Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

BNBets Info

www.bnbets.live

The world's first decentralized prediction market platform powered by BNB Chain. Create markets, place bets, and earn from your insights.

BNBets Logo
Onboarded date 14/10/2025

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

49.50
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
0xf4AD...A859
Network
BNB Smart Chain - Mainnet
License N/A
Compiler N/A
Type N/A
Language Solidity
Onboard date 2025/10/14
Revision date 2025/10/14

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Contract cannot be locked

Owner cannot lock any user funds.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Ownership Privileges
  • The owner can create a new prediction market.
  • The market resolver can resolve a market by setting the outcome.
  • The owner can update the market resolver address.

Note - This Audit report consists of a security analysis of the BNBets smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited one token contract for the BNBets team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.

Files and details

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Findings and Audit result

Critical
High
1
Medium
Low
Optimization
4
Informational
medium Issues | 1 findings

Pending

#1 medium Issue
Single marketResolver Role Creates a Central Point of Failure and Trust
BNBetsMarketFactory.sol
L468-487
Description

The contract's design creates a significant centralized risk by granting the marketResolver address the sole and unchecked authority to determine the outcome of any market. There is no on-chain mechanism, such as an oracle or a dispute process, to verify that the outcome reported by the resolver is truthful and reflects the real-world event. This allows a malicious or compromised resolver to directly manipulate market results for personal gain. They can observe which betting pool has more funds, place a bet on the opposing side, and then declare their side the winner, effectively stealing the larger pool of funds from legitimate users who made correct predictions.

Comments

To eliminate this critical risk, the resolution authority must be decentralized. The most secure and industry-standard solution is to remove the single marketResolver address and integrate a reputable decentralized oracle network, such as Chainlink. The resolveMarket function should be re-architected to be callable only by a trusted oracle contract that retrieves and verifies real-world data from multiple independent sources.

informational Issues | 4 findings

Pending

#1 informational Issue
Floating pragma solidity version.
BNBetsMarketFactory.sol
L20
Description

Adding the constant version of solidity is recommended, as this prevents the unintentional deployment of a contract with an outdated compiler that contains unresolved bugs.

Pending

#2 informational Issue
Direct ERC20 transfer Call without SafeERC20 Wrapper
BNBetsMarketFactory.sol
L424-461
Description

The buyShares function directly calls the transfer function on the WBNB token contract and relies on its boolean return value. While the official WBNB contract is compliant with the ERC20 standard, not all ERC20 tokens are. Some tokens do not return a boolean value on success, which would cause the require statement to fail and revert the transaction. This direct call pattern is not robust and can lead to unexpected failures if the contract were ever to interact with a different or non-standard token.

Comments

It is a security best practice to use OpenZeppelin's SafeERC20 library for all ERC20 token interactions. The direct call wbnb.transfer(...) should be replaced with the library's wrapper function, wbnb.safeTransfer(...). This ensures the contract will function correctly with all variations of ERC20 tokens and improves its overall robustness.

Pending

#3 informational Issue
Lack of Transaction Deadline Parameter for User Protection
BNBetsMarketFactory.sol
L424-461
Description

The buyShares function does not include a deadline parameter to protect users against long-pending transactions. A user might submit a transaction with a low gas fee, causing it to remain pending in the mempool for an extended period. During this delay, the real-world conditions relevant to the bet could change significantly. When the transaction is finally executed, the user's bet is placed under market conditions they did not intend, potentially leading to a financial loss for them. While this is not a vulnerability in the contract's logic, it is a deviation from DeFi best practices that exposes users to risks from network congestion and delayed execution.

Comments

To protect users from this risk, it is recommended to add a deadline parameter (as a uint256 Unix timestamp) to the buyShares function signature. A require(block.timestamp <= deadline, "Transaction expired"); check should be added at the beginning of the function.

Pending

#4 informational Issue
No Fallback Mechanism for marketResolver Inactivity
BNBetsMarketFactory.sol
L230-718
Description

The contract architecture designates the marketResolver as the exclusive authority responsible for resolving markets. The claimWinnings function requires a market to be in a resolved state before any funds can be claimed. There is currently no alternative mechanism to resolve a market if the marketResolver becomes permanently inactive due to loss of private keys, incapacitation, or project abandonment. This creates a single point of failure where the inability of the resolver to act would cause all user funds in all unresolved markets to become permanently and irrecoverably locked within the contract.

Comments

To safeguard user funds against this operational risk, a fallback mechanism should be implemented. It is recommended to introduce a time-locked emergency function, such as refundFromUnresolvedMarket. This function would allow users to reclaim their original stake if a market remains unresolved for a significant, pre-defined period after its official endTime (e.g., 7-14 days). This ensures a trustless path for users to recover their principal investment even if the centralized resolver fails.