xYeld Token - Smart Contract Audit Report

Summary

xYeld is a new reward token that is part of the PolyYeld yield farming ecosystem, some of which was previously reviewed by our team.

For this audit, we reviewed xYeld's contracts at commit 0x90AC3fa9fCD997B168f218041de26eB01399Bb55 on the Polygon Mainnet.

Notes on the Contract:
  • The total supply of the token is 1,076.
  • The token can be minted by its owner up to the maximum supply of 7,728 tokens.
  • 47.4% of the token's supply is held in the MasterChef staking contract.
  • 25.5% of the supply is held in two liquidity pools.
  • ~95% of liquidity has been staked into the MasterChef contract. The deployer holds ~5% of the LP tokens unlocked.
  • 11% of the token's supply is held in a different MasterChef staking contract.
  • The team holds ~9% of the token's supply unlocked.
  • ~5% of the token's supply has been burned.
  • The next largest holder has 0.35%.

  • The token is designed to be a governance token where 1 token = 1 vote.
  • Token holders can delegate their voting rights to any address. To save gas, users can also do so using an EIP-712 signature.
  • There is a 3% fee charged on transfers of the token.
  • The tokens from this fee are stored in the contract and, once a threshold value is met, used to fund Uniswap liquidity.
  • Liquidity-adds are funded by selling half of the tokens collected as fees, pairing the received MATIC with the token, and adding it as liquidity to the MATIC pair.
  • The team will receive the LP tokens from this process.
  • The operator of the contract (the team) can alter the token's tax rate, up to a maximum rate of 10%.
  • The team can also update the minimum number of tokens to trigger a swap and liquify event, and toggle if swap and liquify is enabled.
  • The team can enable and disable the liquidity-adding mechanism at any time. Additionally, the team can update the threshold of tokens needed to trigger a liquidity-add.
  • Some functions could have been declared external instead of public to save some gas on each call.
  • The contract utilizes SafeMath to prevent overflow issues.

Audit Findings Summary:
  • No security issues from outside attackers were identified.
  • As with any presale, ensure trust in the team prior to investing.
  • Date: July 20th, 2021.
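
The transfer fee and liquidity-add flow described in the notes above can be followed with a small integer model. This is an added example, not the xYeld contract's code: the pool reserves, the threshold, the 0.3% constant-product swap fee, the trigger check running before the fee is collected, and all class and method names are assumptions made for illustration.

```python
from math import isqrt

MAX_TAX_BP = 1000  # report: operator may raise the tax to at most 10%

class FeeToLiquidityModel:
    """Integer model; reserves, threshold and the 0.3% pool fee are assumed values."""

    def __init__(self, pool_token, pool_matic, tax_bp=300, min_to_liquify=3_000):
        self.pool_token, self.pool_matic = pool_token, pool_matic
        self.tax_bp, self.min_to_liquify = tax_bp, min_to_liquify
        self.enabled = True                    # operator toggle for swap-and-liquify
        self.held_token = self.held_matic = 0  # balances kept by the token contract
        self.lp_supply = isqrt(pool_token * pool_matic)
        self.team_lp = 0

    def update_tax(self, new_bp):              # operator-only in the audited contract
        if new_bp > MAX_TAX_BP:
            raise ValueError("tax rate above 10% cap")
        self.tax_bp = new_bp

    def transfer(self, amount):
        """Return what the recipient receives after the transfer tax."""
        if self.enabled and self.held_token >= self.min_to_liquify:
            self.swap_and_liquify()
        fee = amount * self.tax_bp // 10_000
        self.held_token += fee
        return amount - fee

    def swap_and_liquify(self):
        half = self.held_token // 2
        other = self.held_token - half
        # 1) sell half for MATIC: x*y=k pool with a 0.3% input fee
        matic_out = half * 997 * self.pool_matic // (self.pool_token * 1000 + half * 997)
        self.pool_token += half
        self.pool_matic -= matic_out
        # 2) pair the MATIC with the other half at the post-swap ratio
        matic_opt = other * self.pool_matic // self.pool_token
        if matic_opt <= matic_out:
            tok, mat = other, matic_opt
        else:
            tok, mat = matic_out * self.pool_token // self.pool_matic, matic_out
        minted = min(tok * self.lp_supply // self.pool_token,
                     mat * self.lp_supply // self.pool_matic)
        self.pool_token += tok
        self.pool_matic += mat
        self.lp_supply += minted
        self.team_lp += minted                 # 3) LP tokens go to the team
        self.held_token = other - tok          # unpaired remainder stays in the contract
        self.held_matic += matic_out - mat
        return minted
```

Because the sale in step 1 moves the pool price, the two halves never pair exactly; the remainder stays in the token contract, and every liquidity-add increases the team's LP balance.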

    External Threat Results

    Vulnerability Category                 Notes   Result
    Arbitrary Storage Write                N/A     PASS
    Arbitrary Jump                         N/A     PASS
    Delegate Call to Untrusted Contract    N/A     PASS
    Dependence on Predictable Variables    N/A     PASS
    Deprecated Opcodes                     N/A     PASS
    Ether Thief                            N/A     PASS
    Exceptions                             N/A     PASS
    External Calls                         N/A     PASS
    Integer Over/Underflow                 N/A     PASS
    Multiple Sends                         N/A     PASS
    Suicide                                N/A     PASS
    State Change External Calls            N/A     PASS
    Unchecked Retval                       N/A     PASS
    User Supplied Assertion                N/A     PASS
    Critical Solidity Compiler             N/A     PASS
    Overall Contract Safety                        PASS

    Smart Contract Graph

    Contract Inheritance

    
     ($) = payable function
     # = non-constant function
     
     Int = Internal
     Ext = External
     Pub = Public
     
     + [Lib] SafeMath 
        - [Int] add
        - [Int] sub
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] div
        - [Int] mod
        - [Int] mod
    
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     +  Ownable (Context)
        - [Int]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
    
     + [Int] IBEP20 
        - [Ext] totalSupply
        - [Ext] decimals
        - [Ext] symbol
        - [Ext] name
        - [Ext] getOwner
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     +  BEP20 (Context, IBEP20, Ownable)
        - [Pub]  #
        - [Ext] getOwner
        - [Pub] name
        - [Pub] decimals
        - [Pub] symbol
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Pub] transfer #
        - [Pub] allowance
        - [Pub] approve #
        - [Pub] transferFrom #
        - [Pub] increaseAllowance #
        - [Pub] decreaseAllowance #
        - [Pub] mint #
           - modifiers: onlyOwner
        - [Int] _transfer #
        - [Int] _mint #
        - [Int] _burn #
        - [Int] _approve #
        - [Int] _burnFrom #
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Prv] _functionCallWithValue #
    
     + [Int] IUniswapV2Factory 
        - [Ext] feeTo
        - [Ext] feeToSetter
        - [Ext] getPair
        - [Ext] allPairs
        - [Ext] allPairsLength
        - [Ext] createPair #
        - [Ext] setFeeTo #
        - [Ext] setFeeToSetter #
    
     + [Int] IUniswapV2Pair 
        - [Ext] name
        - [Ext] symbol
        - [Ext] decimals
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transfer #
        - [Ext] transferFrom #
        - [Ext] DOMAIN_SEPARATOR
        - [Ext] PERMIT_TYPEHASH
        - [Ext] nonces
        - [Ext] permit #
        - [Ext] MINIMUM_LIQUIDITY
        - [Ext] factory
        - [Ext] token0
        - [Ext] token1
        - [Ext] getReserves
        - [Ext] price0CumulativeLast
        - [Ext] price1CumulativeLast
        - [Ext] kLast
        - [Ext] mint #
        - [Ext] burn #
        - [Ext] swap #
        - [Ext] skim #
        - [Ext] sync #
        - [Ext] initialize #
    
     + [Int] IUniswapV2Router01 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] removeLiquidity #
        - [Ext] removeLiquidityETH #
        - [Ext] removeLiquidityWithPermit #
        - [Ext] removeLiquidityETHWithPermit #
        - [Ext] swapExactTokensForTokens #
        - [Ext] swapTokensForExactTokens #
        - [Ext] swapExactETHForTokens ($)
        - [Ext] swapTokensForExactETH #
        - [Ext] swapExactTokensForETH #
        - [Ext] swapETHForExactTokens ($)
        - [Ext] quote
        - [Ext] getAmountOut
        - [Ext] getAmountIn
        - [Ext] getAmountsOut
        - [Ext] getAmountsIn
    
     + [Int] IUniswapV2Router02 (IUniswapV2Router01)
        - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
        - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     +  xYeld (BEP20)
        - [Pub]  #
           - modifiers: BEP20
        - [Pub] isExcluded
        - [Pub] excludeaccount #
           - modifiers: onlyOwner
        - [Pub] mint #
           - modifiers: onlyOwner
        - [Int] _transfer #
        - [Prv] swapAndLiquify #
           - modifiers: lockTheSwap,transferTaxFree
        - [Prv] swapTokensForEth #
        - [Prv] addLiquidity #
        - [Ext]  ($)
        - [Pub] updateTransferTaxRate #
           - modifiers: onlyOperator
        - [Pub] updateMinAmountToLiquify #
           - modifiers: onlyOperator
        - [Pub] updateSwapAndLiquifyEnabled #
           - modifiers: onlyOperator
        - [Pub] updatexYeldRouter #
           - modifiers: onlyOperator
        - [Pub] operator
        - [Pub] transferOperator #
           - modifiers: onlyOperator
        - [Ext] delegates
        - [Ext] delegate #
        - [Ext] delegateBySig #
        - [Ext] getCurrentVotes
        - [Ext] getPriorVotes
        - [Int] _delegate #
        - [Int] _moveDelegates #
        - [Int] _writeCheckpoint #
        - [Int] safe32
        - [Int] getChainId