Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

Ape Express Info

ape.express

Ape Express represents an innovative protocol to overcome the obstacles project initiators encounter during token launch. This protocol allows creators to instantly launch a token that aligns with their project's specific needs.

Ape Express Logo
Onboarded date 12/12/2025

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

3.42
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

Select the audit
"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Solidity
Onboard date 2025/12/15
Revision date 2025/12/15

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Contract cannot be locked

Owner cannot lock any user funds.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Ownership Privileges
  • There are no ownership privileges in this contract.

Note - This Audit report consists of a security analysis of the TokenStaking smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited the mentioned contract for the Ape Express team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.

Files and details

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Findings and Audit result

Critical
High
3
Medium
Low
Optimization
1
Informational
medium Issues | 3 findings

Pending

#1 medium Issue
Re-entrancy Vulnerabilities in stake and withdraw Functions
TokenStaking.sol
L95-128
L130-147
Description

The TokenStaking contract contains critical re-entrancy vulnerabilities in its core stake and withdraw functions, stemming from a consistent failure to adhere to the Checks-Effects-Interactions security pattern. In both functions, the contract performs external token transfers via the _claimReward or safeTransfer calls before it updates the user's principal stake amount (userInfo.amount and totalShares). This creates a dangerous intermediate state where a user's internal balance has not yet been reduced, but an external call has been made. An attacker using a malicious token contract (e.g., ERC777 or a custom token with transfer hooks) can exploit this by re-entering the function after receiving funds but before their balance is updated. This allows the attacker to repeatedly call the withdraw function, draining their principal stake multiple times and stealing funds from the contract's total pool.

Comments

To eliminate these critical vulnerabilities, both the stake and withdraw functions must be immediately refactored to strictly follow the Checks-Effects-Interactions pattern. All state changes that modify a user's balance or share count must be performed before any external safeTransfer or _claimReward calls are made. By updating the internal accounting (the "Effects") before the external call (the "Interaction"), any re-entrant call will correctly fail at the initial balance check, completely neutralizing the attack vector and securing user funds.

Pending

#2 medium Issue
Precision Loss Leads to Permanent Burning of Rewards
TokenStaking.sol
L149-164
Description

The depositRewards function is critically vulnerable to an attack that allows for the permanent destruction of reward funds. The function's logic first takes custody of the depositor's tokens and only afterward calculates the reward distribution. This calculation, (received * precision) / totalShares, is susceptible to precision loss via integer division. A malicious actor can use a flash loan to temporarily and massively inflate totalShares, deliberately forcing the result of this division to round down to zero. Because the tokens have already been transferred, they become permanently trapped and unclaimable within the contract, as the dividendsPerShare metric is never updated to account for their existence. This allows an attacker to cheaply and effectively burn any pending reward deposit, constituting a severe denial-of-service attack on the protocol's core incentive mechanism.

Comments

To neutralize this vulnerability, the function must be reordered to validate the distribution calculation before taking custody of the funds. The function should first calculate the potential dividendsToAdd based on the input amount. It must then use a require statement to ensure this calculated value is greater than zero, reverting the transaction if the reward is too small to be distributed among the current stakers. Only after this check has passed should the function proceed to transfer the tokens (_transferIn) and apply the state changes.

Pending

#3 medium Issue
Incompatibility with Fee-on-Transfer Tokens Leads to Contract Insolvency
TokenStaking.sol
L193-210
Description

The TokenStaking contract's accounting model is incompatible with deflationary or fee-on-transfer ERC20 tokens. While the _transferIn function correctly measures the actual amount of tokens received after an input fee is taken, the withdraw function does not account for output fees. It attempts to transfer the user's exact share balance, but a fee is taken from this amount during the transfer. This creates a small but persistent discrepancy where the contract's internal accounting of its liabilities (totalShares) decreases by the full amount, while its actual token balance decreases by a smaller amount.

Comments

This architectural flaw will cause a gradual and permanent trapping of funds within the contract, eventually leading to insolvency where the contract's liabilities exceed its assets. To mitigate this, the protocol must either explicitly forbid the use of fee-on-transfer tokens in its documentation and technical specifications, or the entire accounting system must be redesigned. A robust solution would involve tracking user shares and the contract's total token balance separately and calculating withdrawal amounts based on a user's proportional ownership of the contract's real-time balance, thus accounting for both deposit and withdrawal fees.

informational Issues | 1 findings

Pending

#1 informational Issue
Unused Ownable Import
TokenStaking.sol
L5
Description

This is not a vulnerability but constitutes dead code. It increases the file size and can be confusing to future developers or auditors, who might spend time looking for ownership controls that do not exist. This indicates that the contract is intended to be fully decentralized and ownerless after deployment, which is a significant (and positive) design choice that should be clearly documented.

Comments

Remove the unused import "./lib/Ownable.sol"; statement on line 5 for code clarity and to reduce clutter.