Audit Report

BNB ALL STARS

  • Security Score: 9/10
  • Tags: ROI, yield farm
  • Address: 0x229EB38D9F66ed6E5AefC89c57Ceea8DdA07aE25
  • Blockchain: BNB Smart Chain
  • Website: https://bnb-allstars.com

EXECUTIVE SUMMARY

BNB All Stars is a ROI dApp where new investors pay out rewards to old investors. If new deposits stop, daily interest rewards may no longer be paid out.

The base daily interest rate is 1.5% but can be higher by utilizing the referral system. Referrals pay rewards up to 3 levels of upline referrers plus the direct referrer.

It's recommended that users review this report in its entirety and the whitepaper of the project to fully understand the application's fundamentals and risks.

This type of application is fundamentally a form of gambling, so users should research thoroughly before participating.

Whitepaper: whitepaper

The source code lacks gas optimization, but the deployer team has improved this aspect following our suggestions. Additionally, the security flaws that were identified have been fixed by the deployer team.

SCOPE

  1. The audit focuses on the smart contract deployed on BNB Smart Chain, which is the sole smart contract associated with this project.
  2. The audit does not cover any off-chain components or systems associated with the contract.
  3. The audit does not cover any user interfaces or user experience associated with the contract.
  4. The audit does not cover any legal or regulatory compliance of the contract.

FUNDAMENTALS

Users deposit funds into the smart contract and accumulate daily interest up to a maximum return of 365% on their invested amount. However, the maximum total payout per account is capped at either 200 BNB or 365% of the deposited amount.

There is a referral structure that rewards existing users for bringing in new participants. Referrers must either be the projectManager address or an address that has already deposited funds into the contract.

Each account can join up to 6 teams. By joining multiple teams, users can earn additional interest based on the team balances. This incentive encourages users to participate in multiple referral teams for higher returns.

Withdrawals and compounding interest are restricted to once every 24 hours per account. Additionally, if the mandatory reinvestment feature is enabled, three compounding cycles must occur before an account is allowed to make a withdrawal. After a withdrawal happens, three more reinvest cycles are required before the next withdrawal is allowed.

Users can airdrop BNB directly to another user's account. This transfers BNB from the sender to the recipient.

Users also have the option to airdrop BNB to an entire team. The airdropped amount gets divided evenly between team members. The sender can choose to exclude the team owner from receiving a share if desired.

This airdrop functionality enables users to transfer funds to other accounts or distribute them to a team as a form of bonus or gift. The even split between team members makes it easy to reward an entire group.

Daily interest rate: 1.5%.

Currency: BNB.

Referral rewards:

  • direct referral: 5% on deposits,
  • downline referrals: total of 30% or 20% based on interest rate payouts:
    • n = 1: 5% (modifiable to 10% by projectManager, can't modify it again afterwards),
    • n = 2: 5% (modifiable to 10% by projectManager, can't modify it again afterwards),
    • n = 3: 5% (modifiable to 10% by projectManager, can't modify it again afterwards).

Fees (on deposit & withdrawal): 10%:

  • project: 1% (to projectManager),
  • marketing: 9% (split among multiple accounts).

Withdrawal fees (on top of base fees): up to 50%:

  • 0% if payout is smaller than 1% of TVL,
  • 5% if payout is greater than 1% of TVL,
  • 10% if payout is greater than 2% of TVL,
  • 15% if payout is greater than 3% of TVL,
  • 20% if payout is greater than 4% of TVL,
  • 25% if payout is greater than 5% of TVL,
  • 30% if payout is greater than 6% of TVL,
  • 35% if payout is greater than 7% of TVL,
  • 40% if payout is greater than 8% of TVL,
  • 45% if payout is greater than 9% of TVL,
  • 50% if payout is greater than 10% of TVL,
  • this fee only changes the payout to the investor, not the amount the other fees (the 10% mentioned earlier) are based on, and thus remains in the contract.
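
The surcharge schedule above, modelled as an added example (not the contract's code, which is not shown on this page). It assumes integer wei amounts, TVL read as the contract balance before the withdrawal, and strict "greater than" at each threshold; the base 10% fee is left out and all function names are hypothetical.

```python
# Added example, not the contract's code. Assumptions: integer wei amounts,
# TVL = contract balance before the withdrawal, strict "greater than" tiers.
WEI = 10**18
MAX_TIER = 10       # above 10% of TVL the surcharge stays at 50%
STEP_PERCENT = 5    # each 1%-of-TVL threshold crossed adds 5 points


def surcharge_percent(payout: int, tvl: int) -> int:
    """Surcharge (in percent) for a gross payout against the current TVL."""
    if payout <= 0 or tvl <= 0:
        raise ValueError("payout and tvl must be positive")
    # Number of thresholds n with payout * 100 > n * tvl, without floats.
    crossed = (payout * 100 - 1) // tvl
    return min(crossed, MAX_TIER) * STEP_PERCENT


def split_withdrawal(payout: int, tvl: int) -> tuple[int, int]:
    """Return (payout after surcharge, amount retained in the contract)."""
    retained = payout * surcharge_percent(payout, tvl) // 100
    return payout - retained, retained


def tier_cliffs(tvl: int) -> list[tuple[int, int, int]]:
    """Per threshold n: (n, net at exactly n% of TVL, net one wei above)."""
    rows = []
    for n in range(1, MAX_TIER + 1):
        at = tvl * n // 100
        rows.append((n, split_withdrawal(at, tvl)[0],
                     split_withdrawal(at + 1, tvl)[0]))
    return rows


if __name__ == "__main__":
    tvl = 1000 * WEI  # constructed sample TVL
    for n, net_at, net_over in tier_cliffs(tvl):
        print(f"{n:>2}% of TVL: net {net_at / WEI:.2f} BNB, "
              f"one wei more: net {net_over / WEI:.2f} BNB")
```

Because the surcharge applies to the whole payout, the net amount drops at every threshold: under these assumptions a request one wei above 1% of a 1000 BNB TVL nets about 9.5 BNB instead of 10.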

FINDINGS

INTERACTION                                       SEVERITY
[CPFI-1] denial of service on referral teams      INFORMATIONAL

CPFI-1: While the contract's team structure could theoretically enable a denial of service attack by rapidly joining teams to fill block gas limits, the financial cost of such an attack is prohibitive. Joining a team requires a minimum deposit amount, making it economically infeasible for an attacker to create enough teams to meaningfully impact gas usage or disrupt the network. Given the financial barriers involved, the risk of a denial of service through team member spam is minimal and not a material concern.

Other issues were identified and fixed by the deployer team.

UNIT TESTS

INTERACTION                                                     RESULT
[CPUT-1] deployment                                             OK
[CPUT-2] basic interactions (deposits / compound / reinvest)    OK
[CPUT-3] mandatory compounds                                    OK
[CPUT-4] min/max deposits                                       OK
[CPUT-5] 5x max reinvest                                        OK
[CPUT-6] referral / upline / downline                           OK
[CPUT-7] fees on deposits & withdrawal                          OK
[CPUT-8] standard investment strategy                           OK

Unit testing was conducted to verify the proper execution of the smart contract and its functions. The tests simulated usage scenarios and interactions with the contract by comparing the expected theoretical output to the actual returns from executing the code, and were all executed successfully.

PRIVILEGES

  1. projectManager
  • Is the first depositor.
  • Can enable or disable the airdrop feature.
  • Can set downline referral payout (only once) to 10%, 10%, and 10% of interest payouts.
  • Can enable or disable mandatory reinvests to withdraw.

RECOMMENDATIONS

Significant gas savings could be achieved by refactoring inefficient O(n) algorithms that are overused throughout the code. Defining static array sizes where possible, such as for the marketingWallet array, would also reduce gas costs. Storing related data, like marketingBasis and marketingWallet, in a single array of structs rather than separate arrays is a more efficient data structure.

Addressing these multiple areas for improvement provides an opportunity to demonstrate strong capabilities in optimized, production-quality smart contract development. Doing so will enhance gas efficiency, code clarity, and overall quality.

The deployer team has improved the optimization of the smart contract following our suggestions.