Eagle Swap Info
EagleWorld is owned and operated by Eagle Swap LLC. It is a non-custodial, multi-chain DeFi and Web3 launch infrastructure platform focused on functional products, liquidity access, and cross-chain network access. EFUN is the official platform token issued for EagleWorld and Eagle Swap LLC platform products. The token is designed for platform utility, access, and ecosystem participation.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io,
is currently not
activated
for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
For more information, click here.
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract owner cannot mint
It is not possible to mint new tokens.
Contract owner cannot blacklist addresses.
It is not possible to lock user funds by blacklisting addresses.
Contract owner cannot set high fees
The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.
Contract cannot be locked
Owner cannot lock any user funds.
Token cannot be burned
There is no burning within the contract without any allowances
Ownership is renounced
The contract does not include owner functions that allow post-deployment modifications.
Contract is not upgradeable
The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.
Scope of Work
This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.
The auditing process consists of the following systematic steps:
- Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
- Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
- Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
- Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
- Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
- Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
Smart Contract Analysis Statement
Contract Analysis
The Eagle Fun (EFUN) contract implements an ERC20 token with a fee-on-sell tax, an auto-liquidity engine, a USDT dividend tracker, EIP-2612 permit support and a cross-chain mint and burn bridge adapter on BNB Smart Chain. The overall design follows common patterns for tax tokens on BSC, but a few areas need attention:
- The bridge contract has unbounded mint and burn authority over the token supply. There is no per-call cap, no per-window cap, no nonce, and no kill-switch at the token layer, so the token inherits the entire trust surface of the bridge and its off-chain relayer set.
- The tax processor performs a chain of external calls to the Pancake router, the WBNB withdraw entry, and a native call to the marketing wallet while balances are being updated. Today the live configuration of an externally owned marketing wallet and a canonical quote asset closes the window, but a future deployment that re-uses this template with a callback-capable wallet would re-open it.
- Every router swap is performed with a zero minimum-out and a deadline equal to the current block, which makes every tax-processing sell a textbook sandwich target. The per-event loss is bounded by the swap-at-amount multiplier, but the leak recurs on each triggering trade.
- Sale-address authorisation falls back to a heuristic that compares the candidate contract's reported owner to the token's own owner. The token's owner has been set to the zero address, so the predicate now accepts any contract whose owner view returns zero. The capability is limited to dividend exemption, but the trust signal of the registry is broken.
Ownership Privileges
The ownership of the contract has been renounced - owner() returns the zero address. As a result almost every onlyOwner setter is permanently unreachable. The remaining authorities are split across immutable addresses and a small set of permissionless functions:
- The immutable bridge address can mint and burn arbitrary amounts of the token through bridgeMint and bridgeBurnFrom.
- The immutable marketing wallet receives marketing payouts and the LP tokens produced by the auto-liquidity flow.
- The QuoteTokenDistributor exposes a single bindSpender call which has already been consumed and locked to the token, so the distributor cannot be re-pointed.
- Anyone can call configureOfficialSaleAddress(es) on a contract that passes the loose self-attestation predicate, which then receives dividend exemption.
- The owner-only functions for fee exemption, transfer whitelist, dividend exemption, swap-at-amount, gas-for-processing, claim wait, minimum dividend balance, early-block protection duration, official-bridge configuration and the liquidity-fee sweep are all permanently disabled by the renouncement.
- transferOwnership and renounceOwnership are also permanently unreachable.
- The bridge cannot be rotated because the address is immutable.
- The dividend tracker is owned by the token contract itself, so its admin surface is constrained by the same renounced ownership.
Security Features
The contract implements several positive security features:
- A hardcoded ceiling of one thousand basis points (ten percent) on the sum of the four fee rates, enforced at construction, with the four fee BPS themselves declared immutable. The live total is four hundred basis points (four percent).
- An anti-sniper early-block window and a trading-enable flag that prevent activity before the team explicitly launches the market, with a whitelist bypass for the token, the bridge, the dividend tracker, the marketing wallet and the deployer.
- A _swapping reentrancy flag around the fee-processing entry points which neutralises the most common reentrancy patterns under the live configuration, combined with deferred-emit failure handling that keeps fees recoverable on a failed swap.
- OpenZeppelin's audited ERC20Permit and EIP-712 implementations for the gas-less approval flow, with the chain-id-aware domain separator that resists cross-chain replay.
Note - This Audit report consists of a security analysis of the Eagle Fun smart contract. This analysis did not include economic analysis of the contract's tokenomics. Moreover, we only audited the main contract for the Eagle Fun team. Other contracts associated with the project, including the external bridge contract, the Pancake router and factory, and the BSC-USD and WBNB tokens, were not audited by our team. We recommend investors do their own research before investing.
