TronWin888 - Smart Contract Audit Report

Summary

TronWin888 TronWin888 is a scam platform that promises to provide 1.66% daily returns (332% APY) on Tron deposited into the contract; and provides additonal rewards for referring other users to make deposits. TronWin888 achieves this through a pyramid scheme, where the interest payments of early investors are taken from the deposits of new users. As with any pyramid/Ponzi scheme, this is not sustainable, and users who invest later in the course of the project will lose their TRX. In this Ponzi scheme, the project pays its initial investors interest using money raised from new investors. Eventually, the project will no longer be able to find enough new investors to pay the users who have already deposited, and the scheme collapses leading to massive loss of funds. This is very similar to the infamous Bank of Tron & Tron Chain.
TronWin888 is a Pyramid Scheme TronWin888 is a Ponzi Scheme

  • We audited TronWin888's main contract, deployed at TRWfBkXte2Lz82gfkYhGHAhcVDW6PZEXJv
  • USDTPool has not yet been deployed. This contracts provides similar functionality to TronWin888, but uses USDT-Panda LP tokens instead of TRX. When staking in the USDT pool, users can only stake and withdraw in incrememts of 180. Users also pay a 20% tax upon staking.
  • PandaReferral has not yet been deployed. This contract rewards users in Panda token for referring others users that deposit funds.
  • Audit Findings:
    • This is a Ponzi/pyramid scheme. We do not reccomend depositing any funds. Investing later in the lifecycle of the project likely will result in loss of funds.
    • No issues from outside attackers were identifed.
    • Date: December 8th, 2020.

    We ran over 400,000 transactions interacting with this suite of contracts on a test blockchain to determine these results.
    Date: December 8th, 2020
    Vulnerability CategoryNotesResult
    Arbitrary Storage WriteN/APASS
    Arbitrary JumpN/APASS
    Delegate Call to Untrusted ContractN/APASS
    Dependence on Predictable VariablesN/APASS
    Deprecated OpcodesN/APASS
    Ether/Token ThiefN/APASS
    ExceptionsN/APASS
    External CallsN/APASS
    Integer Over/UnderflowN/APASS
    Multiple SendsN/APASS
    OracleN/APASS
    SuicideN/APASS
    State Change External CallsN/APASS
    Unchecked RetvalN/APASS
    User Supplied AssertionN/APASS
    Critical Solidity CompilerN/APASS
    Overall Contract Safety ----->PASS

    Function Graph

    TronWin888 Smart Contract Graph

    Inheritence Chart

    TronWin888 Smart Contract Inheritance

    Functions Overview

    
    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
    
     +  TronWin888 
        - [Pub]  #
        - [Ext]  ($)
        - [Prv] _setUpline #
        - [Prv] _deposit #
        - [Prv] _pollDeposits #
        - [Prv] _refPayout #
        - [Prv] _drawPool #
        - [Ext] deposit ($)
        - [Ext] withdraw #
        - [Ext] maxPayoutOf
        - [Ext] payoutOf
        - [Ext] userInfo
        - [Ext] userInfoTotals
        - [Ext] contractInfo
        - [Ext] poolTopInfo  
    							

    Click here to download the source code as a .sol file.

    
    pragma solidity 0.5.10;
    
    contract TronWin888 {
        struct User {
            uint256 cycle;
            address upline;
            uint256 referrals;
            uint256 payouts;
            uint256 direct_bonus;
            uint256 pool_bonus;
            uint256 match_bonus;
            uint256 deposit_amount;
            uint256 deposit_payouts;
            uint40 deposit_time;
            uint256 total_deposits;
            uint256 total_payouts;
            uint256 total_structure;
        }
    
        address payable public owner;
        address payable public dev1 = address(0x41F424B1C4724A111EA619E5A0510581A422843E46); //TYE7qSKywd112UK3HBcKjpuLUtBCRem8y6
        address payable public dev2 = address(0x415C74701B4CF05C8292F3149C65AB480516607CF5); //TJQ4exP8wzZCPPpwAQ2EeRSSVcZVeMp6KU
        address payable public dev3 = address(0x41EA8A4DB647DAB24789B45603AFBEEF05456B04A9); //TXMLoSu2DMNj3MjQn4wpVGZ2aRNMJ4K8UQ
        address payable public grandPrice = address(0x419BA60BE65EC201DA6B32F334A05A648B09F6F983); //TQACeuRasK3L8dymZLzczKKpDncTZ72zRs
    
        mapping(address => User) public users;
        mapping(uint256 => address) public id2Address;
    
        uint256[] public cycles;
        uint8[] public ref_bonuses;
    
        uint8[] public pool_bonuses;
        uint40 public pool_last_draw = uint40(block.timestamp);
        uint256 public pool_cycle;
        uint256 public pool_balance;
        uint256 public startTime = 1605506400;//1605506400
        mapping(uint256 => mapping(address => uint256)) public pool_users_refs_deposits_sum;
        mapping(uint8 => address) public pool_top;
    
        uint256 public total_users = 1;
        uint256 public total_deposited;
        uint256 public total_withdraw;
    
        event Upline(address indexed addr, address indexed upline);
        event NewDeposit(address indexed addr, uint256 amount);
        event DirectPayout(address indexed addr, address indexed from, uint256 amount);
        event MatchPayout(address indexed addr, address indexed from, uint256 amount);
        event PoolPayout(address indexed addr, uint256 amount);
        event Withdraw(address indexed addr, uint256 amount);
        event LimitReached(address indexed addr, uint256 amount);
    
        constructor() public {
            owner = msg.sender;
    
            ref_bonuses.push(30);
            ref_bonuses.push(10);
            ref_bonuses.push(10);
            ref_bonuses.push(10);
            ref_bonuses.push(10);
            ref_bonuses.push(8);
            ref_bonuses.push(8);
            ref_bonuses.push(8);
            ref_bonuses.push(8);
            ref_bonuses.push(8);
            ref_bonuses.push(5);
            ref_bonuses.push(5);
            ref_bonuses.push(5);
            ref_bonuses.push(5);
            ref_bonuses.push(5);
    
            pool_bonuses.push(40);
            pool_bonuses.push(30);
            pool_bonuses.push(20);
            pool_bonuses.push(10);
    
            cycles.push(5e11);
            cycles.push(1e12);
            cycles.push(2e12);
            cycles.push(5e12);
        }
    
        function() payable external {
            _deposit(msg.sender, msg.value);
        }
    
        function _setUpline(address _addr, address _upline) private {
            if(users[_addr].upline == address(0) && _upline != _addr && _addr != owner && (users[_upline].deposit_time > 0 || _upline == owner)) {
                users[_addr].upline = _upline;
                users[_upline].referrals++;
    
                emit Upline(_addr, _upline);
                id2Address[total_users] = _addr;
                total_users++;
    
                for(uint8 i = 0; i < ref_bonuses.length; i++) {
                    if(_upline == address(0)) break;
    
                    users[_upline].total_structure++;
    
