SMART CONTRACT SECURITY AUDIT OF - Eggplus


SOCIAL @interfinetwork WEB interfi.network

Audit Introduction

Auditing Firm: InterFi Network
Audit Architecture: InterFi Echelon Auditing Standard
Language: Solidity
Client Firm: EggPlus
Report Date: May 05, 2022

About EggPlus

EggPlus is a decentralized financial asset which rewards users with a sustainable fixed compound interest model, delivering one of the top fixed APY in the industry simply by buying and holding EGGPLUS.

Audit Summary

InterFi team has performed a line-by-line manual analysis and automated review of smart contracts. Smart contracts were analyzed mainly for common contract vulnerabilities, exploits, and manipulation hacks. According to the audit:

- EggPlus’ solidity source code has LOW RISK SEVERITY
- EggPlus’ smart contract has an ACTIVE OWNERSHIP
- EggPlus’ centralization risk correlated to the active owner is MEDIUM
- Important owner privileges – BLACKLIST, SET LP, WITHDRAW ALL TO TREASURY
- EggPlus’ smart contract utilizes REBASE. With rebase, the circulating token supply adjusts (increases or decreases) automatically or manually according to set parameters.

Be aware that smart contracts deployed on the blockchain aren’t resistant to internal exploit, external vulnerability, or hack. For a detailed understanding of risk severity, source code vulnerability, exploitability, and audit disclaimer, kindly refer to the audit.

Contract address: 0x07c4730D4300730abF060f8Bf3A88e71D8283c6F
Blockchain: Binance Smart Chain
Verify the authenticity of this report on InterFi’s GitHub: https://github.com/interfinetwork

Table Of Contents

Audit Information
- Audit Scope

Echelon Audit Standard
- Audit Methodology
- Risk Classification
- Centralization Risk

Smart Contract Risk Assessment
- Static Analysis
- Software Analysis
- Manual Analysis
- SWC Attacks
- Risk Status & Radar Chart

Audit Summary
- Auditor’s Verdict

Legal Advisory
- Important Disclaimer
- About InterFi Network

Audit Scope

InterFi was consulted by EggPlus to conduct the smart contract security audit of their solidity source codes. The audit scope of work is strictly limited to the mentioned solidity file(s) only:

- EggPlus.sol

Solidity Source Code On Blockchain (Verified Contract Source Code)
abF060f8Bf3A88e71D8283c6F#code
Contract Name: EggPlus
Compiler Version: v0.7.6
Optimization Enabled: No with 200 runs

Solidity Source Code On InterFi
des/blob/main/EggPlus.sol

SHA-1 Hash
Solidity source code is audited at hash #b468fc3a14d16ba06f738a53ca7c32373011a9e3

Audit Methodology

The scope of this report is to audit the smart contract source code of EggPlus. InterFi has scanned contracts and reviewed codes for common vulnerabilities, exploits, hacks, and back-doors. Due to being out of scope, InterFi has not tested contracts on testnet to assess any functional flaws. Below is the list of commonly known smart contract vulnerabilities, exploits, and hacks:

Categories: Smart Contract Vulnerabilities; Source Code Review

- Re-entrancy
- Unhandled Exceptions
- Transaction Order Dependency
- Integer Overflow
- Unrestricted Action
- Incorrect Inheritance Order
- Typographical Errors
- Requirement Violation
- Gas Limit and Loops
- Deployment Consistency
- Repository Consistency
- Data Consistency
- Token Supply Manipulation
- Access Control and Authorization
- Operations Trail and Event Generation
- Assets Manipulation
- Ownership Control
- Liquidity Access

InterFi’s Echelon Audit Standard

The aim of InterFi’s “Echelon” standard is to analyze smart contracts and identify the vulnerabilities and the hacks. Kindly note, InterFi does not test smart contracts on testnet. It is recommended that smart contracts are thoroughly tested prior to the audit submission. Mentioned are the steps used by InterFi to audit smart contracts:

1. Solidity smart contract source code review:
   - Review of the specifications, sources, and instructions provided to InterFi to make sure we understand the size and scope of the smart contract audit.
   - Manual review of code, which is the process of reading source code line-by-line to identify potential vulnerabilities.
2. Static, Manual, and Software analysis:
   - Test coverage analysis is the process of determining whether the test cases are covering the code and how much code is exercised when we run those test cases.
   - Symbolic execution is analyzing a program to determine what inputs cause each part of a program to execute.
3. Best practices review, which is a review of the smart contracts to improve efficiency, effectiveness, clarity, maintainability, security, and control based on the established industry and academic practices, recommendations, and research.
4. Specific, itemized, actionable recommendations to help you take steps to secure your smart contracts.

Automated 3P frameworks used to assess the smart contract vulnerabilities:

- Consensys Tools
- SWC Registry
- Solidity Coverage
- Open Zeppelin Code Analyzer
- Solidity Code Compiler

Risk Classification

Smart contracts are generally designed to manipulate and hold funds denominated in ETH/BNB. This makes them very tempting attack targets, as a successful attack may allow the attacker to directly steal funds from the contract. Below are the typical risk levels of a smart contract:

Vulnerable: A contract is vulnerable if it has been flagged by a static analysis tool as such. As we will see later, this means that some contracts may be vulnerable because of a false positive.

Exploitable: A contract is exploitable if it is vulnerable and the vulnerability could be exploited by an external attacker. For example, if the “vulnerability” flagged by a tool is in a function that requires owning the contract, it would be vulnerable but not exploitable.

Exploited: A contract is exploited if it received a transaction on the main network which triggered one of its vulnerabilities. Therefore, a contract can be vulnerable or even exploitable without having been exploited.

Risk severity and meaning:

- High: Vulnerabilities at this level could be exploited easily and can lead to asset loss, data loss, asset, or data manipulation. They should be fixed right away.
- Medium: Vulnerabilities at this level are hard to exploit but very important to fix; they carry an elevated risk of smart contract manipulation, which can lead to high-risk severity.
- Low: Vulnerabilities at this level should be fixed, as they carry an inherent risk of future exploits and hacks which may or may not impact the smart contract execution.
- Informational: Vulnerabilities at this level can be ignored. They are code style violations and informational statements in the code. They may not affect the smart contract execution.

Centralization Risk

Centralization risk is the most common cause of decentralized finance hacks. When a smart contract has an active contract ownership, the risk related to centralization is elevated. There are some well-intended reasons to be an active contract owner, such as:

- Contract owner can be granted the power to pause() or lock() the contract in case of an external attack.
- Contract owner can use functions like include() and exclude() to add or remove wallets from fees, swap checks, and transaction limits. This is useful to run a presale, and to list on an exchange.

Authorizing a full centralized power to a single body can be dangerous. Unfortunately, centralization related risks are higher than common smart contract vulnerabilities. Centralization of ownership creates a risk of rug pull scams, where owners cash out tokens in such quantities that they become valueless. The most important question to ask here is how to mitigate centralization risk. Here’s InterFi’s recommendation to lower the risks related to centralization hacks:

- Smart contract owner’s private key must be carefully secured to avoid any potential hack.
- Smart contract ownership should be shared by multi-signature (multi-sig) wallets.
- Smart contract ownership can be locked in a contract; user voting or a community DAO can be introduced to unlock the ownership.

EggPlus’ Centralization Status

- EggPlus’ smart contract has an active ownership.
- Smart contract ownership is set to 0xb0e9fbd3275e5abc1ef781b888d3343ec317c683 at the time of the audit.

Static Analysis

Symbol legend: function can modify state; function is payable; function is locked; function can be accessed; important functionality.

SafeMathInt (Library), all Internal:
mul, div, sub, add, abs

SafeMath (Library), all Internal:
add, sub, sub, mul, div, div, mod

IERC20 (Interface), all External, modifiers NO:
totalSupply, balanceOf, allowance, transfer, approve, transferFrom

IPancakeSwapPair (Interface), all External, modifiers NO:
name, symbol, decimals, totalSupply, balanceOf, allowance, approve, transfer, transferFrom, DOMAIN_SEPARATOR, PERMIT_TYPEHASH, nonces, permit, MINIMUM_LIQUIDITY, factory, token0, token1, getReserves, price0CumulativeLast, price1CumulativeLast, kLast, mint, burn, swap, skim, sync, initialize

IPancakeSwapRouter (Interface), all External, modifiers NO:
factory, WETH, addLiquidity, addLiquidityETH, removeLiquidity, removeLiquidityETH, removeLiquidityWithPermit, removeLiquidityETHWithPermit, swapExactTokensForTokens, swapTokensForExactTokens, swapExactETHForTokens, swapTokensForExactETH, swapExactTokensForETH, swapETHForExactTokens, quote, getAmountOut, getAmountIn, getAmountsOut, getAmountsIn, removeLiquidityETHSupportingFeeOnTransferTokens, rTokens, ens, swapExactETHForTokensSupportingFeeOnTransferTokens, swapExactTokensForETHSupportingFeeOnTransferTokens

IPancakeSwapFactory (Interface), all External, modifiers NO:
feeTo, feeToSetter, getPair, allPairs, allPairsLength, createPair, setFeeTo, setFeeToSetter

Ownable (Implementation)
Function | Visibility | Modifiers
Constructor | Public | NO
owner | Public | NO
isOwner | Public | NO
renounceOwnership | Public | onlyOwner
transferOwnership | Public | onlyOwner
transferOwnership | Internal |

ERC20Detailed (Implementation; IERC20)
Function | Visibility | Modifiers
Constructor | Public | NO
name | Public | NO
symbol | Public | NO
decimals | Public | NO

EggPlus (Implementation; ERC20Detailed, Ownable)
Function | Visibility | Modifiers
Constructor | Public | ERC20Detailed Ownable
rebase | Internal |
transfer | External | validRecipient
transferFrom | External | validRecipient
basicTransfer | Internal |
transferFrom | Internal |
takeFee | Internal |
addLiquidity | Internal | swapping
swapBack | Internal | swapping
withdrawAllToTreasury | External | swapping onlyOwner
shouldTakeFee | Internal |
shouldRebase | Internal |
shouldAddLiquidity | Internal |
shouldSwapBack | Internal |
setAutoRebase | External | onlyOwner
setAutoAddLiquidity | External | onlyOwner
allowance | External | NO
decreaseAllowance | External | NO
increaseAllowance | External | NO
approve | External | NO
checkFeeExempt | External | NO
getCirculatingSupply | Public | NO
isNotInSwap | External | NO
manualSync | External | NO
setFeeReceivers | External | onlyOwner
getLiquidityBacking | Public | NO
setWhitelist | External | onlyOwner
setBotBlacklist | External | onlyOwner
setPairAddress | Public | onlyOwner
setLP | External | onlyOwner
totalSupply | External | NO
balanceOf | External | NO
isContract | Internal |
Receive Ether | External | NO

Software Analysis


[Figure: Inheritance Graph]

Manual Analysis

Function and description:

- Total Supply: provides information about the total
- Balance Of
- Transfer: executes transfers of a specified number of tokens to a specified address
- Approve: allow a spender to withdraw a set number of tokens from a specified account
- Allowance: returns a set number of tokens from a spender to the
- Rebase: circulating token supply adjusts (increases or decreases) automatically according to a token's price fluctuations
- Blacklist: stops specified wallets from interacting with the smart contract function modules
- Transfer Ownership: executes transfer of contract ownership to a specified wallet
- Renounce Ownership: executes transfer of contract ownership to a dead address

Available / Status values, in the order transcribed: Passed, Yes, Passed, Yes, Passed, Yes, Low, Yes, Passed, Yes, Passed

Notable Information

- EggPlus’ smart contract utilizes rebase. With rebase, the circulating token supply adjusts (increases or decreases) automatically or manually according to set parameters.

- The smart contract utilizes “SafeMath” function to avoid common smart contract vulnerabilities.

    string private name = "EggPlus";

    library SafeMath {
        function add(uint256 a, uint256 b) internal pure returns (uint256) {
            uint256 c = a + b;
            require(c >= a, "SafeMath: addition overflow");

        function sub(uint256 a, uint256 b) internal pure returns (uint256) {
            return sub(a, b, "SafeMath: subtraction overflow");

            uint256 c = a * b;
            require(c / a == b, "SafeMath: multiplication overflow");
            return c;

        function div(uint256 a, uint256 b) internal pure returns (uint256) {
            return div(a, b, "SafeMath: division by zero");

        function mod(uint256 a, uint256 b) internal pure returns (uint256) {
            return mod(a, b, "SafeMath: modulo by zero");

- Smart contract owner can withdraw EGGPLUS tokens from the token contract to treasury.

    function withdrawAllToTreasury() external swapping onlyOwner {
        uint256 amountToSwap = gonBalances[address(this)].div(gonsPerFragment);
        require(amountToSwap > 0, "There is no EggPlus token deposited in token contract");

- Smart contract owner can blacklist certain wallets from interacting with the contract function modules.

    function setBotBlacklist(address botAddress, bool flag) external onlyOwner {
        require(isContract(botAddress), "only contract address, not allowed exteranlly owned account");

- Smart contract has a low severity issue which may or may not create any functional vulnerability.

    "severity": 8 (Low Severity)
    "Expected token Comma got 'Identifier'"
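The rebase behaviour noted above can be modelled off-chain to see what a holder or monitor should expect. This is an added example, not code from the EggPlus contract or from InterFi: it assumes the gon-based accounting suggested by the gonBalances / gonsPerFragment excerpt, and the supply figure, the 1% rate and the holder names are constructed for illustration.

```python
# Added example: gon-based rebase accounting modelled with Python integers.
# Supply, rebase rate and holder names are constructed for illustration.
MAX_UINT256 = 2**256 - 1
INITIAL_SUPPLY = 10**11  # assumed initial supply, in smallest token units
# Largest multiple of the initial supply that fits in a uint256, so the
# starting gons-per-fragment ratio is an exact integer.
TOTAL_GONS = MAX_UINT256 - (MAX_UINT256 % INITIAL_SUPPLY)


class RebaseToken:
    def __init__(self, deployer):
        self.total_supply = INITIAL_SUPPLY
        self.gons_per_fragment = TOTAL_GONS // self.total_supply
        self.gon_balances = {deployer: TOTAL_GONS}

    def balance_of(self, who):
        # Same shape as gonBalances[addr].div(gonsPerFragment) in the excerpt.
        return self.gon_balances.get(who, 0) // self.gons_per_fragment

    def transfer(self, src, dst, amount):
        gons = amount * self.gons_per_fragment
        if amount < 0 or self.gon_balances.get(src, 0) < gons:
            raise ValueError("insufficient balance")
        self.gon_balances[src] -= gons
        self.gon_balances[dst] = self.gon_balances.get(dst, 0) + gons

    def rebase(self, rate_num, rate_den):
        # Supply changes by rate_num/rate_den. No gon balance is touched, yet
        # every balance_of() result moves because the divisor changes.
        self.total_supply += self.total_supply * rate_num // rate_den
        self.gons_per_fragment = TOTAL_GONS // self.total_supply


def reconcile(token):
    """Return the rounding dust: total supply minus the sum of balances.

    Raises if balances exceed supply or the dust reaches one unit per
    holder, either of which means the accounting no longer adds up.
    """
    held = sum(token.balance_of(a) for a in token.gon_balances)
    dust = token.total_supply - held
    if not 0 <= dust < len(token.gon_balances):
        raise AssertionError(f"supply mismatch: dust={dust}")
    return dust


def build_sample():
    # Constructed holders: one small odd balance, one round balance.
    token = RebaseToken("deployer")
    token.transfer("deployer", "alice", 12_345)
    token.transfer("deployer", "bob", 10**10)
    return token


if __name__ == "__main__":
    t = build_sample()
    before = {a: t.balance_of(a) for a in t.gon_balances}
    t.rebase(1, 100)  # +1% supply, no transfers
    for holder, old in before.items():
        print(holder, old, "->", t.balance_of(holder))
    print("dust after rebase:", reconcile(t))
```

Balances change on every rebase without any transfer taking place, so a reconciliation like reconcile() is a more reliable supply check for a rebasing token than replaying transfer history.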

SWC Attacks

SWC ID | Description | Status
SWC-101 | Integer Overflow and Underflow | Passed
SWC-102 | Outdated Compiler Version | Informational
SWC-103 | Floating Pragma | Passed
SWC-104 | Unchecked Call Return Value | Passed
SWC-105 | Unprotected Ether Withdrawal | Passed
SWC-106 | Unprotected SELF-DESTRUCT Instruction | Passed
SWC-107 | Re-entrancy | Low
SWC-108 | State Variable Default Visibility | Passed
SWC-109 | Uninitialized Storage Pointer | Passed
SWC-110 | Assert Violation | Passed
SWC-111 | Use of Deprecated Solidity Functions | Passed
SWC-112 | Delegate Call to Untrusted Callee | Passed
SWC-113 | DoS with Failed Call | Passed
SWC-114 | Transaction Order Dependence | Passed
SWC-115 | Authorization through tx.origin | Passed
SWC-116 | Block values as a proxy for time | Passed
SWC-117 | Signature Malleability | Passed
SWC-118 | Incorrect Constructor Name | Passed
SWC-119 | Shadowing State Variables | Passed
SWC-120 | Weak Sources of Randomness from Chain Attributes | Passed
SWC-121 | Missing Protection against Signature Replay Attacks | Passed
SWC-122 | Lack of Proper Signature Verification | Passed
SWC-123 | Requirement Violation | Passed
SWC-124 | Write to Arbitrary Storage Location | Passed
SWC-125 | Incorrect Inheritance Order | Passed
SWC-126 | Insufficient Gas Griefing | Passed
SWC-127 | Arbitrary Jump with Function Type Variable | Passed
SWC-128 | DoS With Block Gas Limit | Passed
SWC-129 | Typographical Error | Passed
SWC-130 | Right-To-Left-Override control character (U+202E) | Passed
SWC-131 | Presence of unused variables | Passed
SWC-132 | Unexpected Ether balance | Passed
SWC-133 | Hash Collisions With Multiple Variable Length Arguments | Passed
SWC-134 | Message call with the hardcoded gas amount | Passed
SWC-135 | Code With No Effects (Irrelevant/Dead Code) | Passed
SWC-136 | Unencrypted Private Data On-Chain | Passed

Risk Status & Radar Chart

Risk Severity | Status
High | No high severity issues identified
Medium | No medium severity issues identified
Low | 2 low severity issues identified
Informational | 1 informational severity issue identified
Centralization Risk | Active contract ownership identified

[Radar chart: score out of 100 for Compiler Check, Interface Safety, Static Analysis, Manual Analysis, Software Analysis]

Auditor’s Verdict

InterFi team has performed a line-by-line manual analysis and automated review of smart contracts. Smart contracts were analyzed mainly for common contract vulnerabilities, exploits, and manipulation hacks. According to the audit:

- EggPlus’ smart contract source code has LOW RISK SEVERITY
- EggPlus’ smart contract has an ACTIVE OWNERSHIP
- EggPlus’ centralization risk correlated to the active owner is MEDIUM

Note for stakeholders

- Be aware that active smart contract owner privileges constitute an elevated impact on smart contract safety and security.
- If the smart contract is not deployed on any blockchain at the time of the audit, the contract can be modified or altered before blockchain development. Verify contract’s deployment status in the audit report.
- Make sure that the project team’s KYC/identity is verified by an independent firm.
- Always check if the contract’s liquidity is locked. A longer liquidity lock plays an important role in the project’s longevity. It is recommended to have multiple liquidity providers.
- Examine the unlocked token supply in the owner, developer, or team’s private wallets. Understand the project’s tokenomics, and make sure the tokens outside of the LP Pair are vested or locked for a longer period.

Important Disclaimer

InterFi Network provides contract development, testing, auditing and project evaluation services for blockchain projects. The purpose of the audit is to analyze the on-chain smart contract source code and to provide a basic overview of the project. This report should not be transmitted, disclosed, referred to, or relied upon by any person for any purpose without InterFi’s prior written consent.

InterFi provides the easy-to-understand assessment of the project, and the smart contract (otherwise known as the source code). The audit makes no statements or warranties on the security of the code. It also cannot be considered as enough assessment regarding the utility and safety of the code, bug-free status, or any other statements of the contract. While we have used all the data at our disposal to provide the transparent analysis, it is important to note that you should not rely on this report only — we recommend proceeding with several independent audits and a public bug bounty program to ensure the security of smart contracts. Be aware that smart contracts deployed on a blockchain aren’t resistant to external vulnerability, or a hack. Be aware that active smart contract owner privileges constitute an elevated impact on smart contract safety and security. Therefore, InterFi does not guarantee the explicit security of the audited smart contract.

The analysis of the security is purely based on the smart contracts alone. No applications or operations were reviewed for security. No product code has been reviewed.

This report should not be considered as an endorsement or disapproval of any project or team. The information provided in this report does not constitute investment advice, financial advice, trading advice, or any other sort of advice and you should not treat any of the report’s content as such. Do conduct your due diligence and consult your financial advisor before making any investment decisions.

About InterFi Network

InterFi Network provides intelligent blockchain solutions. InterFi is developing an ecosystem that is seamless and responsive. Some of our services: Blockchain Security, Token Launchpad, NFT Marketplace, etc. InterFi’s mission is to interconnect multiple services like Blockchain Security, D