Files and details
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Findings and Audit result
medium Issues | 2 findings
Pending
#1 medium Issue
Router swaps use zero slippage and block.timestamp deadline
Every internal Pancake V2 call passes 0 as amountOutMin and block.timestamp as the deadline. Accepting any output and any block makes every sell-triggered swap a sandwich target. The bound on per-event loss is small because the swap size is capped at swapTokensAtAmount times MAX_SWAP_MULTIPLIER, but the leak recurs on every triggering sell.
Pending
#2 medium Issue
Unbounded bridge mint and burn authority
bridgeMint and bridgeBurnFrom are callable only by the immutable bridge address but otherwise impose no limits at all. There is no per-call cap, no per-window cap, no chain-id binding, no nonce or message-hash check, and no pausable guard. The token therefore inherits the entire trust assumption of the bridge contract and the off-chain relayer set. A compromise of the bridge implies the ability to inflate totalSupply arbitrarily, and the attacker can immediately dump the inflated supply into the Pancake pair and drain the USDT side. Burn-side abuse can grief specific holders if a malicious bridge replays a burn message.
low Issues | 12 findings
Pending
#1 low Issue
Single-step ownership transfer and irrevocable renouncement
The token inherits OpenZeppelin v5 Ownable, which exposes a single-step transferOwnership and an unconditional renounceOwnership. The live owner has already been set to the zero address, which means every onlyOwner setter on the contract is permanently unreachable. There is no path to recover authority. Re-using the same template without Ownable2Step keeps the same risk profile for the next deployment.
Pending
#2 low Issue
Redundant approvals around _swapTokensForQuoteAsset
_swapTokensForQuoteAsset zero-approves and then approves the swap amount, then zero-approves again on both the failure and the success branch. The pattern is defensive but costs gas and adds reader load.
Pending
#3 low Issue
Four-hop swap path without a liquidity check
_buildSwapPath constructs a token -> bridgeAsset -> WBNB -> targetToken path whenever neither the bridge asset nor the target is WBNB. For the live configuration the path collapses to two or three hops, so this is dormant. For other configurations the path may not be liquid.
Pending
#4 low Issue
bridgeBurnFrom consumes the holder's allowance against the bridge
bridgeBurnFrom spends the allowance of from -> msg.sender, where msg.sender is the bridge contract. This is the standard pattern for ERC-20 bridges, but it forces every outbound bridger to first call approve on the bridge. Mis-integrations frequently surface here.
Pending
#5 low Issue
_isAuthorizedOfficialSale relies on caller self-attestation
The predicate asks the candidate contract to return its own tokenAddress and owner. A malicious contract can return any values. Combined with the renounced state, where owner is the zero address, the predicate becomes essentially permissionless.
Pending
#6 low Issue
Trapped native balance and bricked sells on a failed native payout
_payoutNative reverts with NativeTransferFailed when the recipient rejects the call. Because the call sits in the middle of _processAccumulatedFees and is reached from _update, a payout failure brings down every sell that triggers the fee processor. The live marketing wallet is an externally owned account so the failure cannot trigger today, but if the wallet were ever replaced with a non-payable contract every sell would revert.
Pending
#7 low Issue
Setters lack upper bounds and timelock
setSwapTokensAtAmount requires a non-zero value but has no upper bound relative to totalSupply, so the original owner could have set it so high the auto-swap never fires, locking accumulated fee tokens inside the contract. setGasForProcessing only checks the constants but not the block gas limit. Since ownership has been renounced the live values are frozen and the issue is moot for this deployment, but the template should be tightened.
Pending
#8 low Issue
Unbounded holder iteration in the auto-claim loop
process walks the _holders array round-robin until gasUsed exceeds the configured budget. Each iteration potentially calls account.call with native value. The array has no upper bound. With six hundred holders the loop completes well inside the budget, but the auto-claim flow is wrapped in try/catch, so once the array grows past the safe limit the catch swallows the failure and auto-claims silently stop.
Pending
#9 low Issue
launchFromSale and configureOfficialSaleAddress authorise via the now-zero owner
_isAuthorizedOfficialSale returns true when the candidate contract's tokenAddress matches and its owner matches this.owner. After ownership renouncement this.owner is the zero address. The predicate then reduces to: the candidate is any contract whose owner view returns the zero address and whose tokenAddress view returns the EFUN token address. This is trivial to satisfy with a freshly deployed dummy. The caller can then permanently add itself to the officialSaleAddresses mapping and gain dividend exemption. The capability is bounded to dividend exemption only, but it dilutes the registry as a trust signal and the trust model is broken.
Pending
#10 low Issue
_collectQuoteTokenDistributorBalance sweeps the entire distributor balance
After every successful sell-triggered swap the token pulls the full quote-asset balance of the QuoteTokenDistributor. The distributor is an externally facing contract, so anyone can transfer USDT to it. The next sell sweeps those donations into the token, where they are split across dividends, liquidity and marketing of that single event. The behaviour is intentional in design but lets external parties redirect donations and skew the per-event dividend rate.
