
Audit Report


  • Security Score :  9/10
  • Tags :  ROI, yield farm
  • Address :  0xC7EF12b20a9F02FAbE9cfA7CC46917469068F478
  • Blockchain :   BNB Smart Chain
  • Website :


Gold Digger is a yield farm (or ROI dApp), a decentralized application where investors deposit funds to get periodic earnings. Even though the contract refers to itself as a miner, it does not use a sub-token and acts as a fairly simple ROI dApp.

It's recommended that users review this report in its entirety to fully understand the application's fundamentals and risks.

We found a critical security issue allowing any user to drain the contract balance; it was resolved by the deployer team shortly afterwards.


  1. The audit focuses on the smart contract deployed on BNB Smart Chain, which is the only contract associated with the project.
  2. The audit does not cover any off-chain components or systems associated with the contract.
  3. The audit does not cover any user interfaces or user experience associated with the contract.
  4. The audit does not cover any legal or regulatory compliance of the contract.


This is a basic ROI dApp where users can invest BNB, accumulate earnings as gold and pickaxe, reinvest one or the other (which gives flexibility in investment management), and withdraw as BNB. The maximum deposit value per investor depends on how much time has passed since the launch date (the first deposit into the contract).

The first deposit initiates the contract and defines the launch date of the contract.

Fees (on deposit):

  • 30% as pickaxe (equivalent to 3% when converted as BNB) to owner-related account (0xaAb5cf19B0D0002221C5723c5616a09F434fc036).
  • 5% as BNB to owner-related account (0xaAb5cf19B0D0002221C5723c5616a09F434fc036).

Gold & Pickaxe:

  • Gold is 1 BNB = 1 Gold.
  • Pickaxe is 0.1 BNB = 1 Pickaxe.


  • The referrer's account address is defined once on deposit.
  • The referrer and the referrer's referrer may receive an affiliate percentage based on the deposited value: 4% for the first and 1% for the second as BNB, and 60% and 15% as pickaxe (or 6% and 1.5% respectively).

Interest rate:

  • Starts at 2.7% daily.
  • Can increase up to 3.7% by maxing out referrals; to reach that number, investors must have referred 123 new investors.

Maximum deposit value:

  • up to 7 days since launch: 0.5 BNB.
  • 7 to 14 days since launch: 1 BNB.
  • 14 to 21 days since launch: 2 BNB.
  • 21 to 28 days since launch: 4 BNB.
  • 28 to 35 days since launch: 8 BNB.
  • 35 to 42 days since launch: 16 BNB.
  • 42 days since launch: 1,000,000 BNB.

Compounding (reinvest):

  • Investors can use pickaxe to reinvest, with a conversion rate of 1 pickaxe = 0.1 BNB.
  • Investors can use gold to reinvest, with a conversion rate of 1 gold = 1 BNB.


[CPFC-1] null address referrer allows infinite earnings RESOLVED
[CPFI-1] total investors incorrect incrementation INFORMATIVE

CPFC-1: In HireMiner(), the investor's percentage increases to the initial interest rate, but it increases indefinitely if no referrer is set, allowing the TVL to be drained by any user. This issue was fixed by the deployer team.

CPFI-1: On deposit, the number of total investors increases by 1, but the contract does not check whether the depositor has already deposited in the past. The counter therefore reflects the number of deposits rather than the actual number of investors. Since this is only used for statistics, it is considered informative and harmless.


[CPUT-1] deposit OK
[CPUT-2] withdraw OK
[CPUT-3] compounding OK
[CPUT-4] referrals OK
[CPUT-5] interest rate OK

Unit testing was conducted to verify possible exploits, validate the logic, and ensure it aligns with the project's fundamentals. It completed successfully.


No account holds any privilege. Ownership is renounced on deployment.


Calling _msgSender() is only useful to support gasless meta-transactions, which are of no use in a smart contract like this one. If anything, it adds 22,000 gas each time it is called, which increases the gas cost significantly because it is called repeatedly in multiple functions in place of msg.sender.

Repeated direct mapping entry updates without using storage pointers significantly increase gas cost.

The msg.sender == tx.origin protection is used in most functions of the contract. While it improves the security of the contract, it effectively breaks interoperability by preventing other smart contracts from interacting with GoldDigger. This can be left as is, however, as it is still a nice security feature.

There is a loss of precision by a magnitude of 1000 because of a reversed operation order in percentage computation, on feepickaxe inside _traverseTree() and on feepickaxe in HireMiner(), and by a magnitude of 10,000,000,000 inside checkReward(). This would reduce expected earnings, so it is only a technical detail.
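The operation-order effect noted above, as an added Solidity sketch that is not GoldDigger's code: dividing before multiplying discards the remainder before the rate is applied, while multiplying first truncates only once. The contract name, function names, the per-mille denominator and the sample values are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration of operation order in integer percentage math.
/// All names and constants are hypothetical; this is not GoldDigger's code.
contract PercentOrderDemo {
    // Per-mille scale, chosen to match the "magnitude of 1000" case in the report.
    uint256 public constant DENOMINATOR = 1000;

    /// Divide first: amount / DENOMINATOR truncates, so the remainder
    /// (amount % DENOMINATOR) never contributes to the result. Any amount
    /// below DENOMINATOR yields zero regardless of the rate.
    function percentDivideFirst(uint256 amount, uint256 rate) public pure returns (uint256) {
        return (amount / DENOMINATOR) * rate;
    }

    /// Multiply first: only the final quotient truncates, so less than one
    /// unit of the result is lost. Solidity >=0.8 reverts if amount * rate
    /// overflows uint256.
    function percentMultiplyFirst(uint256 amount, uint256 rate) public pure returns (uint256) {
        return (amount * rate) / DENOMINATOR;
    }

    /// Units lost by dividing first. This equals
    /// ((amount % DENOMINATOR) * rate) / DENOMINATOR, which is always
    /// smaller than rate, so the subtraction cannot underflow.
    function truncationLoss(uint256 amount, uint256 rate) public pure returns (uint256) {
        return percentMultiplyFirst(amount, rate) - percentDivideFirst(amount, rate);
    }

    /// Constructed sample input: an amount just below DENOMINATOR with a
    /// rate of 30 per mille. Returns both results and the difference.
    function demo()
        external
        pure
        returns (uint256 divideFirst, uint256 multiplyFirst, uint256 lost)
    {
        uint256 amount = 999; // constructed value, not taken from the contract
        uint256 rate = 30;    // constructed value: 30 / 1000 = 3%
        divideFirst = percentDivideFirst(amount, rate);
        multiplyFirst = percentMultiplyFirst(amount, rate);
        lost = truncationLoss(amount, rate);
    }
}
```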

We recommend a maximum earnings accumulation cutoff and a maximum value withdrawn to improve solvency of the game theory behind the contract.