                    _upline = users[_upline].upline;
                }
            }
        }
    
        function _deposit(address _addr, uint256 _amount) private {
            require(users[_addr].upline != address(0) || _addr == owner, "No upline");
    
            if(users[_addr].deposit_time > 0) {
                users[_addr].cycle++;
    
                require(users[_addr].payouts >= this.maxPayoutOf(users[_addr].deposit_amount), "Deposit already exists");
                require(_amount >= users[_addr].deposit_amount && _amount <= cycles[users[_addr].cycle > cycles.length - 1 ? cycles.length - 1 : users[_addr].cycle], "Bad amount");
            }
            else require(_amount >= 1e8 && _amount <= cycles[0], "Bad amount");
    
            users[_addr].payouts = 0;
            users[_addr].deposit_amount = _amount;
            users[_addr].deposit_payouts = 0;
            users[_addr].deposit_time = uint40(block.timestamp);
            users[_addr].total_deposits += _amount;
    
            total_deposited += _amount;
    
            emit NewDeposit(_addr, _amount);
    
            if(users[_addr].upline != address(0)) {
                users[users[_addr].upline].direct_bonus += _amount / 10;
    
                emit DirectPayout(users[_addr].upline, _addr, _amount / 10);
            }
    
            _pollDeposits(_addr, _amount);
    
            if(pool_last_draw + 1 days < block.timestamp) {
                _drawPool();
            }
    
            uint256 _devFee = _amount / 20;
            grandPrice.transfer(_devFee);
            dev1.transfer(_devFee);
            dev2.transfer(_devFee);
            dev3.transfer(_devFee);
        }
    
        function _pollDeposits(address _addr, uint256 _amount) private {
            pool_balance += _amount * 3 / 100;
    
            address upline = users[_addr].upline;
    
            if(upline == address(0)) return;
    
            pool_users_refs_deposits_sum[pool_cycle][upline] += _amount;
    
            for(uint8 i = 0; i < pool_bonuses.length; i++) {
                if(pool_top[i] == upline) break;
    
                if(pool_top[i] == address(0)) {
                    pool_top[i] = upline;
                    break;
                }
    
                if(pool_users_refs_deposits_sum[pool_cycle][upline] > pool_users_refs_deposits_sum[pool_cycle][pool_top[i]]) {
                    for(uint8 j = i + 1; j < pool_bonuses.length; j++) {
                        if(pool_top[j] == upline) {
                            for(uint8 k = j; k <= pool_bonuses.length; k++) {
                                pool_top[k] = pool_top[k + 1];
                            }
                            break;
                        }
                    }
    
                    for(uint8 j = uint8(pool_bonuses.length - 1); j > i; j--) {
                        pool_top[j] = pool_top[j - 1];
                    }
    
                    pool_top[i] = upline;
    
                    break;
                }
            }
        }
    
        function _refPayout(address _addr, uint256 _amount) private {
            address up = users[_addr].upline;
    
            for(uint8 i = 0; i < ref_bonuses.length; i++) {
                if(up == address(0)) break;
    
                if(users[up].referrals >= i + 1) {
                    uint256 bonus = _amount * ref_bonuses[i] / 100;
    
                    users[up].match_bonus += bonus;
    
                    emit MatchPayout(up, _addr, bonus);
                }
    
                up = users[up].upline;
            }
        }
    
        function _drawPool() private {
            pool_last_draw = uint40(block.timestamp);
            pool_cycle++;
    
            uint256 draw_amount = pool_balance / 10;
    
            for(uint8 i = 0; i < pool_bonuses.length; i++) {
                if(pool_top[i] == address(0)) break;
    
                uint256 win = draw_amount * pool_bonuses[i] / 100;
    
                users[pool_top[i]].pool_bonus += win;
                pool_balance -= win;
    
                emit PoolPayout(pool_top[i], win);
            }
    
            for(uint8 i = 0; i < pool_bonuses.length; i++) {
                pool_top[i] = address(0);
            }
        }
    
        function deposit(address _upline) payable external {
            require(block.timestamp >= startTime, 'not started');
            _setUpline(msg.sender, _upline);
            _deposit(msg.sender, msg.value);
        }
    
        function withdraw() external {
            (uint256 to_payout, uint256 max_payout) = this.payoutOf(msg.sender);
    
            require(users[msg.sender].payouts < max_payout, "Full payouts");
    
            // Deposit payout
            if(to_payout > 0) {
                if(users[msg.sender].payouts + to_payout > max_payout) {
                    to_payout = max_payout - users[msg.sender].payouts;
                }
    
                users[msg.sender].deposit_payouts += to_payout;
                users[msg.sender].payouts += to_payout;
    
                _refPayout(msg.sender, to_payout);
            }
    
            // Direct payout
            if(users[msg.sender].payouts < max_payout && users[msg.sender].direct_bonus > 0) {
                uint256 direct_bonus = users[msg.sender].direct_bonus;
    
                if(users[msg.sender].payouts + direct_bonus > max_payout) {
                    direct_bonus = max_payout - users[msg.sender].payouts;
                }
    
                users[msg.sender].direct_bonus -= direct_bonus;
                users[msg.sender].payouts += direct_bonus;
                to_payout += direct_bonus;
            }
    
            // Pool payout
            if(users[msg.sender].payouts < max_payout && users[msg.sender].pool_bonus > 0) {
                uint256 pool_bonus = users[msg.sender].pool_bonus;
    
                if(users[msg.sender].payouts + pool_bonus > max_payout) {
                    pool_bonus = max_payout - users[msg.sender].payouts;
                }
    
                users[msg.sender].pool_bonus -= pool_bonus;
                users[msg.sender].payouts += pool_bonus;
                to_payout += pool_bonus;
            }
    
