Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

RobotCat Info

robocat.me

Inspired by legendary tokens like Doge, Pepe, Shiba Inu and DogWifHat, RoboCat steps in as the defender and unifier of the meme coin universe. Combining the agility of a cat with the unstoppable power of a machine, RoboCat's mission is simple yet powerful: to protect and connect them all. RoboCat is not just another meme coin riding the wave of internet culture. Fast, fearless and armed with razor-sharp claws of steel and a heart of gold, RoboCat is here to build an empire where innovation, fun, fellowship and protection reign supreme. Get ready for the future of meme coins!

RobotCat Logo
Onboarded date 20/01/2025

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

52.92
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

Select the audit
"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Rust / Solana
Onboard date 2025/01/20
Revision date 2025/01/20

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Contract cannot be locked

Owner cannot lock any user funds.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is upgradeable

The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Ownership Privileges
  • The functions create_presale, update_phase, and update_presale can only be executed by the designated authority, granting them control over presale setup and parameter adjustments.
  • The withdrawal functions withdraw_sol and withdraw_token require the claim authority, ensuring that only authorized parties can extract funds.

The audited smart contract is a presale system built using Anchor on the Solana blockchain. It facilitates token purchases using SOL, USDT, or USDC, manages multiple presale phases with dynamic pricing, integrates with Chainlink for price feeds, and handles token claims and withdrawals. The contract follows standard Anchor practices, using PDAs for state management and associated token accounts to streamline token handling.

Throughout the review, the contract’s structure and use of Anchor conventions have been sound. However, several potential improvements were identified:

  • Arithmetic Safety: Many state updates across functions (e.g., updating sold amounts, user contributions) rely on unchecked arithmetic operations. It is recommended to use checked arithmetic to prevent potential overflows when handling large token amounts.
  • Input Validation: Some functions (such as update_phase and update_presale) lack comprehensive validation of inputs, such as phase boundaries and price parameters. Enforcing stricter validation can prevent logical inconsistencies and ensure data integrity.
  • Chainlink Data Verification: When utilizing Chainlink price feeds, additional checks on data freshness and validity can safeguard against stale or manipulated price information.
  • Seed Array Construction: Clarifications in constructing signer seeds for CPIs (Cross-Program Invocations) are advised for better readability and to minimize errors.
  • Authority Constraints: The contract properly restricts sensitive operations to designated authorities, but ensuring robust key management and potentially implementing multi-signature controls could further enhance security.

No critical security vulnerabilities were discovered; the contract is functionally sound but would benefit from the recommended enhancements. The audit focused on a security analysis without exhaustive functional or unit testing. The findings emphasize best practices to strengthen reliability, particularly around arithmetic operations and input validation.

Note - This Audit report consists of a security analysis of the smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, only one contract associated with the project was audited. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.

Files and details

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Findings and Audit result

Critical
High
Medium
Low
Optimization
2
Informational
medium Issues | 4 findings

Resolved

#1 medium Issue
Arithmetic Overflow in State Updates
buy_tokens.rs
L45
L47
L48
L60
L61
L62
Description

Several arithmetic operations (sums) update state fields without explicit overflow checks. While the use of larger intermediate types (e.g., u128) mitigates some risks during calculations, the final casts and cumulative state updates to u64 fields can overflow if extremely large values are processed. Overflowing these counters could lead to incorrect state behavior or potential exploits.

Comments

Use checked arithmetic methods (e.g., checked_add) or Anchor's built-in arithmetic checks where applicable to ensure that additions do not overflow. If an overflow condition is detected, return an error gracefully.

Resolved

#2 medium Issue
Unvalidated Chainlink Price Data
buy_tokens.rs
L31-36
Description

The function fetches SOL price data from a Chainlink feed. However, it does not validate the following: Price Validity, Data Freshness, Unexpected Values. Without these checks, the system relies completely on the integrity and timeliness of the Chainlink feed, leaving room for potential exploitation if the data feed is manipulated or outdated.

Comments

Implement sanity checks on the fetched price and timestamp, eg. Verifying that sol_price > 0, checking that the timestamp is within an acceptable range from the current time and applying bounds to the price to reject values that fall outside expected market conditions

Resolved

#3 medium Issue
Arithmetic Overflow in State Updates
claim_token.rs
L22
Description

The code updates state variables by adding the claim_amount without checking for overflow. If presale_info.t_p_claim_amount is near the maximum value of u64 and a large claim occurs, this addition could overflow, causing incorrect state changes or unexpected behavior.

Comments

Use checked arithmetic (e.g., .checked_add()) to safely perform these updates. If an overflow is detected, return a relevant error.

