Worthpad smart contract security audit, conducted by the Callisto Network Security Department during December 2021.

 

 

Worthpad Token Security Audit Report

Are Your Funds Safe?

Summary

Worthpad smart contract security audit report performed by Callisto Security Audit Department.

Worthpad ecosystem is powered by the $WORTH Token.

https://worthpad.medium.com/worth-token-the-fuel-that-powers-theworthpad-ecosystem-fe89b9266e33

Platform

Binance Smart Chain.

1. In scope

Commit 71760542a40e580ad6c0c57c5ec5798072c0a3b0

  • WorthToken.sol
  • WorthTokenSale.sol
  • WorthTokenTimeLock.sol

1.1 Excluded

OpenZeppelin standard imports were excluded from the audit.

2. Findings

In total, 1 issue was reported, including:

  • 0 high severity issues.
  • 0 medium severity issues.
  • 1 low severity issue.

In total, 10 notes were reported, including:

  • 2 notes.
  • 8 owner privileges.

No critical security issues were found.

2.1 Owner Privileges

Description:

The WorthToken contract owner has the right to:

  1. Exclude/include any account from/in the fee.
  2. Set Worth DVC Fund fee percentage in range 1% – 10%.
  3. Set liquidity fee percentage in range 1% – 10%.
  4. Change the maximal amount per transaction from 0 to 100,000,000 tokens.
  5. Enable or disable adding liquidity to the pool, using the function setSwapAndLiquifyEnabled.

The WorthTokenSale contract owner has the right to:

  1. Add users to the whitelist and set their maximum allocation amount (in USD).
  2. Close the token sale by calling the function endSale(). Until the sale is ended, users cannot claim the tokens they bought.
  3. Withdraw all tokens from the contract using the function withdrawTokens, including users' unclaimed tokens.

2.2 allDepositIds is not necessary

Severity: note.

Description:

The allDepositIds array contains the sequence of ids from 1 to depositId, so every deposit id is less than or equal to depositId.

2.3 The Hard cap may be exceeded

Severity: note.

Description:

The hard cap is checked in exchangeUSDTForToken and exchangeBUSDForToken before the amount that the user sends is added. The hard cap may therefore be exceeded if a user sends a bigger amount than is left to reach it.

2.4 The owner can withdraw the user’s unclaimed tokens

Severity: low.

Description:

The function withdrawTokens allows the contract owner to withdraw the entire balance of the contract, including tokens that users have bought but not yet claimed.

Recommendation:

Create a variable unclaimedTokens, add to it the amount of tokens when a user buys them, and subtract from it when the user claims them.

In the function withdrawTokens, withdraw balance - unclaimedTokens instead of the entire balance.
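One way to implement this recommendation, together with a cap check that counts the incoming amount (section 2.3), as an added Solidity example that is not the WorthTokenSale source. Apart from withdrawTokens, endSale and unclaimedTokens, every name is hypothetical, and the single payment token and fixed rate are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not the audited code. Withdrawal of sale proceeds is out of scope here.
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 v) external returns (bool);
    function transferFrom(address from, address to, uint256 v) external returns (bool);
}

contract SaleAccountingSketch {
    IERC20 public immutable token;    // token being sold
    IERC20 public immutable payToken; // assumed: one stablecoin accepted as payment
    address public immutable owner;
    uint256 public immutable hardCap; // in payToken units
    uint256 public immutable rate;    // assumed: tokens per payToken unit
    uint256 public raised;
    uint256 public unclaimedTokens;   // sold but not yet claimed
    bool public saleEnded;
    mapping(address => uint256) public purchased;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 t, IERC20 p, uint256 cap, uint256 r) {
        token = t; payToken = p; owner = msg.sender;
        hardCap = cap; rate = r;
    }

    function buy(uint256 payAmount) external {
        require(!saleEnded, "sale ended");
        require(raised + payAmount <= hardCap, "hard cap exceeded"); // 2.3: count this payment
        uint256 amount = payAmount * rate;
        require(token.balanceOf(address(this)) - unclaimedTokens >= amount, "sold out");
        raised += payAmount;
        purchased[msg.sender] += amount;
        unclaimedTokens += amount; // 2.4: reserve the tokens for the buyer
        require(payToken.transferFrom(msg.sender, address(this), payAmount), "payment failed");
    }
    function endSale() external onlyOwner { saleEnded = true; }
    function claim() external {
        require(saleEnded, "sale not ended");
        uint256 amount = purchased[msg.sender];
        purchased[msg.sender] = 0;
        unclaimedTokens -= amount; // 2.4: release the reservation on claim
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
    function withdrawTokens() external onlyOwner {
        // 2.4: only the surplus above buyers' reservations can leave the contract
        uint256 surplus = token.balanceOf(address(this)) - unclaimedTokens;
        require(token.transfer(owner, surplus), "transfer failed");
    }
}
```

Because unclaimedTokens is subtracted from the balance in both buy and withdrawTokens, the contract can neither sell tokens it does not hold nor release tokens that are owed to buyers.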

3. Security practices

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

Pay attention to WorthTokenSale contract owner rights that may hurt users.

It is recommended to adhere to the security practices described in pt. 4 of this report to ensure the contract’s operability and prevent any issues that are not directly related to the code of this smart contract.
