SwapzLiquidityPool - Smart Contract Audit Report


Swapz Network is building a cross-chain liquidity pool supporting stable coin swaps.

We audited the project team's SwapzLiquidityPool contract at commit 10bf3482272c8fbeeebdf9e62adfe4a6c8621f11 on the team's GitHub repository.

Notes on the Contract:
  • The address of the stable token used by the platform is set on deployment.
  • Initially, the platform only supports chain IDs 3 (Ethereum Ropsten Testnet) and 97 (Binance Smart Chain Testnet).
  • Users can use this contract to submit a swap request in order to initiate the process of moving an amount of the stable token used by the platform from one chain to another; users must pay a fee in the origin chain's native currency in order to do so.
  • The owner can then send the stable tokens specified in the swap request to the user on the desired chain. 0.04% of the amount is taken as a fee; 0.01% goes to the project team as a mesh fee, and 0.03% is contributed towards liquidity.
  • In the event that there is not enough liquidity on the user's desired chain, the owner can send the stable tokens back to the user on the origin chain.
  • Anyone can add liquidity to the pool on any chain at any time; an amount of shares proportional to the amount of liquidity being added and the amount of existing liquidity in the pool will be minted to the user.
  • Users can exit their position in the liquidity pool at any time; their shares will be burned and a proportional amount of stable tokens will be returned to the user.
  • In the event there are not enough stable coins for a user to exit their position on the chain they had joined on, the user can burn their shares on the origin chain and specify a chain from which to claim their stable tokens.
  • The owner can set the fee for any chain ID to any value at any time.
  • The owner can withdraw the stable tokens collected as the mesh fee at any time.

  • Cross-chain swaps involve some off-chain logic run by the team. Please note we have not reviewed the off-chain logic related to the bridge.
  • The contract complies with the ERC-20 standard.
  • As the contract is implemented with Solidity v0.8.4, it is protected from overflows.
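
The fee split and share accounting described in the notes above can be checked with a small integer model. This is an added example, not the audited contract's code: the names (PoolModel, split_fee), the 1:1 first deposit, the round-down pro-rata formulas and the treatment of all chains as a single pool are assumptions; only the 0.01% and 0.03% rates come from the notes.

```python
"""Added accounting model; not the audited contract's code."""
BPS = 10_000
MESH_FEE_BPS = 1        # 0.01% mesh fee (from the notes)
LIQUIDITY_FEE_BPS = 3   # 0.03% liquidity fee (from the notes)


def split_fee(amount):
    """Return (mesh_fee, liquidity_fee, payout) for a swap of `amount` base units."""
    mesh = amount * MESH_FEE_BPS // BPS
    liq = amount * LIQUIDITY_FEE_BPS // BPS
    return mesh, liq, amount - mesh - liq


class PoolModel:
    """All chains are treated as one pool (a simplification, see lead-in)."""

    def __init__(self):
        self.liquidity = 0       # stable tokens backing LP shares
        self.mesh_fees = 0       # mesh fees the owner can withdraw
        self.total_shares = 0
        self.shares = {}

    def join(self, user, amount):
        # Assumption: first deposit mints 1:1, later ones pro rata, rounded down.
        if self.total_shares == 0:
            minted = amount
        else:
            minted = amount * self.total_shares // self.liquidity
        if amount <= 0 or minted == 0:
            raise ValueError("deposit too small to mint shares")
        self.liquidity += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def leave(self, user, burned):
        if burned <= 0 or burned > self.shares.get(user, 0):
            raise ValueError("invalid share amount")
        payout = burned * self.liquidity // self.total_shares  # rounds toward the pool
        self.liquidity -= payout
        self.total_shares -= burned
        self.shares[user] -= burned
        return payout

    def swap(self, amount):
        """User deposits `amount` on the origin chain and is paid out on the destination."""
        mesh, liq, payout = split_fee(amount)
        self.mesh_fees += mesh
        self.liquidity += liq    # fee accrues to existing share holders
        return payout
```

In this model a provider who joins after a swap pays the post-fee share price, so earlier fees stay with earlier providers and rounding never pays out more than was deposited.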

Audit Findings Summary
  • No security threats from outside attackers were identified.
  • Users must trust the team as they will operate off-chain logic to power the bridge used for cross-chain transfers.
  • Date: September 13th, 2021

External Threat Results

Vulnerability Category                  Notes   Result
Arbitrary Storage Write                 N/A     PASS
Arbitrary Jump                          N/A     PASS
Delegate Call to Untrusted Contract     N/A     PASS
Dependence on Predictable Variables     N/A     PASS
Deprecated Opcodes                      N/A     PASS
Ether Thief                             N/A     PASS
External Calls                          N/A     PASS
Flash Loans                             N/A     PASS
Integer Over/Underflow                  N/A     PASS
Multiple Sends                          N/A     PASS
State Change External Calls             N/A     PASS
Unchecked Retval                        N/A     PASS
User Supplied Assertion                 N/A     PASS
Critical Solidity Compiler              N/A     PASS
Overall Contract Safety                         PASS

Smart Contract Graph

Multi-file Token

($) = payable function
 # = non-constant function

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20Metadata (IERC20)
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  ERC20 (Context, IERC20, IERC20Metadata)
    - [Pub] <Constructor> #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _beforeTokenTransfer #
    - [Int] _afterTokenTransfer #

 + [Lib] SafeMath 
    - [Int] tryAdd
    - [Int] trySub
    - [Int] tryMul
    - [Int] tryDiv
    - [Int] tryMod
    - [Int] add
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] mod
    - [Int] sub
    - [Int] div
    - [Int] mod

 +  Ownable (Context)
    - [Pub] <Constructor> #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Prv] _setOwner #

 +  SwapzLiquidityPool (ERC20, Ownable)
    - [Pub] chainChainFee #
       - modifiers: onlyOwner
    - [Pub] <Constructor> #
    - [Pub] decimals
    - [Ext] swapRequest ($)
    - [Pub] sendBackAll #
       - modifiers: onlyOwner
    - [Pub] sendAll #
       - modifiers: onlyOwner
    - [Pub] sendBack #
       - modifiers: onlyOwner
    - [Pub] send #
       - modifiers: onlyOwner
    - [Pub] withdrawMeshFee #
       - modifiers: onlyOwner
    - [Pub] join #
    - [Prv] burn #
    - [Pub] leaveForeign ($)
    - [Pub] leave #