Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

OpenFundNet Info

presale.openfundtoken.io

OpenFundNet is a decentralized crowdfunding platform built on blockchain. It connects innovators with a global community of funders, while using validators and a milestone-based system to ensure transparency and fairness.

OpenFundNet Logo
Onboarded date 06/05/2025

Team and KYC Verification

The team has securely submitted their personal information to SolidProof.io for verification.

In the event of any fraudulent activities, this information will be promptly reported to the relevant authorities to ensure accountability and compliance.

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

14.28
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

Select the audit
"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Solidity
Onboard date 2025/05/06
Revision date 2025/05/08

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Contract cannot be locked

Owner cannot lock any user funds.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Ownership Privileges
  • The owner can update token prices without limits (updatePrice).
  • The owner can toggle sale on/off at any time (updateSale).
  • The owner can change the token being sold mid-sale (updateToken).
  • The owner can modify referral percentages without bounds (updateRefferPercentage).
  • The owner can withdraw any ERC20 tokens from the contract (withdrawToken).
  • The owner can withdraw all raised BNB without timelock (withdrawBNB).

Note - This Audit report consists of a security analysis of the OFNT smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited the mentioned contract for the OFNT team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.

Files and details

Findings and Audit result

Critical
High
6
Medium
4
Low
Optimization
1
Informational
medium Issues | 6 findings

Pending

#1 medium Issue
Missing Input Validation in updatePrice Function.
Sale.sol
L507-512
Description

The updatePrice function lacks critical input validation for the usdtPrice parameter, allowing it to be set to zero, unreasonably high values, or drastically different values from the previous price without any restriction. This creates significant economic risks to the token sale, including potential free token distribution, calculation errors, or prohibitively expensive pricing that could disrupt the token sale mechanics. To mitigate this vulnerability, implement bounds checking that ensures the price is always greater than zero, falls below a reasonable maximum threshold, and doesn't change too drastically in a single update (e.g., require(_usdtPrice > 0) and require price changes stay within a reasonable percentage of the previous value).

Pending

#2 medium Issue
Missing 'isContract' check.
Sale.sol
L528-530
Description

The contract lacks a validation check to ensure that specific parameters are contract addresses. Without this check, there is a risk that non-contract addresses (such as externally owned accounts, or EOAs) could be mistakenly set for parameters intended to reference other contracts. This could lead to failures in executing critical interactions within the contract, as EOAs do not support contract-specific functions.

Comments

To mitigate this, implement a validation check to ensure that parameters designated as contract addresses are verified as such. This can be done using Solidity’s Address library function isContract, which checks if an address has associated contract code.

Pending

#3 medium Issue
Missing Input Validation in updateRefferPercentage Function
Sale.sol
L536-539
Description

The updateRefferPercentage function allows the owner to set any arbitrary value for the referral percentage without validation constraints. This is especially concerning as the refferPercentage value directly impacts token distribution calculations in the buy functions where it's used to calculate referral rewards (_referAmount = (_amount.mul(refferPercentage)).div(10000)). Without bounds checks, the owner could potentially set this value excessively high (e.g., >10000), resulting in referral rewards that exceed the principal investment amount, or set it to zero, eliminating referral incentives entirely.

Comments

Implement appropriate validation checks to ensure the referral percentage remains within reasonable bounds. This ensures the referral percentage cannot be set higher than 20% (2000 basis points), protecting the contract's economic model from excessive reward distributions.

Pending

#4 medium Issue
Incorrect Vesting Calculation in Buy Function
Sale.sol
L544-582
L587-613
Description

The buy function erroneously stores payment amounts (USDT/WETH) in vestedBalance mapping instead of token amounts, creating a fundamental mismatch between purchased tokens and vested tokens. Since the claim function uses vestedBalance values to calculate token distributions, users will receive significantly fewer tokens than they purchased (e.g., if 100 USDT buys 1000 tokens, users would only receive 100 tokens through vesting). This critical issue undermines the entire vesting mechanism and would result in substantial financial loss for participants.

