tLaunchpad

Smart Contract Audit Report

Audit Summary

tLaunchpad is building a new IDO launchpad and token locking mechanism.

For this audit, we reviewed the project team's TKOPower, IDOFactory, and IDO contracts at commit eeed74b5a6030e32ca4402da9c6343b9f4be699f on the team's Github repository.

Audit Findings

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem.
Date: May 18th, 2022.
Updated: May 31st, 2022 to reflect changes made to the TKOPower contract that resolves Finding #1.
Finding #1 - TKOPower - High (Resolved)
Description: There is a mismatch between the ratio of Power tokens that are calculated in the lock() function and _transfer() function.
function lock(uint256 _amount) external nonReentrant {
...
if (power >= 100e18 && power < 400e18) {
	power = power / 100;
} else if (power >= 400e18 && power < 1200e18) {
	power = power * 11 / 1000;
} else if (power >= 1200e18 && power < 4000e18) {
	power =  power * 115 /10000;
} else if (power >= 4000e18 && power < 12000e18) {
	power = power * 12 / 1000;
} else if (power >= 12000e18) {
	power = power * 125 / 10000;
} else {
	power = 0;   
}
...
function _transfer(address from, address to, uint256 amount) internal override nonReentrant {
...
  else {
	stakeTime[from] = timestamp;
	if (amount >= 4e18 && amount < 12e18) {
		tkoAmount = amount * 10 / 11;   
	} else if (amount >= 12e18 && amount < 40e18) {
		tkoAmount = amount * 100 / 115;
	} else if (amount >= 40e18 && amount < 120e18) {
		tkoAmount = amount * 10 / 12;
	} else if (amount >= 120e18) {
		tkoAmount = amount * 100 / 125;
	} else {
		tkoAmount = amount * 100;    
	}
}
stakedAmount[from] -= tkoAmount;       
stakedAmount[to] += tkoAmount;
Risk/Impact: When a user locks tokens after they are transferred Power tokens, the minimum number of TKO tokens a user must lock will be inaccurate as the Power token balance for the user is miscalculated.
Recommendation: The team should modify these Power token calculations to properly fit their intended functionality.
Resolution: The team has disabled the ability to transfer Power tokens.

Contracts Overview

The contracts utilize ReentrancyGuard to prevent against reentrancy attacks in applicable functions.
As the contracts are implemented with Solidity v0.8.x, they are safe from any possible overflows/underflows.
TKOPower Contract:
Any user can use this contract to lock TKO tokens in order to claim them at a later date.
The TKO token address will be set upon deployment.
Users can lock at least 10,000 TKO tokens (in multiples of 10,000) into the contract if they currently do not have any pending tokens to claim.
The user must grant the contract a sufficient allowance in order for this transaction to be successful.
Upon locking tokens, a number of Power tokens will be calculated based on the total number of TKO tokens the user currently has locked in the contract. If the user's total number of locked tokens is:
Less than 100, their Power value will be 0.
Between 100 and 399, their Power value will be 1% of their total number of locked tokens.
Between 400 and 1199, their Power value will be 1.1% of their total number of locked tokens.
Between 1,200 and 3,999, their Power value will be 1.15% of their total number of locked tokens.
Between 4,000 and 11,999, their Power value will be 1.2% of their total number of locked tokens.
12,000 or more, their Power value will be 1.25% of their total number of locked tokens.
The user will only be minted Power tokens if the calculated Power value is greater than their current Power balance.
Users can unlock their tokens when the lock period (determined by the owner) has passed since their last deposit.
Upon unlocking tokens, the user's full Power token balance will be burned and their claim time will be set based on the claim lock period of the contract (determined by the owner).
Users can claim tokens when the claim lock period has passed. The user's full deposited TKO amount will be sent to their wallet address from the contract.
Tokens transfers are disabled on the platform.
The owner can set the lock period and claim lock period to any values at any time.
IDOFactory Contract:
Addresses assigned to the OPS Role by the team can use this contract to generate a new IDO contract where users will be able to deposit ETH or the specified payment token into the contract in exchange for an amount of the Presale token.
The team will set the addresses of the Presale token and the payment token upon the creation of the contract.
The team will also specify the cost per Presale token, the minimum & maximum number of tokens a user can use for swapping, whether or not users must be whitelisted to participate, the withdraw fee percentage, the owner of the created contract, and the start time & end of the sale.
Ownership will be transferred to the specified owner address upon creation.
IDO Contract:
Any user can fund the contract as long as the start time has not yet passed by entering in a number of tokens that will be sent to the contract.
Users must grant the contract a sufficient allowance in order for the transfer to be successful.
The sale will be considered completely funded when the total number of Presale tokens sent to the contract reaches the threshold value that was specified by the creator.
Users can initiate a swap by entering a number of tokens to purchase once the start date has passed (and before the end date has passed) and the sale has been completely funded.
The contract uses an off-chain generated Merkle tree to store and verify addresses that are whitelisted for swapping when a whitelist is enforced in the contract.
The user must provide a proof that can be used to verify against the Merkle tree to ensure that the user is indeed whitelisted.
If the creator has specified that the payment is in ETH, the user must have supplied a sufficient amount of ETH to cover the cost of the transaction. Any excess ETH is returned to the user.
If the creator has specified a token address for the payment, the tokens will be transferred from the user to the contract to cover the cost of the transaction. Users must grant the contract a sufficient allowance in order for the transfer to be successful.
The cost per Presale token is specified by the creator upon deployment.
The Presale tokens will be sent to the user from the contract if the creator has specified that the swapping process is atomic.
If the swap was not specified as atomic, users must manually redeem their tokens and can do so after the end date has passed.
When redeeming tokens, if the minimum number of total purchased tokens (specified by the creator) for the Presale has been met, the Presale tokens due to the user will be transferred from the contract to their wallet address.
If the minimum number of total purchased tokens for the Presale has not been met, any number of tokens or ETH supplied by the user during the swapping process will be returned.
The owner can withdraw all of the payment tokens or ETH from the contract after the end date has passed and the minimum number of total tokens for the Presale was met.
A fee will be charged on all withdraws that will be sent to the fee address specified by the team.
The owner can withdraw any unsold tokens from the contract after the end date has passed.
The owner can withdraw any tokens besides the Presale token and the Payment token from the contract at any time.

