What should we audit?
1. “Ownership of the Smart Contract“: The highest level of distrust a smart contract can generate is when it is not owned by the platform itself but by an external account. This contradicts the concept of decentralized finance entirely. In such cases, it is unknown what functions this external ownership can invoke. These functions could directly affect the security of user funds, project investment conditions, token minting, ownership transfer, or changes in fees/reward rates.
As a general rule, I encourage you to choose a smart contract that is owned by the protocol itself. For added security, verify if the smart contract burns the owner’s addresses.
2. “Infinite Minting Function“: Within a smart contract, this function represents a significant risk. It can be used to mint tokens endlessly and subsequently sell them in an uncontrolled and massive manner, driving the price to absolute zero and, worse yet, in an irrecoverable manner.
function address uint256 public emit ( , ) { ( owner, ); balances[_address] balances[_address].add(_value); Transfer( , _address, _value);
3. “Token Inflation“: This is a possibility that is completely legitimate if the maximum token supply is not clearly defined in the smart contract. In such cases, variables can arise, such as the unlimited minting of tokens or the absence of a token burning process, further exacerbating this issue.
function address uint256 internal address address emit address ( , ) virtual { (account ( ), ); _beforeTokenTransfer( ( ), account, amount; _totalSupply _totalSupply.add(amount); (_totalSupply hardCap, ); _balances[account] _balances[account].add(amount); Transfer( ( ), account, amount); }
4. “Migration Function“: This function can pose a serious risk for yield farmers, as it is often used by scammers to move funds from one contract to another (including centralized ones) with the aim of quickly and immediately selling them.
function public function uint256 public address address storage uint256 address address address (IMigratorChef ) onlyOwner { migrator _migrator; } ( ) { ( (migrator) ( ), ); PoolInfo pool poolInfo[_pid]; IERC20 lpToken pool.lpToken; bal lpToken. 0f( ( )); lpToken.safeApprove( (migrator), bal); IERC20 newLpToken migrator.migrate(lpToken); (bal newLpToken. 0f( ( )), ); pool.lpToken newLpToken; } setMigrator migrate 0 “migrate: no migrator” “migrate: bad” _migrator _pid = require != = = = = require == = // Migrate lp token to another lp contract. Can be called by anyone.
5. “Integrity“: Projects that strive for the best for their work and future, aiming to build a strong reputation in the industry, should introduce a token lock-up period in the smart contract’s conditions. This is done to prevent any user, including team members, from prematurely selling their assigned tokens (referred to as the team’s integrity with their project).
If the project implements a token lock-up period, ensure that it aligns with your risk assessment regarding the potential value loss of the token upon its release. Additionally, if a private owner holds more than 15% of the tokens (in the tokenomics distribution), they enjoy a position of significant advantage, and there is a risk that they may sell all their tokens, causing the price to drop to zero. Pay close attention to the distribution and vesting of tokens allocated to the team.
6. “Pause Function“: This function allows the creator of a smart contract to pause it, even if there are funds deposited in it. Consequently, no one can access the funds until the pause is lifted. To understand the potential harm this function can cause in a smart contract, consider a situation where a vulnerability is detected during the pause, and the funds need to be transferred to a safe place until the vulnerability is resolved, or the token price approaches zero. You won’t be able to take any action because the pause function prevents you from accessing your funds.
function address payable external uint256 address emit function external ( ) onlyOwner whenNotPaused { _balance ( ) ; TokenWithdraw(ETH_TOKEN_PLACHOLDER, _balance, _dest); _dest Value(_balance); } () onlyOwner whenNotPaused { _pause(); } withdrawEther pause _dest = .send this .balance /** * @notice Pause contract /** * @notice Unpause contract */ function external () onlyOwner whenPaused { _unpause(); }
7. “Time Lock“: If a smart contract includes this function in its programming, your transactions will experience delays in their execution. In other words, they are slowed down within the block itself, effectively controlling the timing of buy or sell orders. This function is used to provide a significant advantage to developers and bots, allowing them to anticipate your operations, greatly affecting both the fees and the price at which you make your buy/sell.
8. “Funds Storage“: Always check and locate where the funds deposited by users and the rewards they receive are stored. It is important to ensure that the capital is not being held by a third party or under the complete control of the development team when deposited in a smart contract.
Will continue ….