Comments

The vesting calculation issue can be fixed by modifying the buy function to store token amounts rather than payment amounts in the vesting system. First, calculate the token amount using the existing calculateToken function. Then, update the vesting balances with these token amounts instead of payment amounts: vestedBalance[msg.sender] += amount where amount is the calculated token amount. Similarly, for referral rewards, calculate the referral token amount as a percentage of the purchased tokens rather than a percentage of the payment: uint256 _referTokenAmount = amount.mul(refferPercentage).div(10000) and then update the referrer's vested balance: vestedBalance[_referrerAddress] += _referTokenAmount. Additionally, the totalVestedAmount tracking should be updated to reflect token amounts rather than payment amounts.

Pending

#5 medium Issue
No Slippage Protection in buyWithBNB Function
Sale.sol
L587-613
Description

The buyWithBNB function calculates token amounts based on current BNB/token exchange rates at transaction execution time without allowing users to specify a minimum acceptable amount. This creates significant risk during volatile market conditions or high network congestion, where users might receive far fewer tokens than expected when their transaction executes. Without slippage protection, users have no guarantee about the minimum tokens they'll receive for their BNB, potentially resulting in unfavorable executions that still succeed rather than reverting when prices move against them.

Comments

Implement a slippage protection mechanism by adding a minTokensExpected parameter to the function: function buyWithBNB(uint256 amount, address _referrer, uint256 minTokensExpected) public payable. After calculating the actual token amount, verify it meets the user's minimum requirement: require(_amount >= minTokensExpected, "Slippage too high");.

Pending

#6 medium Issue
No Verification that Vesting is Complete in claim Function
Sale.sol
L726-737
Description

The claim function only performs basic timing checks (saleEndTime > 0 and block.timestamp >= saleEndTime) to determine if tokens can be claimed, but lacks comprehensive verification that the vesting schedule has been properly initialized and configured. Without validating that all vesting parameters are properly set, there's a risk that claims could begin prematurely or with incorrect parameters. This is particularly concerning given that the vestedPeriod is set to a testing value of 5 minutes and there's no explicit function to properly initialize the vesting schedule when transitioning from the sale to vesting phase.

Comments

Enhance the claim function with additional checks to verify that vesting has been properly configured: require that vestedPeriod is set to a reasonable production value, ensure saleEndTime was set through the proper channel (not just manually modified), and consider implementing a dedicated function to transition from sale to vesting phase that sets all parameters correctly. Additionally, consider implementing an explicit vesting state variable to track whether the contract is in pre-sale, active sale, or vesting mode.

low Issues | 4 findings

Pending

#1 low Issue
Remove safemath library
Sale.sol
L107-318
Description

The compiler version above 0.8.0 has the ability to control arithmetic overflow/underflow. It is recommended to remove the unwanted code in order to avoid high gas fees.

Pending

#2 low Issue
No Price Change Limits
Sale.sol
L507-512
Description

There are no restrictions on how drastically the price can change between updates. This allows for arbitrary price manipulation that could harm users. The function directly sets usdtPrice = _usdtPrice without checking how much it differs from the previous value.

Pending

#3 low Issue
No Input Validation for Amount
Sale.sol
L544-582
Description

The function accepts any non-zero amount without minimum or maximum limits. No validation like require(_amount > minPurchase && _amount < maxPurchase) is present in the function.

Comments

It is recommended to add the necessary purchase limit for the amount in the contract.

Pending

#4 low Issue
Redundant Token Calculation in Buy Function
Sale.sol
L544-582
Description

The buy function contains a redundant and costly calculation by calling the calculateToken function twice with the same parameters. The function first calculates the token amount with amount = calculateToken(_amount, _pay) and later repeats this exact calculation when storing buyer information: buyerInfo[saleCounter] = buyer(msg.sender, _amount, calculateToken(_amount, _pay), _pay). This redundancy unnecessarily increases gas costs, especially problematic since calculateToken performs expensive operations including external calls to the Uniswap router for price calculations.

Comments

Store the result of the first calculation and reuse it when setting buyer information. Replace the redundant call with the stored value: buyerInfo[saleCounter] = buyer(msg.sender, _amount, amount, _pay).

informational Issues | 1 findings

Pending

#1 informational Issue
Floating pragma solidity version
Sale.sol
L10
Description

Adding the constant version of solidity is recommended, as this prevents the unintentional deployment of a contract with an outdated compiler that contains unresolved bugs.