP adds.

For this audit, we reviewed the Safuu contract at commit abfeaa57281a013440db836c6e85516b1c691049 on the team's GitHub repository.

Audit Findings

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: February 19th, 2022.
Updated: February 20th, 2022 to reflect changes from commit ac2f85b7792c24a1fb61ccbc17d7b65d2119b284 to commit abfeaa57281a013440db836c6e85516b1c691049.

Finding #1 - Medium (Resolved)

Description: In the rebase() function, the second 'if' condition will always be true after one year. As a result of this, the last two conditions will never be reached.
if (deltaTimeFromInit < (365 days)) {
	rebaseRate = 2355;
} else if (deltaTimeFromInit >= (365 days)) {
	rebaseRate = 211;
} else if (deltaTimeFromInit >= ((15 * 365 days) / 10)) {
	rebaseRate = 14;
} else if (deltaTimeFromInit >= (7 * 365 days)) {
	rebaseRate = 2;
}


Risk/Impact: The rebase rate will permanently remain the same after its first change.
Recommendation: The ordering of these 'if' conditions should be either reversed or reconstructed so that the intended rebase rates are set.
Resolution: The team has properly restructured these conditions.
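
The reachability problem in Finding #1 can be reproduced with a small Python model. This is an added example, not code from the audit report or the Safuu repository; `rate_reordered` is one possible restructuring (largest threshold first), assumed here for illustration, and the probe timestamps are constructed.

```python
DAY = 24 * 60 * 60
YEAR = 365 * DAY  # same value as Solidity's `365 days`


def rate_as_audited(delta: int) -> int:
    """Branch order exactly as quoted in Finding #1."""
    if delta < YEAR:
        return 2355
    elif delta >= YEAR:  # exhaustive together with the first branch
        return 211
    elif delta >= (15 * YEAR) // 10:  # never evaluated
        return 14
    elif delta >= 7 * YEAR:  # never evaluated
        return 2


def rate_reordered(delta: int) -> int:
    """Hypothetical fix: test the largest threshold first."""
    if delta >= 7 * YEAR:
        return 2
    if delta >= (15 * YEAR) // 10:
        return 14
    if delta >= YEAR:
        return 211
    return 2355


def reachable_rates(rate_fn) -> list:
    """Rates a function can return, probed on both sides of each threshold."""
    thresholds = [YEAR, (15 * YEAR) // 10, 7 * YEAR]
    probes = [0] + [t + d for t in thresholds for d in (-1, 0, 1)]
    return sorted({rate_fn(p) for p in probes}, reverse=True)


if __name__ == "__main__":
    print("as audited:", reachable_rates(rate_as_audited))
    print("reordered: ", reachable_rates(rate_reordered))
```

Probing one second either side of each threshold is a cheap unit test for any tiered schedule of this kind, since it fails as soon as a tier becomes unreachable.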

Finding #2 - Low

Description: Division before multiplication occurs when calculating fee amounts in the below lines of the takeFee() function. Division before multiplication can result in truncation and less accurate results.
_gonBalances[firePit] = _gonBalances[firePit].add(
	gonAmount.div(feeDenominator).mul(firePitFee)
);
_gonBalances[address(this)] = _gonBalances[address(this)].add(
	gonAmount.div(feeDenominator).mul(_treasuryFee.add(safuuInsuranceFundFee))
);
_gonBalances[autoLiquidityReceiver] = _gonBalances[autoLiquidityReceiver].add(
	gonAmount.div(feeDenominator).mul(liquidityFee)
);
Risk/Impact: Fees may not be accurately calculated when transferring smaller amounts of tokens.
Recommendation: Multiplication should instead occur before division on these lines.
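
The truncation described in Finding #2 can be quantified with a Python model of unsigned integer arithmetic. This is an added example, not code from the audit report or the Safuu repository. The `feeDenominator` value of 1000 and the fee numerators 25 and 40 are assumptions chosen to match the 2.5% and 4% fees in the Contract Overview, and `safe_mul` is a hypothetical stand-in for SafeMath's checked multiplication.

```python
UINT256_MAX = 2**256 - 1
FEE_DENOMINATOR = 1000  # assumption: value not stated in the report
FIRE_PIT_FEE = 25       # assumption: 2.5% expressed over 1000
LIQUIDITY_FEE = 40      # assumption: 4% expressed over 1000


def safe_mul(a: int, b: int) -> int:
    """Model of SafeMath.mul: revert (raise) instead of wrapping past uint256."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("SafeMath: multiplication overflow")
    return product


def fee_div_first(amount: int, fee: int, denom: int = FEE_DENOMINATOR) -> int:
    """Order used in the quoted takeFee() lines: amount.div(denom).mul(fee)."""
    return safe_mul(amount // denom, fee)


def fee_mul_first(amount: int, fee: int, denom: int = FEE_DENOMINATOR) -> int:
    """Recommended order: amount.mul(fee).div(denom)."""
    return safe_mul(amount, fee) // denom


def shortfall(amount: int, fee: int, denom: int = FEE_DENOMINATOR) -> int:
    """Units of fee lost to the early truncation for one transfer."""
    return fee_mul_first(amount, fee, denom) - fee_div_first(amount, fee, denom)


def worst_case_shortfall(fee: int, denom: int = FEE_DENOMINATOR) -> int:
    """Largest loss over every possible remainder of amount % denom."""
    return max(shortfall(r, fee, denom) for r in range(denom))


if __name__ == "__main__":
    for amount in (999, 1_000_999, 1_000_000):  # constructed sample amounts
        print(amount, shortfall(amount, FIRE_PIT_FEE))
```

The loss depends only on `amount % denom`, so it is bounded in absolute terms and matters most when the amount is small relative to the denominator. Multiplying first also needs `amount * fee` to fit in uint256, otherwise a checked multiplication reverts.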

Finding #3 - Informational

Description: The following variables are not declared constant, but are never updated:
DEAD, ZERO, _decimals, _name, _symbol, feeDenominator, firePitFee, liquidityFee, safuuInsuranceFundFee, sellFee, swapEnabled, treasuryFee
Recommendation: These variables can be declared constant for additional gas savings.

Finding #4 - Informational

Description: The following functions are declared public, but are never called internally:
setPairAddress, getLiquidityBacking
Recommendation: These functions can be declared external for additional gas savings on each call.

Contract Overview

  • The maximum allowed supply of $SAFUU is 3.25 billion tokens (3,250,000,000).
  • Users may not burn their tokens, though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.
  • Addresses on the fee exempt list are exempt from fees. The Treasury address and this contract are set as fee exempt upon deployment.
  • When the sender or recipient is not fee exempt, there is a 2.5% "Firepit" fee, 2.5% Treasury fee, 4% Liquidity fee, and 5% Safuu Insurance fee on buys.
  • When the sender or recipient is not fee exempt, a "Treasury Sell" fee is added on sells in addition to the base fees.
  • Blacklisted contracts are not permitted to transfer their tokens.
  • A "swapback" is performed on all token transfers (excluding transfers from the PancakeSwap Pair).
  • A swapback will swap this contract's $SAFUU accrued from Treasury and Safuu Insurance Fund fees for BNB and send it to the treasury receiver and Safuu insurance fund receiver addresses.
  • A rebase will automatically occur on a token transfer if the following conditions are met:
    • The "auto rebase" flag is enabled.
    • The token has not reached its maximum supply.
    • At least 15 minutes have passed since the last rebase.
  • During a rebase, tokens are automatically added to the total supply. The newly added tokens are distributed proportionally amongst holders in a frictionless manner.
  • The amount of tokens added to total supply is dependent on the total supply at the time of rebasing and the time since deployment.
  • The rebase function properly calls sync() on the PancakeSwap Pair contract to prevent theft-of-liquidity attacks which have occurred with other rebase tokens.
  • A liquidity add will also occur on a token transfer if the "auto add liquidity" flag is enabled and it has been at least two days since the last liquidity add.
  • A liquidity-add is funded by selling half of the tokens collected as liquidity fees, pairing the received BNB with the token, and adding it as liquidity to the pair.
  • The LP tokens received are sent to a specified Auto Liquidity Receiver address. We recommend that the team lock these LP tokens.

  • The owner can toggle liquidity add and rebase functionality at any time.
  • The owner can add or remove any contract address from the Blacklist at any time. EOAs cannot be Blacklisted.
  • The owner can add or remove any address from fee exclusion at any time.
  • The owner can update the PancakeSwap Pair address, liquidity receiver address, treasury receiver address, Safuu insurance fund receiver address, and firepit address at any time.
  • The owner can swap all $SAFUU in this contract for BNB and withdraw it from the contract to the treasury address at any time.

  • SafeMath is utilized to prevent any potential overflows.

Audit Results

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Jump/Storage Write | N/A | PASS |
| Centralization of Control | The owner has the permissions mentioned above. LP tokens received from liquidity adds are stored in an arbitrary address. The owner can add any contract to a Blacklist at any time. The owner can toggle liquidity adds and rebases from occurring at any time. The owner can withdraw $SAFUU from this contract to the treasury address at any time. | WARNING |
| Compiler Issues | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Ether/Token Theft | N/A | PASS |
| Flash Loans | N/A | PASS |
| Front Running | N/A | PASS |
| Improper Events | N/A | PASS |
| Improper Authorization Scheme | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Oracle Issues | N/A | PASS |
| Outdated Compiler Version | N/A | PASS |
| Race Conditions | N/A | PASS |
| Reentrancy | N/A | PASS |
| Signature Issues | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unused Code | N/A | PASS |
| Overall Contract Safety | | PASS |

Functions Overview

    ($) = payable function
     # = non-constant function
     
      + [Lib] SafeMathInt 
        - [Int] mul
        - [Int] div
        - [Int] sub
        - [Int] add
        - [Int] abs
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] allowance
        - [Ext] transfer #
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Int] IPancakeSwapPair 
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Ext] DOMAIN_SEPARATOR
        - [Ext] PERMIT_TYPEHASH
        - [Ext] nonces
        - [Ext] permit #
        - [Ext] MINIMUM_LIQUIDITY
        - [Ext] factory
        - [Ext] token0
        - [Ext] token1
        - [Ext] getReserves
        - [Ext] price0CumulativeLast
        - [Ext] price1CumulativeLast
        - [Ext] kLast
        - [Ext] mint #
        - [Ext] burn #
        - [Ext] swap #
        - [Ext] skim #
        - [Ext] sync #
        - [Ext] initialize #
    
     + [Int] IPancakeSwapRouter 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] removeLiquidity #
        - [Ext] removeLiquidityETH #
        - [Ext] removeLiquidityWithPermit #
        - [Ext] removeLiquidityETHWithPermit #
        - [Ext] swapExactTokensForTokens #
        - [Ext] swapTokensForExactTokens #
        - [Ext] swapExactETHForTokens ($)
        - [Ext] swapTokensForExactETH #
        - [Ext] swapExactTokensForETH #
        - [Ext] swapETHForExactTokens ($)
        - [Ext] quote
        - [Ext] getAmountOut
        - [Ext] getAmountIn
        - [Ext] getAmountsOut
        - [Ext] getAmountsIn
        - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
        - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     + [Int] IPancakeSwapFactory 
        - [Ext] feeTo
        - [Ext] feeToSetter
        - [Ext] getPair
        - [Ext] allPairs
        - [Ext] allPairsLength
        - [Ext] createPair #
        - [Ext] setFeeTo #
        - [Ext] setFeeToSetter #
    
     +  Ownable 
        - [Pub]  #
        - [Pub] owner
        - [Pub] isOwner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     +  ERC20Detailed (IERC20)
        - [Pub]  #
        - [Pub] name
        - [Pub] symbol
        - [Pub] decimals
    
     +  Safuu (ERC20Detailed, Ownable)
        - [Pub]  #
           - modifiers: ERC20Detailed,Ownable
        - [Int] rebase #
        - [Ext] transfer #
           - modifiers: validRecipient
        - [Ext] transferFrom #
           - modifiers: validRecipient
        - [Int] _basicTransfer #
        - [Int] _transferFrom #
        - [Int] takeFee #
        - [Int] addLiquidity #
           - modifiers: swapping
        - [Int] swapBack #
           - modifiers: swapping
        - [Ext] withdrawAllToTreasury #
           - modifiers: swapping,onlyOwner
        - [Int] shouldTakeFee
        - [Int] shouldRebase
        - [Int] shouldAddLiquidity
        - [Int] shouldSwapBack
        - [Ext] setAutoRebase #
           - modifiers: onlyOwner
        - [Ext] setAutoAddLiquidity #
           - modifiers: onlyOwner
        - [Ext] allowance
        - [Ext] decreaseAllowance #
        - [Ext] increaseAllowance #
        - [Ext] approve #
        - [Ext] checkFeeExempt
        - [Pub] getCirculatingSupply
        - [Ext] isNotInSwap
        - [Ext] manualSync #
        - [Ext] setFeeReceivers #
           - modifiers: onlyOwner
        - [Pub] getLiquidityBacking
        - [Ext] setWhitelist #
           - modifiers: onlyOwner
        - [Ext] setBotBlacklist #
           - modifiers: onlyOwner
        - [Pub] setPairAddress #
           - modifiers: onlyOwner
        - [Ext] setLP #
           - modifiers: onlyOwner
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Int] isContract
        - [Ext]  ($)