TRX-IN-BANK AUDIT

 

Address TRON Main Network: TJo5Gw4JDH2PBt31X8Um9rzWMHFJnSJZNL

Conclusion:

No vulnerabilities and no backdoors were found in the TrxInBank Smart-Contract. The code was manually reviewed for all commonly known and more specific vulnerabilities.
The TrxInBank Smart-Contract is therefore safe for use in the main network.

Warnings:

— Owner has 12+1+15=28% of commission fee.
— Referral percent of default referrer (owner) can be increased to 10%.

CRITICAL ISSUES (critical, high severity): 0
Bugs and vulnerabilities that enable theft of funds, lock access to funds without possibility to restore it, or lead to any other loss of funds to be transferred to any party; high priority unacceptable bugs for deployment at mainnet; critical warnings for owners, customers or investors.

ERRORS, BUGS (medium, low severity): 2
Bugs that can trigger a contract failure, with further recovery only possible through manual modification of the contract state or contract replacement altogether.

WARNINGS (any severity): 3
Lack of necessary security precautions; other warnings for owners and users.

OPTIMIZATION POSSIBILITIES (very low severity): 3
Possibilities to decrease cost of transactions and data storage of Smart-Contracts.

NOTES AND RECOMMENDATIONS (very low severity): 9
Tips and tricks, all other issues and recommendations, as well as errors that do not affect the functionality of the Smart-Contract.

ERRORS, BUGS

1. Lack of the zero-address-check (medium severity):
There is no zero-address check in the constructor or in the changeOwner function, which could lead to the TRX fee being wasted by sending it to the zero address:
require(«address» != address(0));

2. Self-referring (medium severity):
Self-referring is possible for the owner because of the changeOwner function.
The owner can avoid the _addr != owner check:
— create a deposit from the owner address,
— transfer ownership to another address,
— create a new deposit from the previous owner and specify your own address,
— transfer ownership back.

WARNINGS

1. Extra fee:
Direct commission for owner is 12+1=13%. Also there is indirect commission value inside of _refPayout function: extra 15% goes to the owner wallet as match_bonus.
uint256 _allaff = (_amount*15)/(100);
players[owner].match_bonus+=(_allaff);

2. DoS with (Unexpected) revert (low severity):
The owner can block the deposit function (which allows investing TRX) by reverting the transfer of the fee. Note: the owner cannot gain any advantage from this action.

3. Cycles on parallel deposits (very low severity):
The more deposits a user has, the more transaction fee his withdraw transaction costs, because the payoutOf function loops over a dynamic variable. The limit is 100 deposits per address.
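
The zero-address check from ERRORS, BUGS item 1 and one way to remove the DoS-with-revert condition from warning 2, as an added example (not the TrxInBank source code): the fee is credited to a balance that the owner withdraws separately, so deposit makes no external call that could revert. The names FeeVault, pendingFees, claimFees, MIN_DEPOSIT and the events are assumptions; the code targets Solidity 0.5.x.

```solidity
pragma solidity ^0.5.10;

// Added illustration, NOT the audited contract. All names are hypothetical.
contract FeeVault {
    address payable public owner;
    uint256 public constant DEV_FEE_PERCENT = 12;   // direct owner fee named in the audit
    uint256 public constant MIN_DEPOSIT = 10 * 1e6; // 10 TRX expressed in sun

    // Fees accumulate here instead of being pushed to the owner inside deposit().
    mapping(address => uint256) public pendingFees;

    event OwnerChanged(address indexed previousOwner, address indexed newOwner);
    event Deposited(address indexed player, uint256 amount, uint256 fee);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address payable _owner) public {
        require(_owner != address(0), "Zero address"); // zero-address check
        owner = _owner;
    }

    function changeOwner(address payable _newOwner) external onlyOwner {
        require(_newOwner != address(0), "Zero address"); // zero-address check
        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }

    function deposit() external payable {
        require(msg.value >= MIN_DEPOSIT, "Small amount");
        uint256 fee = msg.value * DEV_FEE_PERCENT / 100;
        // A push transfer such as owner.transfer(fee) at this point would revert
        // the whole deposit whenever the owner address rejects TRX.
        // Pull pattern: only bookkeeping happens here, no external call.
        pendingFees[owner] += fee;
        emit Deposited(msg.sender, msg.value, fee);
    }

    // The fee recipient collects in a separate transaction; a failure here
    // affects only the caller, never other users' deposits.
    function claimFees() external {
        uint256 amount = pendingFees[msg.sender];
        require(amount > 0, "Nothing to claim");
        pendingFees[msg.sender] = 0; // clear the balance before sending
        msg.sender.transfer(amount);
    }
}
```

Fees credited before an ownership change stay claimable by the previous owner address, because the balance is keyed by address rather than by role.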

OPTIMIZATION POSSIBILITIES

Note: these comments do not affect the main functionality of the smart-contract and concern only transaction fees and data storage.

1. There are 8 statistical variables that are not used in the internal logic of the smart contract. They increase the cost of transactions and can be replaced with events.
uint256 total_invested;
uint256 total_withdrawn;
uint256 total_match_bonus;
uint256 public invested;
uint256 public withdrawn;
uint256 public direct_bonus;
uint256 public match_bonus;
uint256 public total_investors=0;

2. The dividends variable can be set only in the _payout function. Both the function and the variable are unnecessary and could easily be removed by changing the structure of the withdraw function:
replace
_payout(msg.sender);
with
uint256 payout = this.payoutOf(msg.sender);
if(payout > 0) {
players[_addr].last_payout = uint40(block.timestamp);
}

3. The variables direct_bonus and match_bonus in the Player struct could be merged into one variable.

NOTES AND RECOMMENDATIONS

1. It is better not to set dynamic variables explicitly to a value. The default uint256 value is 0 anyway.
uint256 public total_investors=0;

2. Recommendation: replace
require(tarifs[_tarif].life_days > 0, "Tarif not found");
with
require(_tarif < 4, "Tarif not found");

3. Recommendation: use memory in the view functions payoutOf (lines 196, 199, 200), getDeposits (line 223), userInfo (line 235). Replace
Player storage player = players[_addr];
with
Player memory player = players[_addr];

4. Recommendation: specify uint type to uint8/uint40/uint256 (lines 214, 222, 251)

5. Recommendation: change the name of parameter indexes to _indexes in the getDeposits function.

6. Recommendation: remove the comments at line 219.

7. There is a false comment «Only external call» at line 232. Some of the functions above it are also external only (like getDeposits).

8. The code has some minor text typos (“tarif” instead of “tariff” etc).

9. The code has some stylistic misfits (lack of spaces and tabs etc).

INDEPENDENT DESCRIPTION OF THE SMART-CONTRACT FUNCTIONALITY:

The TrxInBank smart-contract provides the opportunity to invest any amount of TRX (from 10 TRX) in the contract and get a certain return on investment, if the contract balance has enough funds for payment. You can create a deposit by calling the “deposit” function and attaching a certain amount of TRX to the transaction (from 10 TRX inclusive). Each subsequent deposit is kept separately in the contract, in order to maintain the payment amount for each deposit.

The conditions of investment:

Tariff index    0     1     2     3
Period, days    35    20    15    8
ROI, %          210   140   135   116

The chosen tariff must be specified at the moment of investment.
Withdrawals of dividends are available at any time.
Withdrawal by the user is performed by calling the “withdraw” function from the address from which the deposit was made.
All accruals are summed up and available for withdrawal at any time, i.e. it does not matter at what point the user decides to withdraw the dividends.

Owner commission:

Part of the invested funds is sent to two addresses:
[dev_comission] — 12%.
[sm_commission] – 1%.

Part of the invested funds is available to withdraw to the owner:
[owner match_bonus] – 15%.

Referral program:

Four-level referral program: in the “invest” function, you can specify the address of the referrer. As a result, the referrer will get the opportunity to withdraw a percentage of the investor’s deposit according to the following table:

Referral level   1   2   3   4
Percentage, %    5   3   1   1

Requirements for the referrer: you cannot specify a wallet that has not made at least one contribution to the smart contract.
The referrer is specified once, at the time of the first deposit, and is assigned to the user without the possibility of changing it.
If the user has provided a correct referrer, he gets an “invitee” bonus available to withdraw: 0.5% of the investment.
If no referrer or an invalid referrer was given, the user gets the default referrer: the owner.
The referrers will get their bonuses from each subsequent deposit of the user in the future.
Note: the owner, as the default referrer, can have his own referrers or even implement self-referring (see ERRORS, BUGS).

Functions:

Write contract (calling these functions changes state and requires a tx fee to be paid):

1. deposit – make an investment (index of tariff, referrer address)
2. withdraw – withdraw available dividends
3. changeOwner — transfer ownership (available only to the owner)

Read contract (calling these functions does not require a tx fee):

Constant:
1. tarifs – tariff info (period days, ROI percent)
2. ref_bonuses – referral percents
3. sm_commission – direct commission percent to the sm address
4. dev_comission – direct commission percent to the owner wallet
5. sm – sm_commission wallet

Changeable:
6. getCount – amount of deposits of user
7. getDeposits – deposits info of user
8. payoutOf – dividends available to withdraw
9. players — userInfo
10. total_investors – amount of users
11. withdrawn – total withdrawn
12. invested – total invested
13. match_bonus – total referral bonuses
14. direct_bonus – total invitee percent (cashback)
15. owner – owner address (changeable)
16. contractInfo
17. userInfo

Disclaimer

This audit is not a call to participate in the project and applies only to the Smart-Contract code at the specified address.
If you have any questions or are interested in developing/auditing of Smart-Contracts, please contact us and we will consult you.

Telegram: @gafagilm
E-mail: info@grox.solutions
