Manufactory smart contract audit report

Polly Traore
HashEx Security Blog
Nov 24, 2021


Audit by: HashEx
Prepared for:
Manufactory

HashEx was commissioned by the Manufactory team to perform an audit of their smart contract. The audit was conducted on 22–11–2021.

The purpose of this audit was to achieve the following:

  • Identify potential security issues with the smart contract.
  • Formally check the logic behind the given smart contract.

Information in this report should be used for understanding the risk exposure of smart contracts, and as a guide to improving the security posture of smart contracts by remediating the issues that were identified.

The code is available at 0x87cb006d1d93c790bab0c8261809c8f25484454b.

Contract

BEP20Token

Address: 0x87cb006D1D93c790BAB0c8261809c8f25484454b

The token contract implementing the BEP-20 standard.

Issues

#01. Excessive mint rights

Severity: High
Status: Fixed

While ownership is not renounced (L:321), the owner has exclusive access to the mint() function (L:502), and the amount that can be minted is not bounded by any cap. A compromised or malicious owner account could therefore mint arbitrarily and dilute every holder, so losing control over the owner key would lead to uncontrolled emission and token devaluation.

Recommendation: We recommend renouncing token ownership after the initial minting, or transferring it to a contract with a transparent minting policy (for example, a hard cap or a time lock).
Update: Ownership was renounced on 23–11–2021, so mint() can no longer be called by anyone. The total supply of 500,000,000 tokens was held by a single EOA at that date.

#02. Gas optimization

Severity: Informational
Status: Acknowledged

  1. Variables _decimals, _symbol, _name (L:353–L:355) are assigned literals in the constructor and never change afterwards. _decimals can be declared immutable; Solidity does not allow immutable strings, so _symbol and _name would instead be declared constant. Either form removes the storage reads from the corresponding getters.

    uint256 private _totalSupply;
    uint8 private _decimals;
    string private _symbol;
    string private _name;

    constructor() public {
        _name = "MANUFACTORY";
        _symbol = "MNFT";
        _decimals = 12;
        _totalSupply = 500000000000000000000; // 500,000,000 tokens with 12 decimals
        _balances[msg.sender] = _totalSupply;
        emit Transfer(address(0), msg.sender, _totalSupply);
    }

  2. The internal method _burnFrom() (L:594) is not called anywhere in the contract and can be deleted. Since _burn() (L:559) is called only from _burnFrom(), it becomes unused as well and can also be removed.

    function _burnFrom(address account, uint256 amount) internal {
        _burn(account, amount);
        _approve(account, _msgSender(), _allowances[account][_msgSender()].sub(amount, "BEP20: burn amount exceeds allowance"));
    }

  3. renounceOwnership(), transferOwnership(), increaseAllowance(), decreaseAllowance(), and mint() are never called internally and could be declared external in order to save gas.
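The following contract is an added illustration written for this post; it is not the audited Manufactory contract. It shows, in one place, the remediation for #01 (an owner-only mint bounded by an immutable cap, plus the renounce pattern that removes the right entirely) and the three optimizations from #02 (constant metadata, external functions, no dead _burnFrom()/_burn() pair). The contract name, the token name and symbol, the MAX_SUPPLY value and the constructor arguments are assumptions; transfer and allowance logic is left out to keep the example focused.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for the Manufactory audit write-up, not the audited code.
// Names, cap and constructor arguments are assumptions.

abstract contract Ownable {
    address private _owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        _owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    modifier onlyOwner() {
        require(msg.sender == _owner, "Ownable: caller is not the owner");
        _;
    }

    function owner() public view returns (address) {
        return _owner;
    }

    // #01: after this call owner() == address(0) and every onlyOwner function
    // reverts permanently. On-chain check: owner() returns the zero address and
    // the most recent OwnershipTransferred event has newOwner == address(0).
    function renounceOwnership() external onlyOwner {
        emit OwnershipTransferred(_owner, address(0));
        _owner = address(0);
    }
}

contract CappedToken is Ownable {
    // #02: metadata that is a literal in the source is a compile-time constant.
    // `constant` is inlined into the bytecode, so the getters cost no SLOAD.
    // Strings may be `constant` but not `immutable` (immutable is for value types).
    string private constant _NAME = "EXAMPLE";   // assumption
    string private constant _SYMBOL = "EXM";     // assumption
    uint8 private constant _DECIMALS = 12;

    // #01: hard cap fixed at deployment. `immutable` is written once in the
    // constructor and afterwards lives in code, not storage.
    uint256 public immutable MAX_SUPPLY;

    uint256 private _totalSupply;
    mapping(address => uint256) private _balances;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 maxSupply, uint256 initialSupply) {
        require(initialSupply <= maxSupply, "initial supply above cap");
        MAX_SUPPLY = maxSupply;
        _mint(msg.sender, initialSupply);
    }

    // #02: functions that are never called internally are `external`.
    function name() external pure returns (string memory) { return _NAME; }
    function symbol() external pure returns (string memory) { return _SYMBOL; }
    function decimals() external pure returns (uint8) { return _DECIMALS; }
    function totalSupply() external view returns (uint256) { return _totalSupply; }
    function balanceOf(address account) external view returns (uint256) { return _balances[account]; }

    // #01: owner-only mint, but bounded. Even a leaked owner key cannot push
    // supply past MAX_SUPPLY; renouncing ownership removes the right entirely.
    function mint(uint256 amount) external onlyOwner returns (bool) {
        _mint(msg.sender, amount);
        return true;
    }

    function _mint(address account, uint256 amount) internal {
        require(account != address(0), "mint to the zero address");
        require(_totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        _totalSupply += amount;
        _balances[account] += amount;
        emit Transfer(address(0), account, amount);
    }

    // #02: no _burnFrom()/_burn() pair. The audited contract never called them,
    // so they are left out rather than shipped as dead code.
}
```

To reproduce the Manufactory parameters with this example, deploy with maxSupply == initialSupply == 500000000 * 10**12; the cap then makes mint() revert on any positive amount even before ownership is renounced, and renounceOwnership() makes it unreachable afterwards.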

Conclusion

One high-severity issue was found in the audited code; it was fixed by renouncing ownership. The audited contract is a standard BEP-20 (ERC-20 compatible) token with an initial supply of 500M tokens and 12 decimals.

The report also includes informational recommendations on reducing gas usage.

The audited contract is deployed to the mainnet of Binance Smart Chain: 0x87cb006d1d93c790bab0c8261809c8f25484454b.

HashEx website: https://hashex.org