            // Match payout
            if(users[msg.sender].payouts < max_payout && users[msg.sender].match_bonus > 0) {
                uint256 match_bonus = users[msg.sender].match_bonus;
    
                if(users[msg.sender].payouts + match_bonus > max_payout) {
                    match_bonus = max_payout - users[msg.sender].payouts;
                }
    
                users[msg.sender].match_bonus -= match_bonus;
                users[msg.sender].payouts += match_bonus;
                to_payout += match_bonus;
            }
    
            require(to_payout > 0, "Zero payout");
    
            users[msg.sender].total_payouts += to_payout;
            total_withdraw += to_payout;
    
            msg.sender.transfer(to_payout);
    
            emit Withdraw(msg.sender, to_payout);
    
            if(users[msg.sender].payouts >= max_payout) {
                emit LimitReached(msg.sender, users[msg.sender].payouts);
            }
        }
    
        function maxPayoutOf(uint256 _amount) pure external returns(uint256) {
            return _amount * 3333 / 1000;
        }
    
        function payoutOf(address _addr) view external returns(uint256 payout, uint256 max_payout) {
            max_payout = this.maxPayoutOf(users[_addr].deposit_amount);
    
            if(users[_addr].deposit_payouts < max_payout) {
                payout = (users[_addr].deposit_amount * ((block.timestamp - users[_addr].deposit_time) / 1 days) / 100) * 1666/1000 - users[_addr].deposit_payouts;
    
                if(users[_addr].deposit_payouts + payout > max_payout) {
                    payout = max_payout - users[_addr].deposit_payouts;
                }
            }
        }
    
    
        /*
            Only external call
        */
        function userInfo(address _addr) view external returns(address upline, uint40 deposit_time, uint256 deposit_amount, uint256 payouts, uint256 direct_bonus, uint256 pool_bonus, uint256 match_bonus) {
            return (users[_addr].upline, users[_addr].deposit_time, users[_addr].deposit_amount, users[_addr].payouts, users[_addr].direct_bonus, users[_addr].pool_bonus, users[_addr].match_bonus);
        }
    
        function userInfoTotals(address _addr) view external returns(uint256 referrals, uint256 total_deposits, uint256 total_payouts, uint256 total_structure) {
            return (users[_addr].referrals, users[_addr].total_deposits, users[_addr].total_payouts, users[_addr].total_structure);
        }
    
        function contractInfo() view external returns(uint256 _total_users, uint256 _total_deposited, uint256 _total_withdraw, uint40 _pool_last_draw, uint256 _pool_balance, uint256 _pool_lider) {
            return (total_users, total_deposited, total_withdraw, pool_last_draw, pool_balance, pool_users_refs_deposits_sum[pool_cycle][pool_top[0]]);
        }
    
        function poolTopInfo() view external returns(address[4] memory addrs, uint256[4] memory deps) {
            for(uint8 i = 0; i < pool_bonuses.length; i++) {
                if(pool_top[i] == address(0)) break;
    
                addrs[i] = pool_top[i];
                deps[i] = pool_users_refs_deposits_sum[pool_cycle][pool_top[i]];
            }
        }
    }
    
    

    Function Graph

    TronWin888 USDT Pool Smart Contract Graph

    Inheritence Chart

    TronWin888 USDT Pool Smart Contract Inheritance

    Functions Overview

    
    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
    
     + [Lib] Math 
        - [Int] max
        - [Int] min
        - [Int] average
    
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  Context 
        - [Int]  #
        - [Int] _msgSender
        - [Int] _msgData
    
     +  Ownable (Context)
        - [Int]  #
        - [Pub] owner
        - [Pub] isOwner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] mint #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] toPayable
        - [Int] sendValue #
    
     + [Lib] SafeERC20 
        - [Int] safeTransfer #
        - [Int] safeTransferFrom #
        - [Int] safeApprove #
        - [Int] safeIncreaseAllowance #
        - [Int] safeDecreaseAllowance #
        - [Prv] callOptionalReturn #
    
     +  IRewardDistributionRecipient (Ownable)
        - [Ext] notifyRewardAmount #
        - [Ext] setRewardDistribution #
           - modifiers: onlyOwner
    
     +  PandaReferralInterface 
        - [Ext] refPayout #
        - [Ext] register #
        - [Ext] deregister #
        - [Pub] getHarvestRate
    
     +  LPTokenWrapper (Ownable)
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Int] stake #
        - [Pub] withdraw #
        - [Ext] setUnStakeRate #
           - modifiers: onlyOwner
    
     +  UsdtPdaPool (LPTokenWrapper, IRewardDistributionRecipient)
        - [Pub] lastTimeRewardApplicable
        - [Pub] rewardPerToken
        - [Pub] earned
        - [Pub] stake #
           - modifiers: updateReward,checkhalve,checkStart
        - [Pub] withdraw #
           - modifiers: updateReward,checkhalve,checkStart
        - [Ext] exit #
        - [Pub] getReward #
           - modifiers: updateReward,checkhalve,checkStart
        - [Ext] notifyRewardAmount #
           - modifiers: onlyRewardDistribution,updateReward
    
    							

    Click here to download the source code as a .sol file.

    
    pragma solidity ^0.5.0;
    
    /**
     * @dev Standard math utilities missing in the Solidity language.
     */
    library Math {
        /**
         * @dev Returns the largest of two numbers.
         */
        function max(uint256 a, uint256 b) internal pure returns (uint256) {
            return a >= b ? a : b;
        }
    
        /**
         * @dev Returns the smallest of two numbers.
         */
        function min(uint256 a, uint256 b) internal pure returns (uint256) {
            return a < b ? a : b;
        }
    
        /**
         * @dev Returns the average of two numbers. The result is rounded towards
         * zero.
         */
        function average(uint256 a, uint256 b) internal pure returns (uint256) {
            // (a + b) / 2 can overflow, so we distribute
            return (a / 2) + (b / 2) + ((a % 2 + b % 2) / 2);
        }
    }
    
    // File: @openzeppelin/audits/math/SafeMath.sol
    
    pragma solidity ^0.5.0;
    
