TWOK Finance - Smart Contract Audit Report

Summary

TWOK Finance is a new DeFi platform launching on the Binance Smart Chain.

We previously reviewed 1k Finance, but the developer of the project has since abused the controls highlighted in the report. The rest of the team has opted to relaunch the platform with some slight modifications, so we have reviewed the updated code as a courtesy to the team.

We reviewed TWOK Finance's contracts on the Binance Smart Chain mainnet at the following addresses:

  • Token Upgradable Proxy: 0x6b2b73CAfB776158bEfa1d416BECD8D973692CBe
  • Token Implementation: 0x918f71edcd37115aeb0b6a92b057880bba030038
  • Vault Upgradable Proxy: 0x6b2b73CAfB776158bEfa1d416BECD8D973692CBe
  • Vault Implementation: 0xc4803010115d3a537d10064f2abcca6a0015f649

Notes on the Contracts:

  • The total supply of the token is 2,000.
  • There is a 1% tax on transfers by default. 90% of this fee is sent to the developers and the remainder is sent to the LiquidityLock contract (currently not in use, so these fees are burned).
  • The token contract will be deployed behind upgradable proxies, meaning the team can change this contract at any time without notice.
  • The team can update the transfer fee to any amount at any time, as well as the portion of the fee that goes to the development team.
  • The team can also freeze the tokens in any account, preventing them from being transferred.
  • The team can recover tokens and BNB erroneously sent to the token contract.

  • Users can lock LP tokens in the vault to earn rewards in TWOK token.
  • This contract receives 10% of the fees from transfers of the token and uses those tokens to provide rewards.

  • Users can lock their tokens for a chosen amount of time in the contract to earn rewards.
  • There is a minimum and maximum lockup time, determined by the project team.
  • The team can update the token used for rewards at any time.
  • The team can also change the address of the token to be locked and token to be rewarded at any time. This could allow the team to access users' funds and was re-added after the TWOK audit.
  • The team has the ability to transfer any tokens (including users' staked funds) from the Vault at any time.

General Notes:

  • The team has rolled back most of our recommended changes regarding gas optimizations and the level of owner control from the ONEK audit.
  • Utilization of SafeMath throughout the platform to prevent overflow issues.

Audit Findings Summary

  • No security issues from external attackers were identified.
  • Ensure trust in the project team as they have retained substantial power in the ecosystem, can transfer users' funds directly out of the Vault contract, and can upgrade the contracts at any time.
  • Date: March 8th, 2021

Vulnerability Category                   Notes   Result
Arbitrary Storage Write                  N/A     PASS
Arbitrary Jump                           N/A     PASS
Delegate Call to Untrusted Contract      N/A     PASS
Dependence on Predictable Variables      N/A     PASS
Deprecated Opcodes                       N/A     PASS
Ether Thief                              N/A     PASS
Exceptions                               N/A     PASS
External Calls                           N/A     PASS
Integer Over/Underflow                   N/A     PASS
Multiple Sends                           N/A     PASS
Suicide                                  N/A     PASS
State Change External Calls              N/A     PASS
Unchecked Retval                         N/A     PASS
User Supplied Assertion                  N/A     PASS
Critical Solidity Compiler               N/A     PASS
Overall Contract Safety                          PASS

    Functions Overview

    
    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
    
     +  Initializable 
        - [Prv] isConstructor
    
     +  ContextUpgradeSafe (Initializable)
        - [Int] __Context_init #
           - modifiers: initializer
        - [Int] __Context_init_unchained #
           - modifiers: initializer
        - [Int] _msgSender
        - [Int] _msgData
    
     +  OwnableUpgradeSafe (Initializable, ContextUpgradeSafe)
        - [Int] __Ownable_init #
           - modifiers: initializer
        - [Int] __Ownable_init_unchained #
           - modifiers: initializer
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  LockLiquidity (Initializable, OwnableUpgradeSafe)
        - [Pub] initialize #
           - modifiers: initializer
        - [Pub] setTWOK #
           - modifiers: onlyOwner
        - [Pub] setLiquidityProviderToken #
           - modifiers: onlyOwner
        - [Pub] addFeeAndUpdatePrice #
        - [Pub] lockLiquidity #
        - [Pub] extractEarnings #
        - [Pub] getAmountLocked
        - [Pub] extractTokensIfStuck #
           - modifiers: onlyOwner
        - [Pub] extractETHIfStruck #
           - modifiers: onlyOwner
      
    							

    Functions Overview

    
    
    
     +  Initializable 
        - [Prv] isConstructor
    
     +  ContextUpgradeSafe (Initializable)
        - [Int] __Context_init #
           - modifiers: initializer
        - [Int] __Context_init_unchained #
           - modifiers: initializer
        - [Int] _msgSender
        - [Int] _msgData
    
     +  OwnableUpgradeSafe (Initializable, ContextUpgradeSafe)
        - [Int] __Ownable_init #
           - modifiers: initializer
        - [Int] __Ownable_init_unchained #
           - modifiers: initializer
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
    
     +  ERC20UpgradeSafe (Initializable, ContextUpgradeSafe, IERC20)
        - [Int] __ERC20_init #
           - modifiers: initializer
        - [Int] __ERC20_init_unchained #
           - modifiers: initializer
        - [Pub] name
        - [Pub] symbol
        - [Pub] decimals
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Pub] transfer #
        - [Pub] allowance
        - [Pub] approve #
        - [Pub] transferFrom #
        - [Pub] increaseAllowance #
        - [Pub] decreaseAllowance #
        - [Int] _transfer #
        - [Int] _mint #
        - [Int] _burn #
        - [Int] _approve #
        - [Int] _setupDecimals #
        - [Int] _beforeTokenTransfer #
    
     + [Int] ILockLiquidity 
        - [Ext] addFeeAndUpdatePrice #
    
     +  TWOK (Initializable, OwnableUpgradeSafe, ERC20UpgradeSafe)
        - [Pub] initialize #
           - modifiers: initializer
        - [Pub] setDevTreasury #
           - modifiers: onlyOwner
        - [Pub] setDevTreasuryPercentage #
           - modifiers: onlyOwner
        - [Pub] setLockLiquidityContract #
           - modifiers: onlyOwner
        - [Int] _transfer #
        - [Pub] burn #
           - modifiers: onlyOwner
        - [Pub] extractETHIfStuck #
           - modifiers: onlyOwner
        - [Pub] extractTokenIfStuck #
           - modifiers: onlyOwner
        - [Pub] freezeTokens #
           - modifiers: onlyOwner
        - [Pub] unFreezeTokens #
           - modifiers: onlyOwner
        - [Pub] changeFee #
           - modifiers: onlyOwner
        - [Int] calculateFee
    
    							

    Functions Overview

    
    
    
     +  Initializable 
        - [Prv] isConstructor
    
     +  ContextUpgradeSafe (Initializable)
        - [Int] __Context_init #
           - modifiers: initializer
        - [Int] __Context_init_unchained #
           - modifiers: initializer
        - [Int] _msgSender
        - [Int] _msgData
    
     +  OwnableUpgradeSafe (Initializable, ContextUpgradeSafe)
        - [Int] __Ownable_init #
           - modifiers: initializer
        - [Int] __Ownable_init_unchained #
           - modifiers: initializer
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  Vault (Initializable, OwnableUpgradeSafe)
        - [Ext]  ($)
        - [Pub] initialize #
           - modifiers: initializer
        - [Ext] setLockToken #
           - modifiers: onlyOwner
        - [Ext] setRewardPerBlock #
           - modifiers: onlyOwner
        - [Ext] setDevTreasury #
           - modifiers: onlyOwner
        - [Ext] setRewardToken #
           - modifiers: onlyOwner
        - [Ext] setTimeLocks #
           - modifiers: onlyOwner
        - [Ext] setDevPercentages #
           - modifiers: onlyOwner
        - [Int] addFeeAndUpdatePrice #
        - [Int] updateFeeIn #
        - [Pub] lockLiquidity #
        - [Pub] extractEarnings #
        - [Pub] extractLiquidity #
        - [Pub] calcDevTreasuryPercentage
        - [Ext] getAmountLocked
        - [Ext] extractTokensIfStuck #
           - modifiers: onlyOwner
        - [Ext] extractETHIfStruck #
           - modifiers: onlyOwner
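
The owner powers noted in the summary can be enumerated directly from a listing in the Functions Overview format above. The following Python code is an added example, not part of the original report or the project's code: it parses such a listing and reports the externally callable, state-changing functions gated by onlyOwner. The sample text is a constructed excerpt of the Vault listing, and the names parse_overview and owner_gated are hypothetical.

```python
import re

# Constructed sample: an excerpt of the Vault listing in the report's format.
SAMPLE = """\
 +  Vault (Initializable, OwnableUpgradeSafe)
    - [Ext]  ($)
    - [Pub] initialize #
       - modifiers: initializer
    - [Ext] setLockToken #
       - modifiers: onlyOwner
    - [Ext] setRewardToken #
       - modifiers: onlyOwner
    - [Pub] lockLiquidity #
    - [Ext] getAmountLocked
    - [Ext] extractTokensIfStuck #
       - modifiers: onlyOwner
"""

# "+ [Kind] Name (bases)" opens a contract, "- [Vis] name ($) #" is a function,
# and "- modifiers: a, b" applies to the function listed just before it.
CONTRACT = re.compile(r"^\s*\+\s+(?:\[(\w+)\]\s+)?(\w+)")
FUNCTION = re.compile(r"^\s*-\s+\[(\w+)\]\s+(\w*)\s*(\(\$\))?\s*(#)?\s*$")
MODIFIERS = re.compile(r"^\s*-\s+modifiers:\s*(.+)$")

def parse_overview(text):
    """Return a list of dicts, one per function in the listing."""
    functions, contract, current = [], None, None
    for line in text.splitlines():
        if m := MODIFIERS.match(line):
            if current:
                current["modifiers"] = [x.strip() for x in m.group(1).split(",")]
        elif m := FUNCTION.match(line):
            current = {"contract": contract, "visibility": m.group(1),
                       "name": m.group(2) or "<fallback>",  # unnamed entry
                       "payable": bool(m.group(3)),
                       "mutating": bool(m.group(4)), "modifiers": []}
            functions.append(current)
        elif m := CONTRACT.match(line):
            contract, current = m.group(2), None
    return functions

def owner_gated(functions):
    """State-changing, externally callable functions restricted to the owner."""
    return [f"{f['contract']}.{f['name']}" for f in functions
            if f["mutating"] and f["visibility"] in ("Ext", "Pub")
            and "onlyOwner" in f["modifiers"]]

if __name__ == "__main__":
    for name in owner_gated(parse_overview(SAMPLE)):
        print(name)
```

Running the same functions over the full TWOK and LockLiquidity listings gives the complete set of owner-only entry points to review alongside the upgradable proxies.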
    
    							
