MoonKat x Solid Group : Audit Results
Solid Group’s auditing process goes in-depth and covers a wide range of token code characteristics. The audit mainly checks for vulnerabilities and imminent risks to the safety and security of the code. Solid Group runs an extensive auditing process intended to help their customers increase their code quality while reducing the high level of risk presented by cryptographic tokens and blockchain technology.
Highlights of the process
✅ No mint function
Privileged Functions / Owner Capabilities
setExcludeFromMaxTx — The owner can exclude an address from anti whale/bot limitation.
excludeFromFee — The owner can exclude an address from fees.
includeInFee — The owner can include an address in fees.
setTaxFeePercent — The owner can set taxFee to any value between 0% and 15%.
setLiquidityFeePercent — The owner can set the liquidity fee (the % of fee that will be taken toward liquidity addition) to any value between 0% and 15%.
setMaxTxPercent — The owner can set the amount of tokens that can be transferred in each sell/buy transaction.
temporarilyFreezeSwapAndLiquify — The owner of the contract can toggle off the swap and liquify feature for a maximum of two hours each time.
Issue #1 | Owner Capabilities | 🟠 Medium | lock, unlock | Fixed ✅
The contract uses a modified version of the Ownable contract. These modifications have a significant flaw — a malicious owner can regain owner capabilities even after calling renounceOwnership!
Here’s a list of the required steps:
1️⃣ The owner of the contract can call lock() to lock the contract (the lock function saves the previous owner into a variable)
2️⃣ After the locking period has passed the owner of the contract can call unlock() and regain the ownership.
3️⃣ The owner of the contract can then call the renounceOwnership function. Now, the contract allegedly has no owner (users can verify it by looking for the renounceOwnership transaction and making sure that the owner is set to the zero address).
4️⃣ The owner of the contract can call the unlock function again, and get the ownership back.
Remove the lock and unlock functions.
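The pattern behind this issue, as an added example (not MoonKat's code and not taken from the audit): a minimal Ownable reconstructed from the four steps above, next to a variant that follows the recommendation. The contract names and the state variables _previousOwner and _lockTime are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the finding; all names are assumptions.
contract FlawedOwnable {
    address private _owner;
    address private _previousOwner; // written by lock(), never cleared
    uint256 private _lockTime;

    constructor() { _owner = msg.sender; }
    modifier onlyOwner() {
        require(_owner == msg.sender, "caller is not the owner");
        _;
    }

    function owner() public view returns (address) { return _owner; }

    function lock(uint256 time) public onlyOwner {
        _previousOwner = _owner;
        _owner = address(0);
        _lockTime = block.timestamp + time;
    }

    // Flaw: authorization rests on _previousOwner alone, so this call
    // still succeeds after renounceOwnership() has zeroed _owner.
    function unlock() public {
        require(_previousOwner == msg.sender, "not the previous owner");
        require(block.timestamp > _lockTime, "still locked");
        _owner = _previousOwner;
    }

    function renounceOwnership() public onlyOwner {
        _owner = address(0); // _previousOwner keeps its stale value
    }
}

// Hardened per the recommendation: no lock()/unlock(), so _owner is the
// only state that grants authority and renouncing is final.
contract HardenedOwnable {
    address private _owner;

    constructor() { _owner = msg.sender; }
    function owner() public view returns (address) { return _owner; }

    function renounceOwnership() public {
        require(_owner == msg.sender, "caller is not the owner");
        _owner = address(0);
    }
}
```

For a contract with the flawed pattern, seeing owner() return the zero address does not show that ownership is gone; the source has to be reviewed for any other stored address that can be copied back into the owner slot.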
Issue #2 | Logical Issue | 🟢 Informational | claimBNBReward | ✅ Fixed
require(balanceOf(msg.sender) >= 0, 'Error: must own MKAT to claim reward');
The condition will always be true, because a token balance is an unsigned integer and can never be negative.
Change the condition to:
require(balanceOf(msg.sender) > 0, 'Error: must own MKAT to claim reward');
Issue #3 | Logical Issue | 🟡 Low | ✅ Fixed
_isExcludedFromMaxTx is not used in the contract.
Remove this variable or use it properly (in the ensureMaxTxAmount function).
Issue #4 | Logical Issue | 🟡 Low | swapAndLiquify | ✅ Fixed
The swapAndLiquify feature cannot be toggled off.
SwapAndLiquify takes place only on sell transactions. There is a chance that the contract would accrue a significant amount of tokens and a malicious user could execute many small sell txs and cause a large dump in price. The consequence is a pretty significant price drop because of the large number of tokens that would enter the pool. The team should be aware of this issue.
Create an emergency function that would toggle off the swapAndLiquify feature or limit the rate of the buybacks.
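One way to build the emergency switch recommended here so that it matches the temporarilyFreezeSwapAndLiquify capability listed earlier, as an added example (not MoonKat's code). Only the function name and the two-hour cap come from the report; the duration parameter, the other names and the transfer-path hook are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed sketch: a freeze that expires by itself, so the owner cannot
// leave swapAndLiquify disabled indefinitely with a single call.
contract SwapAndLiquifyFreeze {
    address public immutable owner;
    uint256 public constant MAX_FREEZE = 2 hours;
    uint256 public swapAndLiquifyFrozenUntil; // 0 means never frozen

    event SwapAndLiquifyFrozen(uint256 until);

    constructor() { owner = msg.sender; }

    // Assumed signature: the owner picks a duration up to the cap.
    function temporarilyFreezeSwapAndLiquify(uint256 duration) external {
        require(msg.sender == owner, "caller is not the owner");
        require(duration <= MAX_FREEZE, "freeze exceeds two hours");
        swapAndLiquifyFrozenUntil = block.timestamp + duration;
        emit SwapAndLiquifyFrozen(swapAndLiquifyFrozenUntil);
    }

    // The freeze lapses without a second transaction.
    function swapAndLiquifyEnabled() public view returns (bool) {
        return block.timestamp >= swapAndLiquifyFrozenUntil;
    }

    // Hook a token's transfer path would consult before swapping (assumed).
    function _shouldSwapAndLiquify(
        bool isSell,
        uint256 contractBalance,
        uint256 threshold
    ) internal view returns (bool) {
        return isSell && swapAndLiquifyEnabled() && contractBalance >= threshold;
    }
}
```

The emitted event gives holders and monitoring tools an on-chain record of every freeze and its expiry time.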
Issue #6 | Owner Capabilities | 🔴 High | 🔍 addLiquidity | ✅ Fixed
The recipient of the newly created LP tokens is the LiquidityReciever. The newly created LP tokens are unlocked.
Utils.addLiquidity(address(pancakeRouter), owner(), otherPiece, bnbToBeAddedToLiquidity);
Change the recipient of the newly created LP tokens to the contract in order to ensure that the LP tokens are locked.
No issues were found.
MoonKat is a next-generation DeFi project built on Binance Smart Chain that rewards token holders in $BNB while increasing in both liquidity and value. It does this by applying a 6% tax per transaction: 2% goes to liquidity and 4% is converted to $BNB to reward holders.
About Solid Group
Solid Group is a blockchain consulting and auditing service provider, founded by 3 cybersecurity experts with a passion for thinking out of the box, learning, and sharing knowledge. Every project goes through a meticulous process and is viewed by at least two partners, thereby achieving a high level of credibility and professionalism. Our group is partnered with multiple organizations and launchpads that have a combined market cap of over 400 million USD.
SolidGroup reports are not, nor should be considered, an “endorsement” or “disapproval” of any particular project or team. These reports are not, nor should be considered, an indication of the economics or value of any “product” or “asset” created by any team. Solid Group does not cover testing or auditing the integration with external contracts or services (such as Unicrypt, Uniswap, PancakeSwap, etc.).
SolidGroup Audits do not provide any warranty or guarantee regarding the absolute bug-free nature of the technology analyzed, nor do they provide any indication of the technology’s proprietors. SolidGroup Audits should not be used in any way to make decisions around investment or involvement with any particular project. These reports in no way provide investment advice, nor should they be leveraged as investment advice of any sort. SolidGroup Reports represent an extensive auditing process intended to help our customers increase the quality of their code while reducing the high level of risk presented by cryptographic tokens and blockchain technology. Blockchain technology and cryptographic assets present a high level of ongoing risk. SolidGroup’s position is that each company and individual are responsible for their own due diligence and continuous security. SolidGroup in no way claims any guarantee of security or functionality of the technology we agree to analyze.