    /**
     * @dev Wrappers over Solidity's arithmetic operations with added overflow
     * checks.
     *
     * Arithmetic operations in Solidity wrap on overflow. This can easily result
     * in bugs, because programmers usually assume that an overflow raises an
     * error, which is the standard behavior in high level programming languages.
     * `SafeMath` restores this intuition by reverting the transaction when an
     * operation overflows.
     *
     * Using this library instead of the unchecked operations eliminates an entire
     * class of bugs, so it's recommended to use it always.
     */
    library SafeMath {
        /**
         * @dev Returns the addition of two unsigned integers, reverting on
         * overflow.
         *
         * Counterpart to Solidity's `+` operator.
         *
         * Requirements:
         * - Addition cannot overflow.
         */
        function add(uint256 a, uint256 b) internal pure returns (uint256) {
            uint256 c = a + b;
            require(c >= a, "SafeMath: addition overflow");
    
            return c;
        }
    
        /**
         * @dev Returns the subtraction of two unsigned integers, reverting on
         * overflow (when the result is negative).
         *
         * Counterpart to Solidity's `-` operator.
         *
         * Requirements:
         * - Subtraction cannot overflow.
         */
        function sub(uint256 a, uint256 b) internal pure returns (uint256) {
            return sub(a, b, "SafeMath: subtraction overflow");
        }
    
        /**
         * @dev Returns the subtraction of two unsigned integers, reverting with custom message on
         * overflow (when the result is negative).
         *
         * Counterpart to Solidity's `-` operator.
         *
         * Requirements:
         * - Subtraction cannot overflow.
         *
         * _Available since v2.4.0._
         */
        function sub(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
            require(b <= a, errorMessage);
            uint256 c = a - b;
    
            return c;
        }
    
        /**
         * @dev Returns the multiplication of two unsigned integers, reverting on
         * overflow.
         *
         * Counterpart to Solidity's `*` operator.
         *
         * Requirements:
         * - Multiplication cannot overflow.
         */
        function mul(uint256 a, uint256 b) internal pure returns (uint256) {
            // Gas optimization: this is cheaper than requiring 'a' not being zero, but the
            // benefit is lost if 'b' is also tested.
            // See: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/522
            if (a == 0) {
                return 0;
            }
    
            uint256 c = a * b;
            require(c / a == b, "SafeMath: multiplication overflow");
    
            return c;
        }
    
        /**
         * @dev Returns the integer division of two unsigned integers. Reverts on
         * division by zero. The result is rounded towards zero.
         *
         * Counterpart to Solidity's `/` operator. Note: this function uses a
         * `revert` opcode (which leaves remaining gas untouched) while Solidity
         * uses an invalid opcode to revert (consuming all remaining gas).
         *
         * Requirements:
         * - The divisor cannot be zero.
         */
        function div(uint256 a, uint256 b) internal pure returns (uint256) {
            return div(a, b, "SafeMath: division by zero");
        }
    
        /**
         * @dev Returns the integer division of two unsigned integers. Reverts with custom message on
         * division by zero. The result is rounded towards zero.
         *
         * Counterpart to Solidity's `/` operator. Note: this function uses a
         * `revert` opcode (which leaves remaining gas untouched) while Solidity
         * uses an invalid opcode to revert (consuming all remaining gas).
         *
         * Requirements:
         * - The divisor cannot be zero.
         *
         * _Available since v2.4.0._
         */
        function div(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
            // Solidity only automatically asserts when dividing by 0
            require(b > 0, errorMessage);
            uint256 c = a / b;
            // assert(a == b * c + a % b); // There is no case in which this doesn't hold
    
            return c;
        }
    
        /**
         * @dev Returns the remainder of dividing two unsigned integers. (unsigned integer modulo),
         * Reverts when dividing by zero.
         *
         * Counterpart to Solidity's `%` operator. This function uses a `revert`
         * opcode (which leaves remaining gas untouched) while Solidity uses an
         * invalid opcode to revert (consuming all remaining gas).
         *
         * Requirements:
         * - The divisor cannot be zero.
         */
        function mod(uint256 a, uint256 b) internal pure returns (uint256) {
            return mod(a, b, "SafeMath: modulo by zero");
        }
    
        /**
         * @dev Returns the remainder of dividing two unsigned integers. (unsigned integer modulo),
         * Reverts with custom message when dividing by zero.
         *
         * Counterpart to Solidity's `%` operator. This function uses a `revert`
         * opcode (which leaves remaining gas untouched) while Solidity uses an
         * invalid opcode to revert (consuming all remaining gas).
         *
         * Requirements:
         * - The divisor cannot be zero.
         *
         * _Available since v2.4.0._
         */
        function mod(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
            require(b != 0, errorMessage);
            return a % b;
        }
    }
    
    // File: @openzeppelin/audits/GSN/Context.sol
    
    pragma solidity ^0.5.0;
    
    /*
     * @dev Provides information about the current execution context, including the
     * sender of the transaction and its data. While these are generally available
     * via msg.sender and msg.data, they should not be accessed in such a direct
     * manner, since when dealing with GSN meta-transactions the account sending and
     * paying for execution may not be the actual sender (as far as an application
     * is concerned).
     *
     * This contract is only required for intermediate, library-like contracts.
     */
    contract Context {
        // Empty internal constructor, to prevent people from mistakenly deploying
        // an instance of this contract, which should be used via inheritance.
        constructor () internal { }
        // solhint-disable-previous-line no-empty-blocks
    
        function _msgSender() internal view returns (address payable) {
            return msg.sender;
        }
    
        function _msgData() internal view returns (bytes memory) {
            this; // silence state mutability warning without generating bytecode - see https://github.com/ethereum/solidity/issues/2691
            return msg.data;
        }
    }
    
    // File: @openzeppelin/audits/ownership/Ownable.sol
    
    pragma solidity ^0.5.0;
    
    /**
     * @dev Contract module which provides a basic access control mechanism, where
     * there is an account (an owner) that can be granted exclusive access to
     * specific functions.
     *
     * This module is used through inheritance. It will make available the modifier
     * `onlyOwner`, which can be applied to your functions to restrict their use to
     * the owner.
     */
    contract Ownable is Context {
        address private _owner;
    
        event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    
        /**
         * @dev Initializes the contract setting the deployer as the initial owner.
         */
        constructor () internal {
            _owner = _msgSender();
            emit OwnershipTransferred(address(0), _owner);
        }
    
        /**
         * @dev Returns the address of the current owner.
         */
        function owner() public view returns (address) {
            return _owner;
        }
    
        /**
         * @dev Throws if called by any account other than the owner.
         */
        modifier onlyOwner() {
            require(isOwner(), "Ownable: caller is not the owner");
            _;
        }
    
        /**
         * @dev Returns true if the caller is the current owner.
         */
        function isOwner() public view returns (bool) {
            return _msgSender() == _owner;
        }
    
