Astronaut x HashEx Audit Report

Disclaimer

Introduction

  • Identify potential security issues with smart contracts.
  • Formally check the logic behind the given smart contracts.
  • Information in this report should be used to understand the risk exposure of the smart contracts, and as a guide to improve their security posture by remediating the issues that were identified.

We found that the Astronaut token is a fork of the Reflect.finance [1] custom token, for which an audit report is available [2].

Contracts overview

  • astronaut-contract/AstronautToken.sol: implementation of the BEP20 token standard with custom auto-yield functionality, realised by burning tokens on transfers.

Found issues

  01 No safeguard for _TAX_FEE — Critical
  02 excludeAccount() abuse — High
  03 BEP20 standard violation — High
  04 for() loop in getCurrentSupply() — High
  05 updateBurnFee() bug — Medium
  06 Low severity issues — Low
  07 Recommendations — Low
  1. The excludeAccount() function contains a hardcoded address of Uniswap Router02 [5] on the Ethereum blockchain, which makes this requirement completely useless for the current deployment on BSC. Moreover, hardcoding addresses is not good practice, as third-party contracts could be deprecated or upgraded.
  2. The maximum transfer amount for non-owner users is restricted by the _MAX_TX_SIZE variable. This variable is set to 10x the total supply, which makes it virtually useless while still consuming gas.
  3. The private function _getTaxFee() is not used anywhere. Its visibility should be changed to external.
  4. The transfer() function consists of an excessive number of conditional statements. The default condition is never reached.
  5. The updateTaxFee() and updateBurnFee() functions use unsafe multiplication, although the proposed safeguard will justify this.
  6. Incorrect error message: it must be “Account is already included”.
  7. The Solidity version is not fixed but set to pragma ^0.6.0, while the Address library is OpenZeppelin v3.0.0 with ^0.6.2. Such inconsistencies may lead to compilation errors.
  8. There are zero custom events besides those of the IBEP20 interface. We suggest implementing such events for user actions as well as for changes to the values of crucial variables.
  9. Defaults for _TAX_FEE and _BURN_FEE are 6% and 3%. The whitepaper claims “we will set it to 4% slippage which will do a 3% burn and 1% redistribution”. Up to block 6008624 we cannot confirm that the tax fee was updated.
  1. Getter functions for contract constants may be set to pure and/or external: name(), symbol(), decimals(), _getMaxTxAmount().
  2. We suggest adding a permit() function to ERC20 tokens for gas savings on approvals.
  3. The private function _getMaxTxAmount() is not used anywhere. It could be removed to save gas or made external.
  4. The _GRANULARITY constant can be used with a 100x multiplier to save gas on calculations.
  5. The _tFeeTotal and _tBurnTotal variables are not in practical use. The contract may be reworked to reduce gas costs.
  6. The Address library is not in use and may be removed.
  7. We suggest adding unit tests for future development according to the roadmap of the Astronaut project.
  8. Code style recommendations: _TAX_FEE and _BURN_FEE should be in mixedCase; omitted curly braces should be added for readability; the four different cases of the transfer function (L646, L656, L667, L678) should be merged in _transfer().
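One way to address the fee-related findings above (no safeguard for _TAX_FEE, unsafe multiplication in updateTaxFee()/updateBurnFee(), missing events, mixedCase naming, external getters), as an added Solidity sketch written for this report and not code from the Astronaut contract. The contract name BoundedFees, the GRANULARITY value of 100 and the 10% per-fee cap are assumptions, not values from the audited code.

```solidity
// Added example, not the Astronaut contract's code: fee setters bounded before the
// multiplication, with events on every change. Contract name, GRANULARITY == 100
// and the 10% cap are assumptions.
pragma solidity 0.6.12; // pinned, as the report recommends, instead of ^0.6.0
contract BoundedFees {
    uint256 private constant GRANULARITY = 100; // fees stored as percent * GRANULARITY
    // Hard cap per fee: an unbounded fee lets the owner take every transfer in full.
    uint256 public constant MAX_FEE_PERCENT = 10;

    address private _owner;
    uint256 private _taxFee;  // mixedCase instead of _TAX_FEE, per the style note
    uint256 private _burnFee; // mixedCase instead of _BURN_FEE

    event TaxFeeUpdated(uint256 previousFee, uint256 newFee);
    event BurnFeeUpdated(uint256 previousFee, uint256 newFee);

    modifier onlyOwner() {
        require(msg.sender == _owner, "Ownable: caller is not the owner");
        _;
    }

    constructor(uint256 taxFeePercent, uint256 burnFeePercent) public {
        _owner = msg.sender;
        _setTaxFee(taxFeePercent);
        _setBurnFee(burnFeePercent);
    }
    // Owner-facing setters take a whole-number percent.
    function updateTaxFee(uint256 pct) external onlyOwner { _setTaxFee(pct); }
    function updateBurnFee(uint256 pct) external onlyOwner { _setBurnFee(pct); }

    // The cap check runs before the multiplication, so pct * GRANULARITY is at
    // most 1000 and cannot overflow: this is the safeguard the report asks for.
    function _setTaxFee(uint256 pct) private {
        require(pct <= MAX_FEE_PERCENT, "Fees: tax fee above cap");
        uint256 previous = _taxFee;
        _taxFee = pct * GRANULARITY;
        emit TaxFeeUpdated(previous, _taxFee);
    }

    function _setBurnFee(uint256 pct) private {
        require(pct <= MAX_FEE_PERCENT, "Fees: burn fee above cap");
        uint256 previous = _burnFee;
        _burnFee = pct * GRANULARITY;
        emit BurnFeeUpdated(previous, _burnFee);
    }
    // External getters replace the unused private _getTaxFee().
    function taxFee() external view returns (uint256) { return _taxFee; }
    function burnFee() external view returns (uint256) { return _burnFee; }
}
```

Because the bound is checked first, the setters need no SafeMath for the multiplication, and the emitted events give off-chain monitoring a record of every fee change to compare against the whitepaper's stated 4% total.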

Conclusion
