mona.finance Security Code Review
https://twitter.com/VidarTheAuditor - 17 December 2020

MONA.FINANCE CODE REVIEW

Overview

Project Summary

Project Name: mona.finance
Description: The MONA FINANCE project aims to gradually build a decentralized financial ecosystem.
Platform: Ethereum, Solidity
Codebase: Provided as source code bundle

Executive Summary

Three contracts were provided:
• ERC20 compatible token with burn functionality and a maximum total supply set at construction. No minting capability exists.
• Pre-sale contract with automatic liquidity adding to Uniswap and locking of the LP tokens.
• Timelock contract based on the standard Timelock implementation.

No significant issues were found in the implementation of the aforementioned contracts.

Disclaimer: The analysis did not include any detailed tokenomics or staking.

Architecture & Standards

Please find below the calling architecture of the reviewed contracts.

[Figure: calling architecture of Mona__Token]
[Figure: calling architecture of Mona__Presale]
[Figure: calling architecture of Mona__Timelock]

Mona__Token is fully ERC-20 compliant.

Findings

Number of contracts: 6+ (including inherited ones)
Use: SafeMath

Receiving ETH is disabled by the following code:
[Code listing: not reproduced in this extraction]

Static Analysis Findings

High issues: None

Medium issues:

Divide before multiply: Solidity integer division truncates, so performing the division before the multiplication may reduce precision.
[Recommendation] All such operations have to be carefully analysed for precision loss against the business logic of the code. Not a significant risk.

Re-entrancy possibility: [Manual check] Not an issue, as the functionality is to credit, not debit. However, a good recommendation is to use safeTransfer and/or a re-entrancy guard for critical functions. Not a significant risk.

Low/Informational issues

Unused state variables:
[Recommendation] Remove unused variables.
State variable that could be declared constant:
[Recommendation] The above variables could be declared as constant.

Dynamic Tests

We have run fuzzing/property-based testing of the Solidity smart contracts, using grammar-based fuzzing campaigns based on the contract ABI to falsify user-defined predicates or Solidity assertions. Dynamic tests were also run on the EVM bytecode to detect common vulnerabilities including integer underflows, owner-overwrite-to-Ether-withdrawal, and others.

[Manual Check] As the function can only be executed by the owner, it does not pose significant risks.
[Manual Check] It is part of the functionality and does not pose significant risks.

No significant issues were found.

Manual Checks

Mona__Token:

The Mona__Token contract (ERC20 compatible contract) has a few functions controlled by the contract owner. The pool setup has to be done manually by the contract owner and can be done only once, so there is no risk of it being changed once set. DEV funds (in $LISA tokens) can be taken out daily, up to a maximum value set in the contract.

Mona__Presale contract:

The pre-sale contract receives ETH using the payable receive function. It distributes 25 $LISA tokens per 1 ETH. The contract has automatic functionality to add liquidity to UNISWAP, and it provides a liquidity locking mechanism through the Locking contract. The LP is locked until 1 January 2022 00:59:59.

It also has an emergency withdraw functionality that allows all tokens and ETH to be withdrawn to the owner address in case of any issue during the automatic liquidity adding. All these onlyOwner functions have to be called manually. The contract deployment should be verified once on Mainnet, in particular that the owner is either an ordinary address or a governance contract (with verified source code).
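To make the two medium static-analysis findings (divide before multiply, re-entrancy) concrete, the following is an added Solidity example written for this edited page; it is not code from the mona.finance contracts. It assumes Solidity 0.8, whose checked arithmetic replaces the SafeMath library used by the reviewed contracts, and OpenZeppelin Contracts 4.x for ReentrancyGuard and SafeERC20. The contract, its basis-point fee calculation and the sample values in the comments are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the mona.finance code. Assumes OpenZeppelin Contracts 4.x.
// Solidity 0.8 arithmetic is checked, which replaces the SafeMath library the
// reviewed contracts use; the precision and re-entrancy points are unchanged.
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract FindingsExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    uint256 public constant BPS = 10_000;   // fee denominator, basis points (constructed)
    IERC20 public immutable token;
    mapping(address => uint256) public credit;

    constructor(IERC20 _token) {
        token = _token;
    }

    // "Divide before multiply": the integer division runs first and truncates,
    // so every amount below BPS yields a fee of zero.
    //   amount = 1999, feeBps = 25  ->  1999 / 10000 = 0, 0 * 25 = 0
    function feeTruncating(uint256 amount, uint256 feeBps) public pure returns (uint256) {
        return amount / BPS * feeBps;
    }

    // Multiply first, divide last: rounding happens once, at the end.
    //   amount = 1999, feeBps = 25  ->  1999 * 25 = 49975, 49975 / 10000 = 4
    function feeExact(uint256 amount, uint256 feeBps) public pure returns (uint256) {
        return amount * feeBps / BPS;
    }

    // Credit path (deposit): the contract only gains value here, which is why the
    // report rates re-entrancy as not significant for credit-only functions.
    // safeTransferFrom reverts on tokens that signal failure by returning false.
    function deposit(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        credit[msg.sender] += amount;
    }

    // Debit path (withdraw): state is updated before the external call
    // (checks-effects-interactions) and nonReentrant blocks a nested call.
    function withdraw(uint256 amount) external nonReentrant {
        require(credit[msg.sender] >= amount, "insufficient credit");
        credit[msg.sender] -= amount;                 // effect first
        token.safeTransfer(msg.sender, amount);       // interaction last
    }
}
```

feeTruncating(1999, 25) returns 0 while feeExact(1999, 25) returns 4: the same rate applied in the other order loses the whole fee on small amounts, which is the precision loss the finding refers to. The withdraw function shows why the guard matters on the debit side: the balance is reduced before the token call, and nonReentrant rejects a nested entry even if the token contract calls back into this one.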
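The pre-sale behaviour described above (ETH received through receive, 25 tokens per 1 ETH, LP tokens held by a lock until a fixed time, owner-only emergency withdraw) is sketched in the following added Solidity example. It is not the mona.finance pre-sale or lock code and makes no claim about how those contracts are written; it assumes OpenZeppelin Contracts 4.x for Ownable and SafeERC20, a token with 18 decimals, and takes the unlock timestamp as a constructor argument. The Uniswap liquidity-adding step is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the mona.finance code. Assumes OpenZeppelin Contracts 4.x
// and a sale token with 18 decimals; the unlock time is a constructor argument.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract PresaleExample is Ownable {
    using SafeERC20 for IERC20;

    uint256 public constant TOKENS_PER_ETH = 25;   // rate quoted in the report
    IERC20 public immutable token;
    bool public presaleOpen = true;

    event Purchased(address indexed buyer, uint256 ethIn, uint256 tokensOut);

    constructor(IERC20 _token) {
        token = _token;
    }

    // ETH and the token both use 18 decimals, so the rate is a plain
    // multiplication: no division, hence no truncation to analyse.
    // This is a credit-only path: the contract only receives value here.
    receive() external payable {
        require(presaleOpen, "presale closed");
        uint256 tokensOut = msg.value * TOKENS_PER_ETH;
        require(token.balanceOf(address(this)) >= tokensOut, "sold out");
        token.safeTransfer(msg.sender, tokensOut);
        emit Purchased(msg.sender, msg.value, tokensOut);
    }

    function closePresale() external onlyOwner {
        presaleOpen = false;
    }

    // Emergency exit as described in the report: the owner pulls the remaining
    // tokens and ETH if the automatic liquidity step fails.
    function emergencyWithdraw() external onlyOwner {
        uint256 bal = token.balanceOf(address(this));
        if (bal > 0) {
            token.safeTransfer(owner(), bal);
        }
        (bool ok, ) = owner().call{value: address(this).balance}("");
        require(ok, "eth transfer failed");
    }
}

// Separate lock for the LP tokens: nothing can leave before unlockTime,
// and only the owner can withdraw afterwards.
contract LpLockExample is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable lpToken;
    uint256 public immutable unlockTime;

    constructor(IERC20 _lpToken, uint256 _unlockTime) {
        require(_unlockTime > block.timestamp, "unlock in past");
        lpToken = _lpToken;
        unlockTime = _unlockTime;
    }

    function withdraw() external onlyOwner {
        require(block.timestamp >= unlockTime, "still locked");
        lpToken.safeTransfer(owner(), lpToken.balanceOf(address(this)));
    }
}
```

The two points a reviewer checks on such a pair are visible in the code: the lock has no owner path that bypasses unlockTime, and the emergency function is the only way value leaves the pre-sale other than the purchase itself, so verifying who the owner is (an ordinary address or a governance contract with verified source) is what the report's deployment remark is about.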
Deployment & Contract Ownership

The contracts are deployed at the following addresses:

$LISA token smart contract address: 0x74D8c60B2134F80A6DD9f3366D623776673f4f88
$LISA pre-sale smart contract address: 0x3A70F276Ba72A7a7810b07b6349d0a9cA515200f
$LISA liquidity lock smart contract address: 0xE748CBf0D97761E268d8cC0226484C06D83D116F

The deployment and ownership structure has been set up according to the described functionality.

Disclaimer

The information appearing in this report is for general purposes only and is not intended to provide any legal security guarantees to any individual or entity. As one review is not enough to provide 100% security against any attacks or bugs, it is advisable to conduct more reviews. The report does not provide personalised investment advice or recommendations; in particular, it does not provide advice to conclude any transactions, and it does not provide investment, financial, legal or tax advice. We are not responsible or liable for any loss which results from the report. The report should not be considered as investment advice.