        /**
         * @dev Leaves the contract without owner. It will not be possible to call
         * `onlyOwner` functions anymore. Can only be called by the current owner.
         *
         * NOTE: Renouncing ownership will leave the contract without an owner,
         * thereby removing any functionality that is only available to the owner.
         */
        function renounceOwnership() public onlyOwner {
            emit OwnershipTransferred(_owner, address(0));
            _owner = address(0);
        }
    
        /**
         * @dev Transfers ownership of the contract to a new account (`newOwner`).
         * Can only be called by the current owner.
         */
        function transferOwnership(address newOwner) public onlyOwner {
            _transferOwnership(newOwner);
        }
    
        /**
         * @dev Transfers ownership of the contract to a new account (`newOwner`).
         */
        function _transferOwnership(address newOwner) internal {
            require(newOwner != address(0), "Ownable: new owner is the zero address");
            emit OwnershipTransferred(_owner, newOwner);
            _owner = newOwner;
        }
    }
    
    // File: @openzeppelin/audits/token/ERC20/IERC20.sol
    
    pragma solidity ^0.5.0;
    
    /**
     * @dev Interface of the ERC20 standard as defined in the EIP. Does not include
     * the optional functions; to access them see {ERC20Detailed}.
     */
    interface IERC20 {
        /**
         * @dev Returns the amount of tokens in existence.
         */
        function totalSupply() external view returns (uint256);
    
        /**
         * @dev Returns the amount of tokens owned by `account`.
         */
        function balanceOf(address account) external view returns (uint256);
    
        /**
         * @dev Moves `amount` tokens from the caller's account to `recipient`.
         *
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * Emits a {Transfer} event.
         */
        function transfer(address recipient, uint256 amount) external returns (bool);
        function mint(address account, uint amount) external;
    
        /**
         * @dev Returns the remaining number of tokens that `spender` will be
         * allowed to spend on behalf of `owner` through {transferFrom}. This is
         * zero by default.
         *
         * This value changes when {approve} or {transferFrom} are called.
         */
        function allowance(address owner, address spender) external view returns (uint256);
    
        /**
         * @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
         *
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * IMPORTANT: Beware that changing an allowance with this method brings the risk
         * that someone may use both the old and the new allowance by unfortunate
         * transaction ordering. One possible solution to mitigate this race
         * condition is to first reduce the spender's allowance to 0 and set the
         * desired value afterwards:
         * https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
         *
         * Emits an {Approval} event.
         */
        function approve(address spender, uint256 amount) external returns (bool);
    
        /**
         * @dev Moves `amount` tokens from `sender` to `recipient` using the
         * allowance mechanism. `amount` is then deducted from the caller's
         * allowance.
         *
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * Emits a {Transfer} event.
         */
        function transferFrom(address sender, address recipient, uint256 amount) external returns (bool);
    
        /**
         * @dev Emitted when `value` tokens are moved from one account (`from`) to
         * another (`to`).
         *
         * Note that `value` may be zero.
         */
        event Transfer(address indexed from, address indexed to, uint256 value);
    
        /**
         * @dev Emitted when the allowance of a `spender` for an `owner` is set by
         * a call to {approve}. `value` is the new allowance.
         */
        event Approval(address indexed owner, address indexed spender, uint256 value);
    }
    
    // File: @openzeppelin/audits/utils/Address.sol
    
    pragma solidity ^0.5.5;
    
    /**
     * @dev Collection of functions related to the address type
     */
    library Address {
        /**
         * @dev Returns true if `account` is a contract.
         *
         * This test is non-exhaustive, and there may be false-negatives: during the
         * execution of a contract's constructor, its address will be reported as
         * not containing a contract.
         *
         * IMPORTANT: It is unsafe to assume that an address for which this
         * function returns false is an externally-owned account (EOA) and not a
         * contract.
         */
        function isContract(address account) internal view returns (bool) {
            // This method relies in extcodesize, which returns 0 for contracts in
            // construction, since the code is only stored at the end of the
            // constructor execution.
    
            // According to EIP-1052, 0x0 is the value returned for not-yet created accounts
            // and 0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470 is returned
            // for accounts without code, i.e. `keccak256('')`
            bytes32 codehash;
            bytes32 accountHash = 0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470;
            // solhint-disable-next-line no-inline-assembly
            assembly { codehash := extcodehash(account) }
            return (codehash != 0x0 && codehash != accountHash);
        }
    
        /**
         * @dev Converts an `address` into `address payable`. Note that this is
         * simply a type cast: the actual underlying value is not changed.
         *
         * _Available since v2.4.0._
         */
        function toPayable(address account) internal pure returns (address payable) {
            return address(uint160(account));
        }
    
        /**
         * @dev Replacement for Solidity's `transfer`: sends `amount` wei to
         * `recipient`, forwarding all available gas and reverting on errors.
         *
         * https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
         * of certain opcodes, possibly making contracts go over the 2300 gas limit
         * imposed by `transfer`, making them unable to receive funds via
         * `transfer`. {sendValue} removes this limitation.
         *
         * https://diligence.consensys.net/posts/2019/09/stop-using-soliditys-transfer-now/[Learn more].
         *
         * IMPORTANT: because control is transferred to `recipient`, care must be
         * taken to not create reentrancy vulnerabilities. Consider using
         * {ReentrancyGuard} or the
         * https://solidity.readthedocs.io/en/v0.5.11/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
         *
         * _Available since v2.4.0._
         */
        function sendValue(address payable recipient, uint256 amount) internal {
            require(address(this).balance >= amount, "Address: insufficient balance");
    
            // solhint-disable-next-line avoid-call-value
            (bool success, ) = recipient.call.value(amount)("");
            require(success, "Address: unable to send value, recipient may have reverted");
        }
    }
    
    // File: @openzeppelin/audits/token/ERC20/SafeERC20.sol
    
    pragma solidity ^0.5.0;
    
    
    
