TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
Summary and Final Words
No open issues of critical, high or medium severity
The contract does not contain open issues of critical, high or medium severity. The critical and medium findings listed under Findings and Audit result below were all marked resolved, so no known unresolved vulnerabilities remain in the reviewed source code.
Contract owner cannot mint
It is not possible to mint new tokens.
Contract owner cannot blacklist addresses
It is not possible to lock user funds by blacklisting addresses.
Contract owner cannot set high fees
Any fees the contract applies are capped at 25% or lower, so the owner cannot soft-lock user funds through fees alone. See the auditor's comments under Final Words for the exact limit in this contract.
Contract cannot be locked
Owner cannot lock any user funds.
Token cannot be burned
There is no burn function in the contract that operates without an allowance.
Ownership is not renounced
The owner retains significant control, which could potentially be used to modify key contract parameters.
Contract is not upgradeable
The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.
Scope of Work
This audit covers the files listed below, each identified by its SHA-1 hash. The project team provided the files for assessment.
The auditing process consists of the following systematic steps:
- Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
- Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
- Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
- Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
- Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
- Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
A file whose hash differs from the one listed has been modified, intentionally or otherwise, after the security review. A differing hash may therefore indicate changed behaviour or a vulnerability that was outside the scope of this review.
Final Words
The following is a concise summary of the audit report together with the auditor's comments on the key findings and observations.
Ownership Privileges
- The owner can set the burn fee percentage up to 5%.
- The owner can exclude/include wallets in burn fees.
- The owner can add/remove wallets in the blacklist mapping.
- The owner can pause/unpause the token transfer.
- The owner can set the max transfer amount to any arbitrary value, excluding zero.
- The owner can withdraw the BNB from the contract.
- The owner can recover tokens from the contract.
Note - This Audit report consists of a security analysis of the BullBucket smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited one token contract for the BullBucket team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.
Findings and Audit result
Critical issues | 1 finding
Resolved
#1 Critical issue
transferOwnership Function is Unusable Due to Infinite Recursion
The transferOwnership function within the contract is critically flawed due to an infinite recursion bug. The function is designed to override the parent contract's behavior to add a check that prevents transferring ownership to a blacklisted address. However, instead of calling the parent contract's function to execute the ownership change, it mistakenly calls itself. This creates an infinite loop, causing any attempt to transfer ownership to fail by running out of gas. As a result, this core administrative function is unusable, and the contract ownership is permanently locked to the original deploying address.
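The shape of this bug, and its fix, as an added illustration that is not the audited BullBucket code: the override below reproduces the pattern described in the finding (an extra blacklist check in front of the parent's ownership transfer). It assumes OpenZeppelin Contracts v5 for `Ownable`; the contract name, the `blacklisted` mapping and `setBlacklisted` are assumptions, not identifiers from the audited source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20; // pinned rather than floating (see the informational finding)

// Assumption: OpenZeppelin Contracts v5, whose Ownable takes the initial
// owner as a constructor argument.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Reconstruction of the pattern behind the finding. The contract name and
// the `blacklisted` mapping are assumptions, not names from the audited source.
contract BlacklistGuardedOwnable is Ownable {
    mapping(address => bool) public blacklisted;

    constructor() Ownable(msg.sender) {}

    function setBlacklisted(address account, bool value) external onlyOwner {
        blacklisted[account] = value;
    }

    // VULNERABLE (shape of the reported bug): after the extra check the
    // override calls itself instead of the parent's implementation, so every
    // call recurses until the transaction exhausts its gas and reverts.
    // Ownership can therefore never be moved away from the deployer.
    //
    // function transferOwnership(address newOwner) public override onlyOwner {
    //     require(!blacklisted[newOwner], "new owner is blacklisted");
    //     transferOwnership(newOwner); // self-call: infinite recursion
    // }

    // FIXED: run the extra check, then delegate to Ownable's implementation
    // via `super`, which performs the actual owner change and emits the event.
    function transferOwnership(address newOwner) public virtual override onlyOwner {
        require(!blacklisted[newOwner], "new owner is blacklisted");
        super.transferOwnership(newOwner);
    }
}
```

A regression test for this class of bug is short: deploy, blacklist one address and confirm `transferOwnership` to it reverts with the blacklist message, then transfer to a clean address and assert that `owner()` now returns it. The vulnerable version fails the second step with an out-of-gas revert rather than changing the owner, which is exactly the symptom the finding describes. The same test also guards against any future override that forgets the `super` call.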
Medium issues | 4 findings
Resolved
#1 Medium issue
Owner Can Effectively Block Transfers by Setting a Low Maximum Transfer Amount
The setMaxTransferAmount function grants the contract owner the authority to limit the number of tokens that can be moved in a single transaction. While the function correctly ensures the amount is greater than zero, it does not enforce a reasonable minimum threshold. A malicious or compromised owner could exploit this by setting the maximum transfer amount to a trivial value, such as 1 wei. This action would cause all economically meaningful transactions to fail because they would exceed the allowed limit, effectively halting token transfers and trapping user funds. This gives the owner a subtle but powerful mechanism to freeze the token ecosystem, similar in effect to the pause functionality.
Resolved
#2 Medium issue
Owner Can Unilaterally Freeze All Token Transfers
The contract grants the owner the ability to pause all core token functionalities at any moment. When activated, this feature blocks all transfers, approvals, and other key interactions with the token, effectively freezing the assets of every holder. While intended as a security measure for emergencies, this mechanism is a powerful tool of centralized control. It gives a single entity the unilateral power to halt all market activity and lock user funds indefinitely. This concentration of power poses a significant risk, as a malicious or compromised owner could abuse the function to manipulate the market or hold user assets hostage.
Resolved
#3 Medium issue
Owner Can Impose Exorbitant Transaction Fees up to 50%
The setBurnFeePercentage function gives the contract owner the unilateral power to impose a burn fee of up to 50% on every token transfer. This is a significant centralization risk, as it allows a single entity to control a critical aspect of the token's economy. A malicious or compromised owner could set the fee to the maximum level, which would make trading or using the token prohibitively expensive. Such an action would severely penalize token holders, deter market activity, and effectively act as a "soft-lock" on user funds by making them too costly to move. This powerful feature requires complete trust in the owner's intentions and security.
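The two parameter findings above (the maximum transfer amount with no lower bound, and the burn fee with a 50% ceiling) share one root cause: an owner-only setter whose bounds are too loose to prevent a soft-lock. The following is an added example, not the project's own contract, showing the weak setters beside hardened ones whose limits are compile-time constants. The contract name, the 1%-of-supply floor for the transfer limit, and the 5% fee cap (chosen to match the limit stated under Final Words) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

// Illustrative admin surface, not the audited BullBucket contract.
// Names and constants are assumptions chosen to show bounded setters.
contract BoundedAdmin {
    address public owner;
    uint256 public immutable totalSupply;

    // Bounds are compiled in, so the owner cannot relax them after deployment.
    uint256 public constant MAX_BURN_FEE_PERCENT = 5;   // assumption: the 5% cap from Final Words
    uint256 public constant MIN_MAX_TRANSFER_BPS = 100; // assumption: floor of 1% of total supply

    uint256 public burnFeePercent;
    uint256 public maxTransferAmount;

    event BurnFeeUpdated(uint256 oldPercent, uint256 newPercent);
    event MaxTransferUpdated(uint256 oldAmount, uint256 newAmount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 supply) {
        owner = msg.sender;
        totalSupply = supply;
        maxTransferAmount = supply; // no effective limit until the owner sets one
    }

    // WEAK (as in the finding): only zero is rejected, so a value of 1 wei is
    // accepted and every economically meaningful transfer then reverts below.
    //
    // function setMaxTransferAmount(uint256 amount) external onlyOwner {
    //     require(amount > 0, "zero");
    //     maxTransferAmount = amount;
    // }

    // HARDENED: the limit can never drop below a fixed share of supply.
    function setMaxTransferAmount(uint256 amount) external onlyOwner {
        uint256 floor = (totalSupply * MIN_MAX_TRANSFER_BPS) / 10_000;
        require(amount >= floor, "max transfer below floor");
        emit MaxTransferUpdated(maxTransferAmount, amount);
        maxTransferAmount = amount;
    }

    // WEAK (as in the finding): a 50% ceiling lets the owner make every
    // transfer uneconomic, which soft-locks user funds.
    //
    // function setBurnFeePercentage(uint256 pct) external onlyOwner {
    //     require(pct <= 50, "fee too high");
    //     burnFeePercent = pct;
    // }

    // HARDENED: ceiling low enough that the fee cannot be used as a lock.
    function setBurnFeePercentage(uint256 pct) external onlyOwner {
        require(pct <= MAX_BURN_FEE_PERCENT, "fee above cap");
        emit BurnFeeUpdated(burnFeePercent, pct);
        burnFeePercent = pct;
    }

    // Transfer-side checks that give the bounds above their effect: the
    // caller of a transfer hook would reject `amount` or burn `burnAmount`.
    function checkTransfer(uint256 amount) public view returns (uint256 burnAmount) {
        require(amount <= maxTransferAmount, "exceeds max transfer");
        burnAmount = (amount * burnFeePercent) / 100;
    }
}
```

The events are there so that off-chain monitoring can alert on every parameter change; with a weak setter, the first sign of abuse is usually a wave of failed transfers, whereas an emitted event is visible the moment the owner acts. Where the project needs more room than a constant allows, a timelock on the setters is the usual next step, but that is a design choice the finding does not prescribe.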
Resolved
#4 Medium issue
The owner can blacklist wallets
The contract includes a mechanism that allows the owner to blacklist any arbitrary wallet address. Once blacklisted, the affected wallet is prevented from transferring tokens. This introduces a significant centralization and censorship risk, as the contract owner could—intentionally or unintentionally—restrict token holders from accessing or moving their assets for an indefinite period. Such unilateral control compromises user trust, limits decentralization, and may negatively impact the token’s utility and market behavior.
Informational issues | 1 finding
Resolved
#1 Informational issue
Floating pragma solidity version
Pinning the compiler to one exact version, rather than a floating range, is recommended. A floating pragma allows the contract to be compiled and deployed with a compiler other than the one it was reviewed and tested with, including an outdated release containing unresolved bugs.