Zelda Inu - Audit Report


Zelda Inu ($ZLDA) is a new BEP20 token on the Binance Smart Chain that features automatic liquidity adds and pays holders dividends in BUSD.

We reviewed the ZeldaINU contract that is deployed at 0x26a7546c8f5e5f706cb598CAA68134f6eCf8d657 on the Binance Smart Chain mainnet.

Notes on the Contract:

  • The total supply of the token is set to 600 million $ZLDA [600,000,000].
  • No mint or burn functions are present, though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.
  • At the time of writing this report, 15% of the total supply has been sent to the 0x..dead address.
  • 14% of the total supply belongs to a token vesting contract behind a proxy.
  • 7.57% of the total supply is in Pancakeswap liquidity.
  • Of that liquidity, 86.92% of the LP tokens also belong to the token vesting contract behind a proxy.
  • 12.69% of the LP tokens belong to the owner.
  • The next five holders own a cumulative 13.27% of the total supply.

  • A Reflection fee, Liquidity Fee, Marketing Fee, Ecosystem Fee, and Burn fee are charged on all transfers where neither the sender nor the recipient is excluded from fees.
  • The fees that are charged on transactions are stored in the contract address balance. Once a threshold value of $ZLDA (specified by the team) is met, the tokens are swapped for BNB for the purpose of being distributed to the team's Ecosystem wallet, Marketing wallet, the Dividend Distributor Contract, and to support the automatic liquidity adding mechanism.
  • Liquidity-adds are funded by selling half of the tokens allocated to funding liquidity, pairing the received BNB with the token, and adding it as liquidity to the BNB pair.
  • The LP tokens received through this process are sent to the team's Liquidity wallet. We recommend that the team locks these newly acquired LP tokens.
  • The portions of the tokens collected from the Marketing Fee and Ecosystem Fee are swapped for BNB and sent to the team's Marketing Wallet and Ecosystem Wallet respectively.
  • The final portion of the tokens, collected from the Reward Fee, is swapped for BUSD and instantly sent to the Dividend Distributor Contract by use of the deposit function. The BUSD that is received by the contract is stored in the contract address until dividends are distributed.
  • The tokens collected from the burn fee are sent to the Burn fee receiver address set by the team. This address is currently set to the 0x00 address but can be updated by the team at any time.

  • A user must hold an amount of $ZLDA tokens (specified by the team) to be eligible for dividends.
  • Once dividends are distributed, they will need to be claimed; claiming happens automatically on each transfer.
  • Dividend rewards can also be claimed manually by kicking off the claim cycle, which will process all eligible token holders.
  • Alternatively, a user can manually claim dividends as an individual.
  • There is a wait-time of 2700 seconds (45 minutes) between claiming dividend rewards.
  • Claimed dividends are sent to the user's wallet address.
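
The dividend rules above (minimum holding, 2700-second wait, claim cycle over all eligible holders) can be modelled in a few lines to see which holders a given configuration actually pays. This is an added example, not the deployed DividendDistributor code: the per-share accumulator, the strict inequalities, the `min_payout` gate and all balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SCALE = 10**36  # assumed fixed-point scale for the per-share accumulator


@dataclass
class Holder:
    shares: int          # $ZLDA balance that counts toward dividends
    excluded: int = 0    # dividends already paid out to this holder
    last_claim: int = 0  # timestamp of the last payout


class DistributorModel:
    def __init__(self, balances, min_hold, min_period=2700, min_payout=0):
        # Holders below the team-set minimum holding get no shares (assumed >=).
        self.holders = {a: Holder(b) for a, b in balances.items() if b >= min_hold}
        self.total_shares = sum(h.shares for h in self.holders.values())
        self.min_period, self.min_payout = min_period, min_payout
        self.per_share = 0

    def deposit(self, busd):
        """BUSD arriving from the token contract raises every share's entitlement."""
        self.per_share += busd * SCALE // self.total_shares

    def unpaid(self, addr):
        h = self.holders[addr]
        return h.shares * self.per_share // SCALE - h.excluded

    def should_distribute(self, addr, now):
        h = self.holders[addr]
        return h.last_claim + self.min_period < now and self.unpaid(addr) > self.min_payout

    def process(self, now):
        """One claim cycle: pay every holder that passes both gates."""
        paid = {}
        for addr, h in self.holders.items():
            if self.should_distribute(addr, now):
                paid[addr] = self.unpaid(addr)
                h.excluded += paid[addr]
                h.last_claim = now
        return paid

    def starved(self):
        """Holders whose accrued dividends cannot clear the minimum payout."""
        return sorted(a for a in self.holders if 0 < self.unpaid(a) <= self.min_payout)
```

Running `starved()` against a snapshot of holder balances before changing the wait time or minimum payout shows who would stop receiving dividends under the new values.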

  • The contract includes functionality to interact with an external antibot contract. The antibot contract was out of scope for the purpose of this audit.
  • Some gas optimizations can be achieved through declaring functions external instead of public, and some variables could be declared constant. As this contract is already deployed, this is merely informational.
  • The contract utilizes the SafeMath library to prevent overflows along with following the BEP20 standard.

Ownership Controls:
  • The owner can assign any addresses to an Authorized role which can be used to maintain control over various role-restricted functions within the ecosystem.
  • The owner can enable or disable trading at any time. This will prevent all transfers unless the sender or recipient is an Authorized address.
  • The owner can enable/disable the use of a blacklist, as well as add/remove addresses from it at any time. Addresses that are added to the blacklist will not be able to participate in transfers.
  • The owner can set and update a cooldown time that must elapse in between transfers when the same address is buying tokens from Pancakeswap.
  • The owner can set and update a maximum wallet amount at any time. The maximum wallet amount will prevent transfers from occurring if the recipient's amount of owned $ZLDA tokens will exceed the limit that is set by the team.
  • The owner can set and update a maximum transaction amount at any time, which will impose a limit to the number of tokens that can be transferred during any given transaction.
  • The owner can update the sell multiplier value, which increases fees on selling transactions, to any amount at any time. The team should exercise caution when setting this multiplier to ensure that holders are not locked out of selling.
  • The owner can airdrop any amount of tokens to any user. A for loop is used to transfer funds for the airdrop; the team must ensure the maximum number of addresses that can be involved in a single airdrop is no more than 350 to prevent this loop from hitting the block gas limit.

  • Authorized addresses can set each fee percentage to any amount at any time as long as the sum of the fees does not exceed 50%.
  • Authorized addresses can withdraw any BEP20 tokens or BNB from the contract address at any time.
  • Authorized addresses can update the Ecosystem, Marketing, Liquidity, and Burn wallets to any addresses at any time.
  • Authorized addresses can exclude addresses from fees, cooldowns, and the maximum transaction amount at any time.
  • Authorized addresses can exclude any address from dividends at any time.
  • Authorized addresses can enable and disable swapping, and update the contract token balance threshold for swapping at any time.
  • Authorized addresses can update the maximum amount of gas used for processing to any value up to 750,000 at any time. We do not recommend setting a value below 200,000.
  • Authorized addresses can update the amount of time that must elapse between claiming dividends to any amount of time. Authorized addresses can also update the minimum rewards payout that a holder must have in order to be able to claim. We recommend the team exercises caution when setting these values, to avoid locking out holders from claiming entirely.
  • Authorized addresses can transfer any BNB that is held in the contract address balance to their own wallet or the team's Marketing wallet at any time.
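
To make the combined effect of these controls concrete, the following added example (not the deployed ZeldaINU code) models a pre-flight check for a single transfer and reports which team-settable control would block it. The order of checks, the percent-based fee formula, the multiplier base of 100, the pair's exemption from the wallet limit and all names and values are assumptions; exemptions from cooldowns and the transaction limit are left out.

```python
from dataclasses import dataclass, field

PAIR = "pancake_pair"  # placeholder label for the Pancakeswap pair address


@dataclass
class Controls:
    """Team-settable parameters named in the report; every value here is constructed."""
    trading_open: bool = True
    blacklist_on: bool = False
    blacklist: set = field(default_factory=set)
    authorized: set = field(default_factory=set)
    fee_exempt: set = field(default_factory=set)
    cooldown: int = 0            # seconds between buys by one address
    max_wallet: int = 10**9
    max_tx: int = 10**9
    total_fee: int = 10          # percent; the report states a 50% cap
    sell_multiplier: int = 100   # assumption: 100 means sells pay the base fee


def check_transfer(c, sender, recipient, amount, balances=None, now=0, last_buy=None):
    """Return (allowed, reason, tokens_received) for one transfer under controls c."""
    balances, last_buy = balances or {}, last_buy or {}
    if c.total_fee > 50:
        raise ValueError("sum of fees above the 50% cap")
    if not c.trading_open and not ({sender, recipient} & c.authorized):
        return False, "trading disabled", 0
    if c.blacklist_on and ({sender, recipient} & c.blacklist):
        return False, "blacklisted", 0
    if amount > c.max_tx:
        return False, "max transaction", 0
    if sender == PAIR and recipient in last_buy and now < last_buy[recipient] + c.cooldown:
        return False, "buy cooldown", 0
    fee = 0
    if sender not in c.fee_exempt and recipient not in c.fee_exempt:
        mult = c.sell_multiplier if recipient == PAIR else 100
        fee = amount * c.total_fee * mult // (100 * 100)
    if fee >= amount > 0:
        return False, "fee consumes the whole amount", 0  # sellers are locked out
    if recipient != PAIR and balances.get(recipient, 0) + amount > c.max_wallet:
        return False, "max wallet", 0
    return True, "ok", amount - fee
```

Under these assumptions a 50% total fee with a sell multiplier of 200 still lets holders buy while every sell is rejected, which is the lock-out the report cautions against.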

Audit Findings Summary
  • No external threats were identified.
  • Please ensure trust in the team prior to investing, as they have substantial control in the ecosystem and currently own 100% of the total supply.
  • Further, ensure trust in the team as they are responsible for properly setting the dividend rewards mechanism.
  • Date: December 16th, 2021
  • Updated: January 2nd, 2022 to reflect the contract's new mainnet address.

External Threat Results

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Centralization of Control | The owner can set total fees up to 50%. The owner is responsible for properly setting the dividend rewards mechanism. | |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unbounded Loop | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |

BEP20 Token Graph

Multi-file Token

    ($) = payable function
     # = non-constant function
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
     + [Int] IBEP20 
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
     +  Auth 
        - [Pub]  #
        - [Pub] authorize #
           - modifiers: onlyOwner
        - [Pub] unauthorize #
           - modifiers: onlyOwner
        - [Pub] isOwner
        - [Pub] isAuthorized
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
     + [Int] IDEXFactory 
        - [Ext] createPair #
     + [Int] IDEXRouter 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
     + [Int] IDividendDistributor 
        - [Ext] setDistributionCriteria #
        - [Ext] setShare #
        - [Ext] deposit ($)
        - [Ext] process #
     +  DividendDistributor (IDividendDistributor)
        - [Pub]  #
        - [Ext] setDistributionCriteria #
           - modifiers: onlyToken
        - [Ext] setShare #
           - modifiers: onlyToken
        - [Ext] deposit ($)
           - modifiers: onlyToken
        - [Ext] process #
           - modifiers: onlyToken
        - [Int] shouldDistribute
        - [Int] distributeDividend #
        - [Ext] claimDividend #
        - [Pub] getUnpaidEarnings
        - [Int] getCumulativeDividends
        - [Int] addShareholder #
        - [Int] removeShareholder #
     +  ZeldaINU (IBEP20, Auth)
        - [Pub]  #
           - modifiers: Auth
        - [Ext]  ($)
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Pub] balanceOf
        - [Ext] allowance
        - [Pub] approve #
        - [Ext] approveMax #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Ext] setMaxWalletPercent_base1000 #
           - modifiers: onlyOwner
        - [Ext] setMaxTxPercent_base1000 #
           - modifiers: onlyOwner
        - [Ext] setTxLimit #
           - modifiers: authorized
        - [Int] _transferFrom #
        - [Int] _basicTransfer #
        - [Int] checkTxLimit
        - [Int] shouldTakeFee
        - [Int] takeFee #
        - [Int] shouldSwapBack
        - [Ext] clearStuckBalance #
           - modifiers: authorized
        - [Ext] clearStuckBalance_sender #
           - modifiers: authorized
        - [Ext] set_sell_multiplier #
           - modifiers: onlyOwner
        - [Pub] tradingStatus #
           - modifiers: onlyOwner
        - [Pub] cooldownEnabled #
           - modifiers: onlyOwner
        - [Int] swapBack #
           - modifiers: swapping
        - [Ext] setIsDividendExempt #
           - modifiers: authorized
        - [Pub] enable_blacklist #
           - modifiers: onlyOwner
        - [Pub] manage_blacklist #
           - modifiers: onlyOwner
        - [Ext] setIsFeeExempt #
           - modifiers: authorized
        - [Ext] setIsTxLimitExempt #
           - modifiers: authorized
        - [Ext] setIsTimelockExempt #
           - modifiers: authorized
        - [Ext] setFees #
           - modifiers: authorized
        - [Ext] setFeeReceivers #
           - modifiers: authorized
        - [Ext] setSwapBackSettings #
           - modifiers: authorized
        - [Ext] setTargetLiquidity #
           - modifiers: authorized
        - [Ext] setDistributionCriteria #
           - modifiers: authorized
        - [Ext] setDistributorSettings #
           - modifiers: authorized
        - [Pub] getCirculatingSupply
        - [Pub] getLiquidityBacking
        - [Pub] isOverLiquified
        - [Ext] multiTransfer #
           - modifiers: onlyOwner
        - [Ext] multiTransfer_fixed #
           - modifiers: onlyOwner