Audit Results

Vulnerability Category	Notes	Result
Arbitrary Jump/Storage Write	N/A	PASS
Centralization of Control	The owner can set the lock period and claim lock period to any values in the TKOPower contract. The team can set the withdraw fee to any percentage in the IDOFactory contract.	WARNING
Compiler Issues	N/A	PASS
Delegate Call to Untrusted Contract	N/A	PASS
Dependence on Predictable Variables	N/A	PASS
Ether/Token Theft	N/A	PASS
Flash Loans	N/A	PASS
Front Running	N/A	PASS
Improper Events	N/A	PASS
Improper Authorization Scheme	N/A	PASS
Integer Over/Underflow	N/A	PASS
Logical Issues	N/A	PASS
Oracle Issues	N/A	PASS
Outdated Compiler Version	N/A	PASS
Race Conditions	N/A	PASS
Reentrancy	N/A	PASS
Signature Issues	N/A	PASS
Unbounded Loops	N/A	PASS
Unused Code	N/A	PASS
Overall Contract Safety		PASS

TKOPower Contract

Smart Contract Audit - Inheritance

Smart Contract Audit - Graph


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public
 
 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20Metadata (IERC20)
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  ERC20 (Context, IERC20, IERC20Metadata)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _spendAllowance #
    - [Int] _beforeTokenTransfer #
    - [Int] _afterTokenTransfer #

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Int] functionDelegateCall #
    - [Int] functionDelegateCall #
    - [Int] verifyCallResult

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 +  ReentrancyGuard 
    - [Pub]  #

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 +  TKOPower (ERC20, Ownable, ReentrancyGuard)
    - [Pub]  #
       - modifiers: ERC20
    - [Ext] setLockPeriod #
       - modifiers: onlyOwner
    - [Ext] setClaimLockPeriod #
       - modifiers: onlyOwner
    - [Ext] setProxyAddressBatch #
       - modifiers: onlyOwner
    - [Ext] lock #
       - modifiers: nonReentrant
    - [Ext] unlock #
       - modifiers: nonReentrant
    - [Ext] claim #
       - modifiers: nonReentrant
    - [Int] _transfer #
       - modifiers: nonReentrant

IDOFactory and IDO Contracts

Smart Contract Audit - Inheritance

Smart Contract Audit - Graph


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public
 
 + [Int] IAccessControl 
    - [Ext] hasRole
    - [Ext] getRoleAdmin
    - [Ext] grantRole #
    - [Ext] revokeRole #
    - [Ext] renounceRole #

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 + [Lib] Strings 
    - [Int] toString
    - [Int] toHexString
    - [Int] toHexString
    - [Int] toHexString

 + [Int] IERC165 
    - [Ext] supportsInterface

 +  ERC165 (IERC165)
    - [Pub] supportsInterface

 +  AccessControl (Context, IAccessControl, ERC165)
    - [Pub] supportsInterface
    - [Pub] hasRole
    - [Int] _checkRole
    - [Int] _checkRole
    - [Pub] getRoleAdmin
    - [Pub] grantRole #
       - modifiers: onlyRole
    - [Pub] revokeRole #
       - modifiers: onlyRole
    - [Pub] renounceRole #
    - [Int] _setupRole #
    - [Int] _setRoleAdmin #
    - [Int] _grantRole #
    - [Int] _revokeRole #

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 +  ReentrancyGuard 
    - [Pub]  #

 + [Lib] MerkleProof 
    - [Int] verify
    - [Int] processProof
    - [Prv] _efficientHash

 + [Lib] Counters 
    - [Int] current
    - [Int] increment #
    - [Int] decrement #
    - [Int] reset #

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Int] functionDelegateCall #
    - [Int] functionDelegateCall #
    - [Int] verifyCallResult

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 + [Int] IERC20Decimals (IERC20)
    - [Ext] decimals

 +  IDO (Ownable, ReentrancyGuard)
    - [Pub]  #
    - [Ext] setMerkleRoot #
       - modifiers: onlyOwner
    - [Pub] setTokenURI #
       - modifiers: onlyOwner
    - [Ext] lastId
    - [Ext] fund #
       - modifiers: nonReentrant
    - [Ext] swap ($)
    - [Ext] swap ($)
    - [Int] swapint #
       - modifiers: nonReentrant
    - [Ext] redeemTokens #
       - modifiers: isNotAtomicSwap,isSaleFinalized,nonReentrant
    - [Ext] redeemGivenMinimumGoalNotAchieved #
       - modifiers: isNotAtomicSwap,isSaleFinalized,nonReentrant
    - [Ext] withdrawFunds #
       - modifiers: onlyOwner,isSaleFinalized
    - [Ext] withdrawUnsoldTokens #
       - modifiers: onlyOwner,isSaleFinalized
    - [Ext] removeOtherbep20Tokens #
       - modifiers: onlyOwner,isSaleFinalized

 +  IDOFactory (AccessControl)
    - [Pub]  #
    - [Ext] changeFeeAddress #
       - modifiers: onlyRole
    - [Ext] createIDO #
       - modifiers: onlyRole

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.

Go Home

SourceHat