Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

Community Grocery Store (CGS) Info

www.communitygrocerystore.com

Community Grocery Store (CGS) empowers communities to fight back against the rising cost of living. By connecting consumers directly with local growers, our innovative app eliminates costly intermediaries, dramatically cutting grocery bills. With AI-driven insights, blockchain security, and transparent pricing, CGS ensures fresh, affordable food becomes accessible to everyone, fostering economic resilience and sustainability within your community.

Community Grocery Store (CGS) Logo
Onboarded date 12/06/2025

Team and KYC Verification

The team has securely submitted their personal information to SolidProof.io for verification.

In the event of any fraudulent activities, this information will be promptly reported to the relevant authorities to ensure accountability and compliance.

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

29.60
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

Select the audit
"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Solidity
Onboard date 2025/06/12
Revision date 2025/06/12

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Token transfer can be locked

Owner can lock user funds with owner functions.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Ownership Privileges
  • The presale admin can set vesting schedule parameters in the contract.
  • The presale admin can update vesting schedule parameters in the contract.
  • The presale admin can pause the presale operations.
  • The presale admin can unpause the presale operations.
  • The presale admin can withdraw ERC20 tokens from the contract.
  • The presale admin can change the treasury address.
  • The presale admin can set the vesting contract address.
  • The presale admin can add payment tokens with exchange rates.
  • The presale admin can remove payment tokens from the contract.
  • The owner can grant and revoke presale admin roles.

Note - This Audit report consists of a security analysis of the Community Grocery Store smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited the mentioned contract for the Community Grocery Store team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.

Files and details

Findings and Audit result

Critical
High
5
Medium
Low
Optimization
1
Informational
medium Issues | 5 findings

Pending

#1 medium Issue
Missing VESTING_CREATOR_ROLE Assignment
Presale.sol
L96-113
Description

The Presale contract constructor fails to establish necessary VESTING_CREATOR_ROLE permissions with the vesting contract, rendering the entire presale non-functional. This causes unpausePresale() to always fail when validating required roles, preventing presale activation. Additionally, the buy() function cannot execute addVestingSchedule() calls due to missing permissions. The root cause is improper deployment coordination where the vesting contract grants creator roles only to its deployer, having no knowledge of the presale contract address during initialization.

Comments

Implement coordinated three-phase deployment: deploy vesting contract, deploy presale contract, then grant VESTING_CREATOR_ROLE to presale address via vestingContract.grantRole(). Add post-deployment validation, consider factory deployment patterns, enhance constructor with role verification, and establish comprehensive integration testing to prevent similar initialization oversights.

Pending

#2 medium Issue
Admin Can Withdraw Presale Tokens
Presale.sol
L133-142
Description

The withdrawERC20 function allows administrators to withdraw any ERC20 token from the contract, including the presale tokens that should be reserved exclusively for buyers who have purchased them. This creates a critical vulnerability where malicious or compromised admins can drain all presale tokens, leaving buyers unable to receive their vested tokens through the vesting contract. The function lacks proper validation to distinguish between administrative tokens (like accidentally sent tokens) and the core presale tokens that represent buyer commitments. This completely breaks the contract's fundamental promise of token delivery after purchase.

Comments

Add explicit validation in withdrawERC20 to prevent withdrawal of the presale token by checking require(withdrawTokenAddress != tokenAddress, "Cannot withdraw presale tokens"). Consider implementing separate withdrawal functions for different token types, add multi-signature requirements for any withdrawal operations, implement timelock mechanisms for critical admin functions, and establish comprehensive monitoring to detect unauthorized withdrawal attempts.

Pending

#3 medium Issue
Unrestricted Vesting Parameter Changes During Active Presale Operations
Presale.sol
L115-131
Description

The setVestingScheduleParameters function allows administrators to modify vesting duration and cliff parameters without requiring presale pause, creating unfair conditions where different buyers receive different vesting terms within the same presale round. The function accepts zero values for vesting duration, completely breaking the vesting mechanism by making tokens immediately claimable. Additionally, when cliff equals duration, it creates binary vesting where all tokens unlock simultaneously rather than gradually, potentially causing market disruption. The lack of reasonable upper bounds validation allows setting extreme durations that could effectively burn tokens by locking them for unreasonable periods.

Comments

Add require(isPresalePaused, PresaleIsNotPaused()) to prevent changes during active presale. Implement minimum duration validation require(vestingDuration > 0, "Duration must be greater than zero") and maximum bounds checking require(vestingDuration <= MAX_VESTING_DURATION, "Duration too long"). Add cliff-duration relationship validation to prevent binary vesting scenarios and ensure gradual token release as intended.

Pending

#4 medium Issue
Missing 'isContract' check.
Presale.sol
L180-187
L189-195
Description

The contract lacks a validation check to ensure that specific parameters are contract addresses. Without this check, there is a risk that non-contract addresses (such as externally owned accounts, or EOAs) could be mistakenly set for parameters intended to reference other contracts. This could lead to failures in executing critical interactions within the contract, as EOAs do not support contract-specific functions.

Comments

Implement a validation check to ensure that parameters designated as contract addresses are verified as such. This can be done using Solidity’s Address library function isContract, which checks if an address has associated contract code.

Pending

#5 medium Issue
External Calls Enable Reentrancy Attacks in Token Purchase Function
Presale.sol
L204-283
Description

The buy function makes multiple external calls (transferFrom, approve, addVestingSchedule) before updating internal state (presaleTokensSold), violating the Checks-Effects-Interactions pattern. This allows malicious payment tokens to reenter the contract during transferFrom execution and call buy again before the first transaction completes. The reentrant call bypasses token availability checks since presaleTokensSold hasn't been updated yet, enabling attackers to drain more presale tokens than they paid for. A malicious admin could add a weaponized ERC20 token as payment method, or attackers could exploit existing tokens with callback mechanisms.

Comments

Implement OpenZeppelin's ReentrancyGuard by adding nonReentrant modifier to the buy function. Follow Checks-Effects-Interactions pattern by updating presaleTokensSold before any external calls. Consider using pull-over-push payment pattern where users approve tokens and contract pulls them atomically with vesting creation.

informational Issues | 1 findings

Pending

#1 informational Issue
Floating pragma solidity version.
Presale.sol
L2
Description

Adding the constant version of solidity is recommended, as this prevents the unintentional deployment of a contract with an outdated compiler that contains unresolved bugs.