    
    /**
     * @title SafeERC20
     * @dev Wrappers around ERC20 operations that throw on failure (when the token
     * contract returns false). Tokens that return no value (and instead revert or
     * throw on failure) are also supported, non-reverting calls are assumed to be
     * successful.
     * To use this library you can add a `using SafeERC20 for ERC20;` statement to your contract,
     * which allows you to call the safe operations as `token.safeTransfer(...)`, etc.
     */
    library SafeERC20 {
        using SafeMath for uint256;
        using Address for address;
    
        function safeTransfer(IERC20 token, address to, uint256 value) internal {
            callOptionalReturn(token, abi.encodeWithSelector(token.transfer.selector, to, value));
        }
    
        function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
            callOptionalReturn(token, abi.encodeWithSelector(token.transferFrom.selector, from, to, value));
        }
    
        function safeApprove(IERC20 token, address spender, uint256 value) internal {
            // safeApprove should only be called when setting an initial allowance,
            // or when resetting it to zero. To increase and decrease it, use
            // 'safeIncreaseAllowance' and 'safeDecreaseAllowance'
            // solhint-disable-next-line max-line-length
            require((value == 0) || (token.allowance(address(this), spender) == 0),
                "SafeERC20: approve from non-zero to non-zero allowance"
            );
            callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, value));
        }
    
        function safeIncreaseAllowance(IERC20 token, address spender, uint256 value) internal {
            uint256 newAllowance = token.allowance(address(this), spender).add(value);
            callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, newAllowance));
        }
    
        function safeDecreaseAllowance(IERC20 token, address spender, uint256 value) internal {
            uint256 newAllowance = token.allowance(address(this), spender).sub(value, "SafeERC20: decreased allowance below zero");
            callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, newAllowance));
        }
    
        /**
         * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
         * on the return value: the return value is optional (but if data is returned, it must not be false).
         * @param token The token targeted by the call.
         * @param data The call data (encoded using abi.encode or one of its variants).
         */
        function callOptionalReturn(IERC20 token, bytes memory data) private {
            // We need to perform a low level call here, to bypass Solidity's return data size checking mechanism, since
            // we're implementing it ourselves.
    
            // A Solidity high level call has three parts:
            //  1. The target address is checked to verify it contains contract code
            //  2. The call itself is made, and success asserted
            //  3. The return value is decoded, which in turn checks the size of the returned data.
            // solhint-disable-next-line max-line-length
            require(address(token).isContract(), "SafeERC20: call to non-contract");
    
            // solhint-disable-next-line avoid-low-level-calls
            (bool success, bytes memory returndata) = address(token).call(data);
            require(success, "SafeERC20: low-level call failed");
    
            if (returndata.length > 0) { // Return data is optional
                // solhint-disable-next-line max-line-length
                require(abi.decode(returndata, (bool)), "SafeERC20: ERC20 operation did not succeed");
            }
        }
    }
    
    // File: contracts/IRewardDistributionRecipient.sol
    
    pragma solidity ^0.5.0;
    
    
    
    contract IRewardDistributionRecipient is Ownable {
        address rewardDistribution;
    
        function notifyRewardAmount(uint256 reward) external;
    
        modifier onlyRewardDistribution() {
            require(_msgSender() == rewardDistribution, "Caller is not reward distribution");
            _;
        }
    
        function setRewardDistribution(address _rewardDistribution)
            external
            onlyOwner
        {
            rewardDistribution = _rewardDistribution;
        }
    }
    
    pragma solidity ^0.5.0;
    
    contract PandaReferralInterface {
      function refPayout(address _userAddr, uint256 _amount) external;
      function register(address _userAddr, address _upline) external;
      function deregister(address _userAddr) external;
      function getHarvestRate(address _userAddr) public view returns(uint8);
    }
    
    pragma solidity ^0.5.0;
    
    
    contract LPTokenWrapper is Ownable{
        using SafeMath for uint256;
        using SafeERC20 for IERC20;
    
        IERC20 public y = IERC20(0x41A614F803B6FD780986A42C78EC9C7F77E6DED13C);
        address payable public buyBackAddress = address(0x41239BECB169248E42F8CB4EED6D04295542C0C829);
        address payable public stakePoolAddress = address(0x416A3C9E4B8084224BD2B948F8AB0FFED1349AC535);
        uint256 private _totalSupply;
        uint8 public unStakeRate = 5;
    
        mapping(address => uint256) private _balances;
    
        function totalSupply() public view returns (uint256) {
            return _totalSupply;
        }
    
        function balanceOf(address account) public view returns (uint256) {
            return _balances[account];
        }
    
        function stake(uint256 amount) internal {
            require(amount == 180*1e6, "Cannot stake invalid amount");
            require(_balances[msg.sender] == 0, "already staked");
            _totalSupply = _totalSupply.add(amount);
            _balances[msg.sender] = _balances[msg.sender].add(amount);
            y.transferFrom(msg.sender, address(this), amount);
    
            uint256 tax = amount.div(5); // 20%
            y.transfer(buyBackAddress, tax);
        }
    
        function withdraw(uint256 amount) public {
            _totalSupply = _totalSupply.sub(amount);
            _balances[msg.sender] = _balances[msg.sender].sub(amount);
    
            uint256 tax = amount.mul(unStakeRate).div(100); // 5%
            y.transfer(stakePoolAddress, tax);
    
            amount = amount.sub(tax);
            y.transfer(msg.sender, amount);
    
        }
    
        function setUnStakeRate(uint8 newRate)
            external
            onlyOwner
        {
            require(newRate >= 0 && newRate <=95, "invalid rate");
            unStakeRate = newRate;
        }
    }
    
    contract UsdtPdaPool is LPTokenWrapper, IRewardDistributionRecipient {
        IERC20 public pda = IERC20(0x41FF384987022FD85471415F325D620E356E2CCCBE);
        PandaReferralInterface public pandaRef = PandaReferralInterface(0x41CCE80441D6B015162A20695D084375D68701CE21);
        address payable public burnAddress = address(0x416FF279DABA737D7AB807E5C929487DD7ECAACF93);
    
        uint256 public constant DURATION = 30 days;// days;
    
        uint256 public initreward = 750*1e18;
        uint256 public starttime = now; //start ts
        uint256 public periodFinish = 0;
        uint256 public rewardRate = 0;
        uint256 public lastUpdateTime;
        uint256 public rewardPerTokenStored;
    
        mapping(address => uint256) public userRewardPerTokenPaid;
        mapping(address => uint256) public rewards;
    
        event RewardAdded(uint256 reward);
        event Staked(address indexed user, uint256 amount);
        event Withdrawn(address indexed user, uint256 amount);
        event RewardPaid(address indexed user, uint256 reward);
    
        modifier updateReward(address account) {
            rewardPerTokenStored = rewardPerToken();
            lastUpdateTime = lastTimeRewardApplicable();
            if (account != address(0)) {
                rewards[account] = earned(account);
                userRewardPerTokenPaid[account] = rewardPerTokenStored;
            }
            _;
        }
    
        function lastTimeRewardApplicable() public view returns (uint256) {
            return Math.min(block.timestamp, periodFinish);
        }
    
        function rewardPerToken() public view returns (uint256) {
            if (totalSupply() == 0) {
                return rewardPerTokenStored;
            }
            return
                rewardPerTokenStored.add(
                    lastTimeRewardApplicable()
                        .sub(lastUpdateTime)
                        .mul(rewardRate)
                        .mul(1e18)
                        .div(totalSupply())
                );
        }
    
        function earned(address account) public view returns (uint256) {
            return
                balanceOf(account)
                    .mul(rewardPerToken().sub(userRewardPerTokenPaid[account]))
                    .div(1e18)
                    .add(rewards[account]);
        }
    
