Stochastic Finance - Smart Contract Audit Report
Stochastic Finance is a new game-based token project on the Binance Smart Chain.
We audited Stochastic Finance's StochToken contract at 0x48D13A3aB8d8F440B5279Ec7E1e6B6B9CC28C232 and GuessContract at 0x1e634d7A3Eb8BDee8c4d78660dEE31b7dA26AD87 on the Binance Smart Chain testnet.
Notes on the Token Contract:
The initial supply of the token is 100,000 and the supply cap is 620,000. The initial supply is given to the team upon deployment. The team will be able to mint 100 tokens to the Guess contract each week, up to this supply cap. There is a 1.5% fee on transfers of the token, beginning 72 hours after deployment. Transfers to the Guess contract are exempt from transfer fees. The owner can set the Guess contract address at any time; the intended use of this is to upgrade the Guess contract to use Chainlink when available. Gas can be saved by marking some functions external instead of public and by marking some variables constant. Some duplicate logic is also present in emitEveryWeekTokens(). SafeMath is utilized to prevent overflows.
Notes on the GuessContract:
This contract is a game in which users can place a wager in Stoch tokens and, if their number is selected, they will win the pool of 1000 tokens per weekly round. Only 100 tokens are provided to the Guess contract, while weekly rounds are meant to have 1,000. The team will need to fix this prior to release. Users can guess one number per 100 tokens staked. The admin will provide data to a pseudo-random function to determine a random number, then will call chooseWinner() to select a winning user and automatically transfer the winnings to them. After each round, users will be able to unstake their tokens. The contract attempts to achieve some level of randomness through the generateRandomNumber() function, but as all the information used in the calculation is stored on chain, miners may be able to predict the results and may take action accordingly to secure profits. The team has signaled their intent to use Chainlink when available on BSC. The admin also has the ability to generate the random number multiple times if there are no winners. Gas can be saved by marking some functions external instead of public and by marking some variables constant. SafeMath is utilized to prevent overflow issues.
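An added example, not part of the audit report and not the project's code: a small Python check for the "Dependence on Predictable Variables" finding that flags hash calls fed directly by block values. The `GuessSketch` source in `SAMPLE` is constructed for illustration (the report does not reproduce the body of generateRandomNumber()), and the helper names `call_args` and `find_predictable_entropy` are hypothetical.

```python
import re

# Block values that are known or influenceable before a block is sealed.
ENTROPY_RE = re.compile(
    r"(?<![\w.])(block\.(?:timestamp|difficulty|number|coinbase)|blockhash|now)\b")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)")
HASH_RE = re.compile(r"\b(?:keccak256|sha256|sha3)\s*\(")

# Constructed sample, NOT the audited contract's source.
SAMPLE = """\
contract GuessSketch {
    uint256 public randomNumber;
    function generateRandomNumber(uint256 adminData) public {
        randomNumber = uint256(
            keccak256(abi.encodePacked(adminData, block.timestamp, block.difficulty))
        );
    }
    function ticketId(address user, uint256 n) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(user, n));
    }
}
"""


def call_args(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the rest


def find_predictable_entropy(src):
    """Return (function, line, sources) for each hash call fed by block data."""
    funcs = [(m.start(), m.group(1)) for m in FUNC_RE.finditer(src)]
    findings = []
    for m in HASH_RE.finditer(src):
        hits = sorted(set(ENTROPY_RE.findall(call_args(src, m.end() - 1))))
        if hits:
            owner = next((n for pos, n in reversed(funcs) if pos < m.start()), "?")
            line = src.count("\n", 0, m.start()) + 1
            findings.append((owner, line, hits))
    return findings
```

The check only sees block values written directly inside the hash call; values routed through a local variable or supplied by the admin still need manual review.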
Audit Findings Summary:
Miners could exploit the predictability of the pseudo-randomness used to select winners until Chainlink is integrated. With the exception of this scenario, no external threats were identified. As with any presale, ensure trust in the team prior to investing. Further, ensure trust in the project team as they have some control over the ecosystem.
Date: March 30th, 2021.
Update Date: April 1st, 2021 - Weekly tokens are now minted directly to the Guess Contract.
Update Date: April 2nd, 2021 - Logic updates, gas optimizations, ensuring logic will allow for future Chainlink integration.
Combined External Threat Results
|Arbitrary Storage Write||N/A||PASS|
|Delegate Call to Untrusted Contract||N/A||PASS|
|Dependence on Predictable Variables||The project uses a pseudo random function to determine winners of the game as opposed to verifiably random input. Until Chainlink is integrated, this may be exploitable by miners.|
|State Change External Calls||N/A||PASS|
|User Supplied Assertion||N/A||PASS|
|Critical Solidity Compiler||N/A||PASS|
|Overall Contract Safety||----->||WARNING|
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public

+ [Int] IBEP20
   - [Ext] totalSupply
   - [Ext] balanceOf
   - [Ext] transfer #
   - [Ext] allowance
   - [Ext] approve #
   - [Ext] transferFrom #

+ [Lib] SafeMath
   - [Int] add
   - [Int] sub
   - [Int] mul
   - [Int] div
   - [Int] mod

+ BEP20 (IBEP20)
   - [Pub] totalSupply
   - [Pub] balanceOf
   - [Pub] transfer #
   - [Pub] allowance
   - [Pub] approve #
   - [Pub] transferFrom #
   - [Pub] increaseAllowance #
   - [Pub] decreaseAllowance #
   - [Int] _transfer #
   - [Int] _emitInitial #
   - [Int] _emit #
   - [Int] _approve #

+ Context
   - [Int] #
   - [Int] _msgSender
   - [Int] _msgData

+ Ownable (Context)
   - [Int] #
   - [Pub] owner
   - [Pub] isOwner
   - [Pub] renounceOwnership #
      - modifiers: onlyOwner
   - [Pub] transferOwnership #
      - modifiers: onlyOwner
   - [Int] _transferOwnership #

+ StochToken (BEP20, Ownable)
   - [Pub] ($)
   - [Pub] transfer #
   - [Pub] setGuessAddress #
      - modifiers: onlyOwner
   - [Ext] transferGuess #
   - [Pub] name
   - [Pub] symbol
   - [Pub] decimals
   - [Int] _emitFirst #
   - [Pub] emitEveryWeekTokens #
      - modifiers: onlyOwner
   - [Pub] initialSupply

+ [Lib] SafeMath
   - [Int] add
   - [Int] sub
   - [Int] mul
   - [Int] div
   - [Int] mod

+ [Int] BEP20Interface
   - [Ext] totalSupply #
   - [Ext] balanceOf #
   - [Ext] allowance #
   - [Ext] transfer #
   - [Ext] approve #
   - [Ext] transferFrom #
   - [Ext] transferGuess #

+ GuessContract
   - [Pub] #
   - [Pub] stakeTokens #
   - [Pub] chooseNumbers #
      - modifiers: onlyStaked
   - [Pub] unstakeTokens #
      - modifiers: onlyStaked
   - [Pub] chooseWinner #
      - modifiers: onlyAdmin
   - [Pub] checkRandomOwner
   - [Pub] checkRandomNumber
   - [Pub] viewNumbersSelected
   - [Pub] maxNumberUserCanSelect
   - [Pub] remainingNumbersToSet
   - [Pub] countNumberSelected
   - [Pub] checkStakingBalance
   - [Pub] isUserStaking
   - [Int] calculateReedemToken
   - [Pub] calculateCurrentTokenAmount
   - [Pub] lastWinsTime
   - [Pub] winnerTokensReceived
   - [Pub] generateRandomNumber #
      - modifiers: onlyAdmin