Resolved

#4 medium Issue
Arithmetic Overflow in State Updates
deposit_token.rs
L71
L73
L74
L89
L90
L91
L93
L94
L95
Description

Similar to previous instructions, this function performs multiple arithmetic operations on state fields without explicit overflow checks. All these updates may overflow if the values become sufficiently large. Overflowing counters can lead to incorrect contract behavior or be exploited to manipulate presale statistics

Comments

Use checked arithmetic methods (e.g., .checked_add()) when updating these fields. If an overflow occurs, handle it gracefully by returning an appropriate error to prevent state corruption.

low Issues | 6 findings

Resolved

#1 low Issue
Lack of Sanity Checks on Price Calculation
deposit_token.rs
L64-66
Description

The function calculates the number of tokens to purchase based on the deposited amount for USDT or USDC. This calculation is done without validating.

Comments

Validate that presale_info.price_nums[phase] != 0 before performing the division. Consider adding bounds checks or handling for unexpected precision loss if exact token amounts are critical.

Resolved

#2 low Issue
Lack of Phase Validation Boundaries
update_phase.rs
L6-16
Description

The update_phase function sets the presale phase without validating the provided phase against expected bounds (e.g., ensuring it does not exceed PHASE_LENGTH). While other parts of the program check if phase >= PHASE_LENGTH to halt certain operations, allowing arbitrary phase values could lead to unexpected behavior or logical inconsistencies elsewhere in the program. For example, setting a phase value far beyond the intended range could effectively end the presale prematurely or cause confusion in phase management.

Comments

Add validation to ensure that the phase input is within an acceptable range, such as 0 <= phase < PHASE_LENGTH, before updating presale_info.phase. Define and use a specific error variant (e.g., InvalidPhase) in your error handling to capture this scenario.

Resolved

#3 low Issue
Lack of Input Validation
update_presale.rs
L7-37
Description

The function directly assigns all provided parameters to the presale_info state without any validation. There is no validation on the new values, such as ensuring that the price_nums array elements are non-zero (to avoid future division-by-zero issues) or that the token mint addresses and Chainlink IDs are valid or meet certain criteria. Also, updating the authority fields without additional checks could lead to unexpected loss of control if the new keys are incorrect.

Comments

Implement sanity checks on critical parameters where applicable.

Resolved

#4 low Issue
Unrestricted Update Timing and Conditions
update_presale.rs
L7-37
Description

The function does not restrict when or under what conditions the presale details can be updated. This means that updates can occur at any time, potentially even during an active presale, which might conflict with business rules or expected user experiences. Also, there is no check on the presale phase or status, so updates could change important parameters (like prices, allocations, or authorities) mid-presale without safeguards.

Comments

Depending on business logic: Implement checks to restrict updates during critical phases of the presale or after it has started.

Resolved

#5 low Issue
Authority Constraint Expression
withdraw_sol.rs
L46
Description

This pattern assumes that presale_info.claim_authority is an account with a .key() method. However, if claim_authority is a Pubkey field (and not an account), using .key() on it might be unnecessary or incorrect. The intended check is likely to compare the signer's key directly to the stored Pubkey

Comments

Adjust the constraint to directly compare the signer's key with the stored Pubkey if claim_authority is a Pubkey

Resolved

#6 low Issue
Authority Constraint Syntax
withdraw_token.rs
L95-98
Description

If presale_info.claim_authority is a Pubkey field (and not an account), using .key() on it is incorrect. This syntax suggests that claim_authority is an account, but if it's actually a stored Pubkey, the comparison should not use .key()

Comments

Adjust the constraint to directly compare the signer's key with the stored Pubkey if claim_authority is a Pubkey

informational Issues | 3 findings

Resolved

#1 informational Issue
Potential Precision Loss or Rounding Errors
buy_tokens.rs
L38
L39
L40
Description

The calculation of the token amount uses integer arithmetic involving division, which can lead to rounding errors. Division operations truncate fractional parts, potentially causing a loss of precision in the number of tokens allocated to the buyer. This behavior is often acceptable in financial contracts, but should be clearly understood and intended.

Comments

If precise distribution is required, consider using algorithms or data types that handle fractional tokens or adjust calculations to minimize rounding errors.

Pending

#2 informational Issue
Single Instance Restriction Due to Constant Seed
create_presale.rs
L64-70
Description

The account for PresaleInfo is initialized using a constant seed (PRESALE_SEED) without any additional entropy. This implies that only one PresaleInfo account can exist at a time under this seed. If the business logic expects multiple concurrent presales or multiple distinct presale configurations, this approach will not allow it, as any subsequent attempt to create another presale with the same seed would fail.

Comments

If multiple concurrent presales or distinct presale instances are required, consider using a more dynamic seed (e.g., including a unique identifier, timestamp, or a user-provided nonce) to allow creation of multiple accounts. If a single presale is intentional, document this behavior clearly.

Pending

#3 informational Issue
Lack of Parameter Validation
create_presale.rs
L8-46
Description

All parameters passed into create_presale are directly stored into the presale_info state without further validation. While this is common for initialization functions where the authority controls input, it may be beneficial to check certain parameters.

Comments

Implement sanity checks for critical parameters if necessary, depending on business requirements. Ensure that downstream logic (e.g., during token purchases) can gracefully handle any unusual or edge-case values set during initialization.