        // stake visibility is public as overriding LPTokenWrapper's stake() function
        function stake(uint256 amount, address upline) public updateReward(msg.sender) checkhalve checkStart{
            require(amount > 0, "Cannot stake 0");
            pandaRef.register(msg.sender, upline);
            LPTokenWrapper.stake(amount);
            emit Staked(msg.sender, amount);
        }
    
        function withdraw(uint256 amount) public updateReward(msg.sender) checkhalve checkStart{
            require(amount == 180*1e6, "Cannot withdraw invalid amount");
            super.withdraw(amount);
            pandaRef.deregister(msg.sender);
            emit Withdrawn(msg.sender, amount);
        }
    
        function exit() external {
            withdraw(balanceOf(msg.sender));
            getReward();
        }
    
        function getReward() public updateReward(msg.sender) checkhalve checkStart{
            uint256 reward = earned(msg.sender);
            if (reward > 0) {
                rewards[msg.sender] = 0;
                uint8 harvestRate = pandaRef.getHarvestRate(msg.sender);
                uint256 harvestFee = reward.mul(harvestRate).div(100);
                pda.safeTransfer(burnAddress, harvestFee);
                reward = reward.sub(harvestFee);
                pda.safeTransfer(msg.sender, reward);
                pandaRef.refPayout(msg.sender, reward);
                emit RewardPaid(msg.sender, reward);
            }
        }
    
        modifier checkhalve(){
            if (block.timestamp >= periodFinish) {
                initreward = initreward.mul(985)/(1000);
                pda.mint(address(this),initreward);
    
                rewardRate = initreward.div(DURATION);
                periodFinish = block.timestamp.add(DURATION);
                emit RewardAdded(initreward);
            }
            _;
        }
        modifier checkStart(){
            require(block.timestamp > starttime,"not start");
            _;
        }
    
        function notifyRewardAmount(uint256 reward)
            external
            onlyRewardDistribution
            updateReward(address(0))
        {
            if (block.timestamp >= periodFinish) {
                rewardRate = reward.div(DURATION);
            } else {
                uint256 remaining = periodFinish.sub(block.timestamp);
                uint256 leftover = remaining.mul(rewardRate);
                rewardRate = reward.add(leftover).div(DURATION);
            }
            pda.mint(address(this),reward);
            lastUpdateTime = block.timestamp;
            periodFinish = block.timestamp.add(DURATION);
            emit RewardAdded(reward);
        }
    }
    
    
    	

    Function Graph

    TronWin888 Panda Referral Smart Contract Graph

    Inheritence Chart

    TronWin888 Panda Referral Smart Contract Inheritance

    Functions Overview

    
    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] mint #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     +  PandaReferral 
        - [Pub]  #
        - [Ext]  ($)
        - [Prv] _setUpline #
        - [Prv] _refPayout #
        - [Ext] refPayout #
           - modifiers: onlyAllowedContract
        - [Ext] register #
           - modifiers: onlyAllowedContract
        - [Ext] deregister #
           - modifiers: onlyAllowedContract
        - [Pub] getHarvestRate
        - [Pub] getHarvestLevel
        - [Ext] addToAllowList #
           - modifiers: onlyOwner
        - [Ext] removeFromAllowList #
           - modifiers: onlyOwner
    
     + [Lib] SafeMath 
        - [Int] mul
        - [Int] div
        - [Int] sub
        - [Int] add
    
    
    							

    Click here to download the source code as a .sol file.

    
    pragma solidity 0.5.10;
    
    /**
     * @dev Interface of the ERC20 standard as defined in the EIP. Does not include
     * the optional functions; to access them see {ERC20Detailed}.
     */
    interface IERC20 {
        /**
         * @dev Returns the amount of tokens in existence.
         */
        function totalSupply() external view returns (uint256);
    
        /**
         * @dev Returns the amount of tokens owned by `account`.
         */
        function balanceOf(address account) external view returns (uint256);
    
        /**
         * @dev Moves `amount` tokens from the caller's account to `recipient`.
         *
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * Emits a {Transfer} event.
         */
        function transfer(address recipient, uint256 amount) external returns (bool);
        function mint(address account, uint amount) external;
    
        /**
         * @dev Returns the remaining number of tokens that `spender` will be
         * allowed to spend on behalf of `owner` through {transferFrom}. This is
         * zero by default.
         *
         * This value changes when {approve} or {transferFrom} are called.
         */
        function allowance(address owner, address spender) external view returns (uint256);
    
        /**
         * @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
         *
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * IMPORTANT: Beware that changing an allowance with this method brings the risk
         * that someone may use both the old and the new allowance by unfortunate
         * transaction ordering. One possible solution to mitigate this race
         * condition is to first reduce the spender's allowance to 0 and set the
         * desired value afterwards:
         * https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
         *
         * Emits an {Approval} event.
         */
        function approve(address spender, uint256 amount) external returns (bool);
    
        /**
         * @dev Moves `amount` tokens from `sender` to `recipient` using the
         * allowance mechanism. `amount` is then deducted from the caller's
         * allowance.
         *
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * Emits a {Transfer} event.
         */
        function transferFrom(address sender, address recipient, uint256 amount) external returns (bool);
    
        /**
         * @dev Emitted when `value` tokens are moved from one account (`from`) to
         * another (`to`).
         *
         * Note that `value` may be zero.
         */
        event Transfer(address indexed from, address indexed to, uint256 value);
    