Pending
#11 low Issue
Cross-function reentrancy surface in _update and _processAccumulatedFees
_update performs three back-to-back super._update writes interleaved with _processAccumulatedFees. The fee processor in turn calls the Pancake router, the WBNB withdraw entry, and the native call to the marketing wallet. The _swapping flag is flipped before and after each external call but is only consulted by the early-exit in _update, so cross-function reentrancy paths through the dividend tracker, claimDividends or external callbacks on the marketing wallet are still reachable mid-flow. Under the current immutable configuration the marketing wallet is an externally owned account and the quote asset is BSC-USD, so neither has a callback path and the risk is latent. A future deployment with a callback-capable marketing wallet or a malicious WBNB clone would re-open the window.
Pending
#12 low Issue
Dividend payout sizing uses raw balanceOf deltas
_processAccumulatedFees and the downstream helpers read IERC20(quoteAsset).balanceOf(address(this)) before and after the swap, then treat the delta as the amount received. An attacker who donates the quote asset between blocks inflates the delta and changes the dividend, liquidity and marketing split of the next sell. This is the mirror image of the previous finding and lets an attacker boost a known holder's dividend share at low cost.
optimization Issues | 6 findings
Pending
#1 optimization Issue
Storage slot packing for trade-block counters
startTradeBlock is stored as uint256 even though BSC block numbers fit in uint64. Packing it with earlyBlockProtectionDuration in a single slot lowers the gas cost of the trading-protection check, which runs on every taxed transfer.
Pending
#2 optimization Issue
earlyBlockProtectionDuration could be immutable
The value is mutable but the use-case effectively freezes it at deploy time. Promoting it to immutable saves an SLOAD on every trade-time check.
Pending
#3 optimization Issue
Pack the four fee BPS into a single struct
burnFeeBps, dividendFeeBps, liquidityFeeBps and marketingFeeBps each occupy 16 bits and would fit together in one slot. Packing them into a struct or a uint64 reduces the storage reads on every taxed transfer from four to one.
Pending
#4 optimization Issue
Wrap proven-safe BPS math in unchecked
Every taxed transfer computes four fee shares. Each multiplication is provably safe given the BPS cap, so the overflow checks can be skipped to save roughly 150 gas per sell.
Pending
#5 optimization Issue
Mix of require strings and custom errors
The constructor and a few setters still use require with string reasons. Custom errors are cheaper to deploy and cheaper to revert with.
Pending
#6 optimization Issue
_buildSwapPath allocates a fresh array every call
_buildSwapPath and _buildQuoteToTargetPath build a new memory array on every invocation. For the live configuration the path is fixed, so caching it at construction removes the allocation cost from the fee-processing loop.
informational Issues | 8 findings
Pending
#1 informational Issue
Missing NatSpec on the public surface
External and public functions have no doc comments. Events are emitted but not documented. Magic constants have descriptive names but no rationale.
Pending
#2 informational Issue
Unused import QuoteTokenDistributor
The QuoteTokenDistributor type is imported but never used in the file. Foundry's lint pass and the static analysers flag the import as dead.
Pending
#3 informational Issue
Magic numbers in the constructor
Three magic numbers appear inline in the constructor when seeding the dividend tracker minimum balance, the swap-at threshold, and the gas-for-processing budget. Naming them makes the intent obvious to readers and to future maintainers.
Pending
#4 informational Issue
_unwrapQuoteAsset silently returns zero when called with a non-WBNB quote
The helper returns zero when the quote asset is not WBNB. The single live caller handles the no-op correctly, but a future caller may assume an unwrap actually happened. Documenting the precondition reduces the risk of mis-use.
Pending
#5 informational Issue
Several state-changing events are missing useful indexed fields
Events such as DividendProcessSettingsUpdated, TradingEnabled and EarlyBlockProtectionDurationUpdated have no indexed fields. Off-chain indexers that want to filter by operator or by value cannot do so cheaply.
Pending
#6 informational Issue
setEarlyBlockProtectionDuration has no upper bound
The setter accepts any uint256 for the early-block protection window. A very large value would block all non-whitelisted transfers for an unbounded number of blocks. The function is onlyOwner, and ownership is currently renounced, so the value cannot change any more. For future deployments the absence of an upper bound is still a footgun.
Pending
#7 informational Issue
Tracker settings change without a token-layer event
setDividendClaimWait and setMinimumTokenBalanceForDividends forward to the LaunchpadDividendTracker but do not emit any event from the token contract itself. The tracker emits its own events, but indexers that filter only on the token address miss the change.
Pending
#8 informational Issue
Zero-checks missing on several constructor arguments
allowedUsdt_, rewardToken_ (when not the sentinel), quoteTokenDistributor_ (when required) and dexRouter_ (when fees are non-zero) are validated only indirectly through downstream require checks. marketingWallet_ is only validated when marketingFeeBps_ is non-zero. A deploy with marketingFeeBps_ at zero and a mis-typed marketing wallet would lock the address to zero forever.