
CryptoInu

29. January, 2022

Disclaimer 3

Description 5

Project Engagement 5

Logo 5

Contract Link 5

Methodology 7

Used Code from other Frameworks/Smart Contracts (direct imports) 8

Tested Contract Files 9

Source Lines 10

Risk Level 10

Capabilities 11

Inheritance Graph 12

CallGraph 13

Scope of Work/Verify Claims 14

Modifiers and public functions 20

Source Units in Scope 21

Critical issues 22

High issues 22

Medium issues 22

Low issues 22

Informational issues 23

Commented Code exist 23

Audit Comments 23

SWC Attacks 24

Disclaimer
SolidProof.io reports are not, nor should be considered, an “endorsement”
or “disapproval” of any particular project or team. These reports are not,
nor should be considered, an indication of the economics or value of any
“product” or “asset” created by any team. SolidProof.io does not cover
testing or auditing the integration with external contracts or services (such
as Unicrypt, Uniswap, PancakeSwap etc.).

SolidProof.io Audits do not provide any warranty or guarantee
regarding the absolute bug-free nature of the technology analyzed,
nor do they provide any indication of the technology proprietors.
SolidProof Audits should not be used in any way to make decisions
around investment or involvement with any particular project. These
reports in no way provide investment advice, nor should be leveraged
as investment advice of any sort.

SolidProof.io Reports represent an extensive auditing process intending to
help our customers increase the quality of their code while reducing the
high level of risk presented by cryptographic tokens and blockchain
technology. Blockchain technology and cryptographic assets present a
high level of ongoing risk. SolidProof’s position is that each company and
individual are responsible for their own due diligence and continuous
security. SolidProof in no way claims any guarantee of security or
functionality of the technology we agree to analyze.

Version | Date | Description
1.0 | 29. January 2022 | • Layout project
• Automated/Manual Security Testing
• Summary

Network
Binance Smart Chain (BEP20)

Website
https://cabcd.org/

Telegram
https://t.me/cryptoinu_main

Twitter
https://twitter.com/CryptoInu_ABCD

Github
https://github.com/cryptoinu-abcd

Medium
https://medium.com/@crypto_inu

Description
Crypto Inu is an immersive multiplayer board game with 3D and VR
modes that incorporates metaverse real estate investment where players
own, sell, trade, and collect NFT assets.

Project Engagement
On the 27th of January 2022, the CryptoInu Team engaged Solidproof.io
to audit smart contracts that they created. The engagement was
technical in nature and focused on identifying security flaws in the design
and implementation of the contracts. They provided Solidproof.io with
access to their code repository and whitepaper.

Logo

Contract Link
v1.0
• https://bscscan.com/address/0xa0cc3a881aef241d6cb3b7db3168bd26094560be#code


Vulnerability & Risk Level
Risk represents the probability that a certain threat source will exploit a
vulnerability, and the impact of that event on the organization or system.
The Risk Level is computed based on CVSS version 3.0.

Level | Value | Vulnerability | Risk (Required Action)
Critical | 9 – 10 | A vulnerability that can disrupt the contract functioning in a number of scenarios, or creates a risk that the contract may be broken. | Immediate action to reduce risk level.
High | 7 – 8.9 | A vulnerability that affects the desired outcome when using a contract, or provides the opportunity to use a contract in an unintended way. | Implementation of corrective actions as soon as possible.
Medium | 4 – 6.9 | A vulnerability that could affect the desired outcome of executing the contract in a specific scenario. | Implementation of corrective actions in a certain period.
Low | 2 – 3.9 | A vulnerability that does not have a significant impact on possible scenarios for the use of the contract and is probably subjective. | Implementation of certain corrective actions or accepting the risk.
Informational | 0 – 1.9 | A vulnerability that has informational character but is not affecting any of the code. | An observation that does not determine a level of risk.


Auditing Strategy and Techniques Applied
Throughout the review process, care was taken to evaluate the repository
for security-related issues, code quality, and adherence to specification
and best practices. To do so, the code was reviewed line-by-line by our team of expert
pentesters and smart contract developers, documenting any issues as
they were discovered.

Methodology
The auditing process follows a routine series of steps:
1. Code review that includes the following:
i) Review of the specifications, sources, and instructions provided to SolidProof
to make sure we understand the size, scope, and functionality of the smart
contract.
ii) Manual review of code, which is the process of reading source code line-by-
line in an attempt to identify potential vulnerabilities.
iii) Comparison to specification, which is the process of checking whether the
code does what the specifications, sources, and instructions provided to
SolidProof describe.

2. Testing and automated analysis that includes the following:
i) Test coverage analysis, which is the process of determining whether the test
cases are actually covering the code and how much code is exercised when
we run those test cases.
ii) Symbolic execution, which is analysing a program to determine what inputs
cause each part of a program to execute.

3. Best practices review, which is a review of the smart contracts to improve efficiency,
effectiveness, clarity, maintainability, security, and control based on the established
industry and academic practices, recommendations, and research.

4. Specific, itemized, actionable recommendations to help you take steps to secure
your smart contracts.

Used Code from other Frameworks/Smart
Contracts (direct imports)
Imported packages:

Tested Contract Files
This audit covered the following files listed below with a SHA-1 Hash.

A file with a different Hash has been modified, intentionally or otherwise,
after the security review. A different Hash could be (but not necessarily)
an indication of a changed condition or potential vulnerability that was
not within the scope of this review.

v1.0


Metrics
Source Lines
v1.0

Risk Level
v1.0


Capabilities
Components
Version Contracts Libraries Interfaces Abstract

1.0 2 2 1 1

Exposed Functions
This section lists functions that are explicitly declared public or payable.
Please note that getter methods for public stateVars are not included.

Version Public Payable

1.0 30 0

Version External Internal Private Pure View

1.0 10 47 13 10 20

State Variables
Version Total Public

1.0 17 4

Capabilities
Version | Solidity Versions observed | Experimental Features | Can Receive Funds | Uses Assembly | Has Destroyable Contracts
1.0 | ^0.6.12 | | | yes (2 asm blocks) |


Inheritance Graph
v1.0


CallGraph
v1.0


Scope of Work/Verify Claims
The token team provided us with the files that need to be tested
(GitHub, BscScan, Etherscan, files, etc.). The scope of the audit is the main
contract (usually with the same name as the team, with .sol appended).

We will verify the following claims:


1. Correct implementation of Token standard
2. Deployer cannot mint any new tokens
3. Deployer cannot burn or lock user funds
4. Deployer cannot pause the contract
5. Overall checkup (Smart Contract Security)

Correct implementation of Token standard
Function | Description | Exist | Tested | Verified
TotalSupply | provides information about the total token supply | ✓ | ✓ | ✓
BalanceOf | provides account balance of the owner's account | ✓ | ✓ | ✓
Transfer | executes transfers of a specified number of tokens to a specified address | ✓ | ✓ | ✓
TransferFrom | executes transfers of a specified number of tokens from a specified address | ✓ | ✓ | ✓
Approve | allows a spender to withdraw a set number of tokens from a specified account | ✓ | ✓ | ✓
Allowance | returns a set number of tokens from a spender to the owner | ✓ | ✓ | ✓


Write functions of contract


v1.0


Deployer cannot mint any new tokens


Name | Exist | Tested | Status
Deployer cannot mint | - | - | -

Max / Total Supply: 100.000.000.000.000


Deployer cannot burn or lock user funds


Name | Exist | Tested | Status
Deployer cannot lock | ✓ | ✓ | ✘
Deployer cannot burn | - | - | -
Comments:
v1.0
• Deployer can lock user funds by setting _maxTxAmount to 0
• Deployer can lock selling for a period of 10 seconds


Deployer cannot pause the contract


Name | Exist | Tested | Status
Deployer cannot pause | - | - | -


Overall checkup (Smart Contract Security)


Tested | Verified
✓ | ✓
Legend
Attribute | Symbol
Verified / Checked | ✓
Partly Verified | ⚑
Unverified / Not checked | ✘
Not available | -


Modifiers and public functions
v1.0

Comments
• Deployer can set the following state variables without any limitations:
• _maxTxAmount
• Everybody can call the reflect function

Please check if an OnlyOwner or similar restrictive modifier has been
forgotten.


Source Units in Scope


v1.0

Legend
Attribute | Description
Lines | total lines of the source unit
nLines | normalized lines of the source unit (e.g. normalizes functions spanning multiple lines)
nSLOC | normalized source lines of code (only source-code lines; no comments, no blank lines)
Comment Lines | lines containing single or block comments
Complexity Score | a custom complexity score derived from code statements that are known to introduce code complexity (branches, loops, calls, external interfaces, ...)


Audit Results

AUDIT PASSED
Critical issues
No critical issues

High issues
No high issues

Medium issues
No medium issues

Low issues
Issue | File | Type | Line | Description
#1 | Main | Contract doesn’t import npm packages from source (like OpenZeppelin etc.) | - | We recommend importing all packages from npm directly without flattening the contract. Functions could be modified or can be susceptible to vulnerabilities.
#2 | Main | A floating pragma is set | 7 | The current pragma Solidity directive is "^0.6.12".
#3 | Main | Missing Zero Address Validation (missing-zero-check) | 682 | Check that the address is not zero.
#4 | Main | Local variables shadowing | 566, 478 | Rename the local variables that shadow another component.
#5 | Main | Missing Events Arithmetic | 513 | Emit an event for critical parameter changes.
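The _maxTxAmount lock finding (Deployer cannot burn or lock user funds) and Low issues #3 and #5 share one remediation pattern. The following is an added illustration written for this summary, not code from the audited CryptoInu contract: the unbounded setter beside a bounded, event-emitting one, plus a zero-address check on an address-typed setter. The contract name, the 0.1 % floor and the use of the reported 100.000.000.000.000 supply with no decimals are assumptions.

```solidity
// Added illustration, not the audited CryptoInu contract.
pragma solidity 0.6.12;

contract BoundedTxLimit {
    // Assumption: reported max supply of 100.000.000.000.000 tokens, decimals ignored here.
    uint256 public constant TOTAL_SUPPLY = 100 * 10**12;
    // Assumed floor: the limit may never drop below 0.1 % of supply (10 basis points).
    uint256 public constant MIN_TX_BPS = 10;

    address public owner;
    uint256 public _maxTxAmount = TOTAL_SUPPLY;

    event MaxTxAmountUpdated(uint256 previousValue, uint256 newValue);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    // Pattern the report flags: no lower bound and no event, so the owner can set the
    // limit to 0 and every transfer reverts, and the change leaves no log to alert on.
    function setMaxTxAmountWeak(uint256 amount) external onlyOwner {
        _maxTxAmount = amount;
    }

    // Hardened setter: bounded on both sides and logged, so funds cannot be frozen by
    // this parameter and off-chain monitoring can watch MaxTxAmountUpdated.
    function setMaxTxAmount(uint256 amount) external onlyOwner {
        uint256 floor = TOTAL_SUPPLY * MIN_TX_BPS / 10000;
        require(amount >= floor, "maxTxAmount below floor");
        require(amount <= TOTAL_SUPPLY, "maxTxAmount above supply");
        emit MaxTxAmountUpdated(_maxTxAmount, amount);
        _maxTxAmount = amount;
    }

    // Zero-address validation (Low issue #3) on an address-typed parameter change.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}
```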


Informational issues
Issue | File | Type | Line | Description
#1 | Main | State variables that could be declared constant (constable-states) | 440, 438, 439, 443 | Add the `constant` attribute to state variables that never change
#2 | Main | Functions that are not used | 345, 305, 315, 330, 340, 252, 279, 14, 212, 228 | Remove unused functions
#3 | Main | NatSpec documentation missing | - | If you start to comment your code, also comment all other functions, variables etc.

Commented Code exist


There are some instances of code being commented out in the following
files that should be removed:

Line Comment

195 // assert(a == b * c + a % b); // There is no case in which this doesn't hold

Recommendation
Remove the commented code, or address it properly.

Audit Comments
29. January 2022:
• Reflect cannot be called if address is excluded
• Read whole report for more information


SWC Attacks
ID | Title | Relationships | Status
SWC-136 | Unencrypted Private Data On-Chain | CWE-767: Access to Critical Private Variable via Public Method | PASSED
SWC-135 | Code With No Effects | CWE-1164: Irrelevant Code | PASSED
SWC-134 | Message call with hardcoded gas amount | CWE-655: Improper Initialization | PASSED
SWC-133 | Hash Collisions With Multiple Variable Length Arguments | CWE-294: Authentication Bypass by Capture-replay | PASSED
SWC-132 | Unexpected Ether balance | CWE-667: Improper Locking | PASSED
SWC-131 | Presence of unused variables | CWE-1164: Irrelevant Code | PASSED
SWC-130 | Right-To-Left-Override control character (U+202E) | CWE-451: User Interface (UI) Misrepresentation of Critical Information | PASSED
SWC-129 | Typographical Error | CWE-480: Use of Incorrect Operator | PASSED
SWC-128 | DoS With Block Gas Limit | CWE-400: Uncontrolled Resource Consumption | PASSED
SWC-127 | Arbitrary Jump with Function Type Variable | CWE-695: Use of Low-Level Functionality | PASSED
SWC-125 | Incorrect Inheritance Order | CWE-696: Incorrect Behavior Order | PASSED
SWC-124 | Write to Arbitrary Storage Location | CWE-123: Write-what-where Condition | PASSED
SWC-123 | Requirement Violation | CWE-573: Improper Following of Specification by Caller | PASSED
SWC-122 | Lack of Proper Signature Verification | CWE-345: Insufficient Verification of Data Authenticity | PASSED
SWC-121 | Missing Protection against Signature Replay Attacks | CWE-347: Improper Verification of Cryptographic Signature | PASSED
SWC-120 | Weak Sources of Randomness from Chain Attributes | CWE-330: Use of Insufficiently Random Values | PASSED
SWC-119 | Shadowing State Variables | CWE-710: Improper Adherence to Coding Standards | NOT PASSED
SWC-118 | Incorrect Constructor Name | CWE-665: Improper Initialization | PASSED
SWC-117 | Signature Malleability | CWE-347: Improper Verification of Cryptographic Signature | PASSED
SWC-116 | Timestamp Dependence | CWE-829: Inclusion of Functionality from Untrusted Control Sphere | PASSED
SWC-115 | Authorization through tx.origin | CWE-477: Use of Obsolete Function | PASSED
SWC-114 | Transaction Order Dependence | CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | PASSED
SWC-113 | DoS with Failed Call | CWE-703: Improper Check or Handling of Exceptional Conditions | PASSED
SWC-112 | Delegatecall to Untrusted Callee | CWE-829: Inclusion of Functionality from Untrusted Control Sphere | PASSED
SWC-111 | Use of Deprecated Solidity Functions | CWE-477: Use of Obsolete Function | PASSED
SWC-110 | Assert Violation | CWE-670: Always-Incorrect Control Flow Implementation | PASSED
SWC-109 | Uninitialized Storage Pointer | CWE-824: Access of Uninitialized Pointer | PASSED
SWC-108 | State Variable Default Visibility | CWE-710: Improper Adherence to Coding Standards | PASSED
SWC-107 | Reentrancy | CWE-841: Improper Enforcement of Behavioral Workflow | PASSED
SWC-106 | Unprotected SELFDESTRUCT Instruction | CWE-284: Improper Access Control | PASSED
SWC-105 | Unprotected Ether Withdrawal | CWE-284: Improper Access Control | PASSED
SWC-104 | Unchecked Call Return Value | CWE-252: Unchecked Return Value | PASSED
SWC-103 | Floating Pragma | CWE-664: Improper Control of a Resource Through its Lifetime | NOT PASSED
SWC-102 | Outdated Compiler Version | CWE-937: Using Components with Known Vulnerabilities | PASSED
SWC-101 | Integer Overflow and Underflow | CWE-682: Incorrect Calculation | PASSED
SWC-100 | Function Default Visibility | CWE-710: Improper Adherence to Coding Standards | PASSED