        /**
         * @dev Emitted when the allowance of a `spender` for an `owner` is set by
         * a call to {approve}. `value` is the new allowance.
         */
        event Approval(address indexed owner, address indexed spender, uint256 value);
    }
    
    contract PandaReferral {
        modifier onlyAllowedContract() {
            require(isAllowed[msg.sender] == true, "not allowed!");
            _;
        }
    
        modifier onlyOwner() {
          require(msg.sender == owner, "only owner!");
          _;
        }
    
        using SafeMath for uint256;
    
        struct User {
            address upline;
            uint256 referrals;
            uint256 total_payouts;
            uint256 total_structure;
        }
    
        address payable public owner;
        mapping(address => User) public users;
        mapping(uint256 => address) public id2Address;
        mapping(address => uint256) public address2Id;
        mapping(address => bool) public isAllowed;
    
        IERC20 public panda = IERC20(0x41FF384987022FD85471415F325D620E356E2CCCBE);
    
        uint8[] public ref_bonuses;
        uint8[] public ref_requirement;
        uint256 public total_users = 1;
    
        event Upline(address indexed addr, address indexed upline);
        event RefPayout(address indexed addr, address indexed upline, uint256 amount);
        constructor() public {
            owner = msg.sender;
    
            _setUpline(owner, owner);
    
            ref_bonuses.push(5);
            ref_requirement.push(3);
            ref_bonuses.push(5);
            ref_requirement.push(3);
            ref_bonuses.push(5);
            ref_requirement.push(3);
    
            ref_bonuses.push(3);
            ref_requirement.push(5);
            ref_bonuses.push(3);
            ref_requirement.push(5);
            ref_bonuses.push(3);
            ref_requirement.push(5);
            ref_bonuses.push(3);
            ref_requirement.push(5);
            ref_bonuses.push(3);
            ref_requirement.push(5);
    
            ref_bonuses.push(1);
            ref_requirement.push(9);
            ref_bonuses.push(1);
            ref_requirement.push(9);
            ref_bonuses.push(1);
            ref_requirement.push(9);
            ref_bonuses.push(1);
            ref_requirement.push(9);
            ref_bonuses.push(1);
            ref_requirement.push(9);
            ref_bonuses.push(1);
            ref_requirement.push(9);
            ref_bonuses.push(1);
            ref_requirement.push(9);
    
        }
    
        function() payable external {
          owner.transfer(msg.value);
        }
    
        function _setUpline(address _addr, address _upline) private {
            if(users[_addr].upline == address(0) && ((_addr != _upline && address2Id[_upline] > 0)  || _addr == owner)) {
                users[_addr].upline = _upline;
                users[_upline].referrals = users[_upline].referrals.add(1);
    
                emit Upline(_addr, _upline);
                id2Address[total_users] = _addr;
                address2Id[_addr] = total_users;
                total_users++;
    
                for(uint8 i = 0; i < ref_bonuses.length; i++) {
                    if(_upline == address(0)) break;
    
                    users[_upline].total_structure++;
    
                    _upline = users[_upline].upline;
                }
            }
            else if(users[_addr].upline != address(0) && users[users[_addr].upline].upline != address(0)){
              users[_upline].referrals = users[_upline].referrals.add(1);
            }
        }
    
    
        function _refPayout(address _addr, uint256 _amount) private {
            address up = users[_addr].upline;
    
            for(uint8 i = 0; i < ref_bonuses.length; i++) {
                if(up == address(0)) break;
    
                if(users[up].referrals >= ref_requirement[i] || up == owner) {
                    uint256 bonus = (_amount.mul(ref_bonuses[i])).div(100);
    
                    users[up].total_payouts = users[up].total_payouts.add(bonus);
                    panda.mint(up, bonus);
    
                    emit RefPayout(_addr, up, bonus);
                }
    
                up = users[up].upline;
            }
        }
    
    
    
        function refPayout(address _userAddr, uint256 _amount) onlyAllowedContract() external {
          require(address2Id[_userAddr] > 0, "unregistered user");
          _refPayout(_userAddr, _amount);
        }
    
        function register(address _userAddr, address payable _upline) onlyAllowedContract() external {
          if(_userAddr == _upline || address2Id[_upline] == 0){
            _setUpline(_userAddr, owner);
          }
          else{
            _setUpline(_userAddr, _upline);
          }
    
        }
    
        function deregister(address _userAddr) onlyAllowedContract() external {
          address upline = users[_userAddr].upline;
          require(address2Id[_userAddr] > 0, "unregistered user");
          require(upline != address(0), "invalidUpline");
          require(users[upline].referrals > 0, "invliad amount of referrals");
    
          users[upline].referrals = users[upline].referrals.sub(1);
        }
    
        function getHarvestRate(address _userAddr) public view returns(uint8) {
          uint256 referrals = users[_userAddr].referrals;
          if(referrals>=100){
            return 20;
          }
          else if(referrals>=40){
            return 23;
          }
          else if(referrals>=20){
            return 26;
          }
          else if(referrals>=4){
            return 28;
          }
          else{
            return 50;
          }
    
        }
    
        function getHarvestLevel(address _userAddr) public view returns(uint8) {
          uint256 referrals = users[_userAddr].referrals;
          if(referrals>=100){
            return 5;
          }
          else if(referrals>=40){
            return 4;
          }
          else if(referrals>=20){
            return 3;
          }
          else if(referrals>=4){
            return 2;
          }
          else{
            return 1;
          }
    
        }
    
        function addToAllowList(address _addr) onlyOwner() external {
          isAllowed[_addr] = true;
        }
    
        function removeFromAllowList(address _addr) onlyOwner() external {
          isAllowed[_addr] = false;
        }
    }
    
    /**
     * @title SafeMath
     * @dev Math operations with safety checks that throw on error
     */
    library SafeMath {
    
      /**
      * @dev Multiplies two numbers, throws on overflow.
      */
      function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) {
          return 0;
        }
        uint256 c = a * b;
        assert(c / a == b);
        return c;
      }
    
      /**
      * @dev Integer division of two numbers, truncating the quotient.
      */
      function div(uint256 a, uint256 b) internal pure returns (uint256) {
        // assert(b > 0); // Solidity automatically throws when dividing by 0
        uint256 c = a / b;
        // assert(a == b * c + a % b); // There is no case in which this doesn't hold
        return c;
      }
    
      /**
      * @dev Subtracts two numbers, throws on overflow (i.e. if subtrahend is greater than minuend).
      */
      function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        assert(b <= a);
        return a - b;
      }
    
      /**
      * @dev Adds two numbers, throws on overflow.
      */
      function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        assert(c >= a);
        return c;
      }
    }