Sylvan Token Info
Revolutionizing DeFi with Sustainable Tokenomics on Binance Smart Chain
Team and KYC Verification
The team has securely submitted their personal information to SolidProof.io for verification.
In the event of any fraudulent activities, this information will be promptly reported to the relevant authorities to ensure accountability and compliance.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io,
is currently not
activated
for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
For more information, click here.
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract owner cannot mint
It is not possible to mint new tokens.
Contract owner cannot blacklist addresses.
It is not possible to lock user funds by blacklisting addresses.
Contract owner cannot set high fees
The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.
Contract cannot be locked
Owner cannot lock any user funds.
Token cannot be burned
There is no burning within the contract without any allowances
Ownership is not renounced
The owner retains significant control, which could potentially be used to modify key contract parameters.
Contract is not upgradeable
The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.
Scope of Work
This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.
The auditing process consists of the following systematic steps:
- Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
- Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
- Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
- Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
- Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
- Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
Ownership Privileges
- The owner can exempt wallets from fees.
- The owner can remove the exemptions for wallets for fees.
- The owner can manage the fee exemptions list in bulk.
- The owner can emit the exemption count.
- The owner can create a vesting schedule.
- The owner can configure an admin wallet with a specific token allocation for vesting.
- The owner can process the initial token release for an admin wallet.
- The owner can process the monthly vested token release for an admin wallet.
- The owner can process the monthly vested token release for a locked wallet.
- The owner can set or unset an address as an AMM pair.
Note - This Audit report consists of a security analysis of the SylvanToken smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited one token contract for the SylvanToken team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.
Files and details
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Findings and Audit result
medium Issues | 3 findings
Resolved
#1 medium Issue
Incorrect Vesting Calculation for Admin Wallets in Public Release Function
The releaseVestedTokens function contains a bug that leads to incorrect vesting calculations for admin wallets, resulting in underpayment and a permanent loss of funds. The proof of this flaw is on line 433, where the function exclusively calls the _calculateLockedWalletRelease helper, which is incorrect for admin schedules. This helper function bases its calculation on schedule.totalAmount—the locked 90% portion of an admin's funds—instead of their total original allocation. This error is further proven by the existence of a separate, correct helper function, _calculateAvailableRelease, which contains the proper logic but is never actually used by this public release function. As a result, any admin release processed through this function will be 10% smaller than intended, causing 9% of the admin's total allocation to become permanently trapped in the contract once the vesting period concludes.
Resolved
#2 medium Issue
Misleading Vesting Schedule Configuration for Admin Wallets
This function is the origin of the admin vesting bug because it creates a flawed and ambiguous data state on the blockchain. The core of the issue is on line 543, where it sets the totalAmount field in the generic VestingSchedule struct to the lockedAmount (90% of the admin's total allocation). This action creates a data "landmine"; it stores a partial amount in a field that other functions later assume represents a total. The public releaseVestedTokens function and its helper, _calculateLockedWalletRelease, then read this misleading value and incorrectly use it as the basis for their 5% monthly release calculation. This directly causes the underpayment of admins and the permanent locking of 9% of their funds.
Resolved
#3 medium Issue
The owner can lock token transfer
The contract grants the owner a significant centralized power: the ability to unilaterally halt all standard token transfers at any time by calling the pauseContract function. This function acts as a global kill switch for trading, preventing all holders from using transfer and transferFrom to move their assets. While this can be a valuable security tool in the event of an exploit, it also introduces a high degree of centralization and trust in the owner. An important nuance is that this pause only affects public transfers; it does not stop the owner from continuing to move tokens via administrative functions like processing vesting releases, meaning the owner's capabilities are not fully suspended during a pause.
low Issues | 1 findings
Resolved
#1 low Issue
Unimplemented Trading Control Mechanism
The contract includes an enableTrading function and a corresponding tradingEnabled state variable, which are intended to act as a control switch to prevent public token transfers until liquidity is established. However, the core logic to enforce this restriction is completely missing from the _transfer function. The contract never actually checks the value of the tradingEnabled flag before allowing a transfer to proceed. Consequently, this feature is non-functional, and public trading is effectively enabled from the moment the contract is deployed, rendering the enableTrading function and its associated variables useless dead code.
informational Issues | 2 findings
Resolved
#1 informational Issue
Unused Library Initialization in Constructor
The contract's constructor initializes the walletData state variable by calling the initializeWallets function from the WalletManager library. However, a review of the entire contract reveals that this walletData variable is never read from, modified, or utilized in any other function after this initial setup. This makes the function call, the associated state variable, and the corresponding library import entirely redundant.
Resolved
#2 informational Issue
Unused Stored Variable and Contradictory Logic Comments
The configureAdminWallet function suffers from two distinct code quality issues that increase gas costs and obscure the contract's intended logic. Firstly, it calculates and stores a monthlyRelease value in the AdminWalletConfig struct, an action that consumes gas, yet this variable is never read or used again in the contract's lifecycle. Secondly, and more critically, the function's comments are self-contradictory, most notably stating that the monthly release is both "5% of total allocation" and "calculated on locked amount." This ambiguity is the likely root cause of the critical vesting bug, as it creates confusion about the true basis for the calculation.