Muhdo Hub logo

Muhdo Hub

Audit name:

[SCA] Muhdo Hub / DNA-Token / Dec2024

Date:

Jan 2, 2025

Table of Content

Introduction

Audit Summary

System Overview

Potential Risks

Findings

Appendix 1. Definitions

Appendix 2. Scope

Appendix 3. Additional Valuables

Disclaimer

Introduction

We express our gratitude to the Muhdo Hub team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Muhdo is AI-driven health ecosystem empowers you to stake, earn, and access tailored wellness products based on your unique genetic makeup.

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for Muhdo Hub
    Audited By
    Seher Saylik
    Approved By
    Ataberk Yavuzer
    Website
    https://www.muhdohub.com/
    Changelog
    18/12/2024 - Preliminary Report
    Changelog
    02/01/2025 - Final Report
    Platform
    Ethereum
    Language
    Solidity
    Tags
    ERC-20,  Exchange-Based Tokens, Liquidity
    Methodology
    https://hackenio.cc/sc_methodology

Audit Summary

13Total Findings
5Resolved
8Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are not provided.

  • Technical description is not provided.

Code quality

  • The code contains some gas-inefficient usages.

  • The development environment is not configured.

Test coverage

Code coverage of the project is 0% (branch coverage) as no tests were provided.

System Overview

Mundi Hub is an ERC20 token contract with the following contracts:

muhdo-token  — DNA contract that is a custom  ERC20 implementation that provides a token named "Muhdo Hub" with the symbol "DNA". It includes standard ERC20 functionalities alongside additional features for liquidity management, transaction taxes, and trading restrictions.

  1. Transaction Tax Mechanism:

    • A buy tax and sell tax, both initially set to 5%, are applied to transactions involving the Uniswap pair:

      • Buy tax: Applies when tokens are bought via the Uniswap pool.

      • Sell tax: Applies when tokens are sold back to the Uniswap pool.

    • Tax proceeds are stored in the contract itself and can be swapped for ETH via the function swapTokensForEth.

  3. Liquidity Management:

    • Liquidity Addition: The owner can enable trading by calling enableTrading, which:

      • Sets up the Uniswap pair for the token and WETH.

      • Adds liquidity to the Uniswap pool using the owner’s tokens and ETH provided in the transaction.

    • Liquidity Removal: The owner can remove ETH from the contract using removeETH.

  5. Trading Restrictions:

    • Includes limits on transactions and wallet balances:

      • _maxTxn: Limits the maximum amount that can be transferred in a single transaction (1% of the total supply initially).

      • _maxWallet: Limits the maximum token balance a wallet can hold (1% of the total supply initially).

Privileged roles

  • The owner of the muhdo-token  contract can:

    • remove the _maxTxn and _maxWallet limits

    • update excluded addresses

    • reduce the taxes

    • enable trading

    • renounce ownership

    • transfer ownership

Potential Risks

This contract is restricted to the Ethereum network due to the hardcoded address of the UniswapV2Router02, limiting its functionality on other EVM-compatible chains.

If renounceOwnership() is called accidentally, the contract will become ownerless. This creates a significant risk as the contract would no longer have any administrative oversight.

Findings

Code
Title
Status
Severity
F-2024-7781
Hardcoded Slippage Values(0) in Uniswap Swap Functions
Accepted

Medium
F-2024-7784
Use Of transfer or send Instead Of call To Send Native Assets
Fixed

Low
F-2024-7782
Interactions With AMMs Do Not Use Deadlines For Operations
Accepted

Low
F-2024-7797
Replace Ownable with Ownable2Step for Safer Ownership Transfers
Accepted

Observation
F-2024-7788
Custom Errors in Solidity for Gas Efficiency
Accepted

Observation
F-2024-7785
Use increaseAllowance()/decreaseAllowance() Instead Of approve()/safeApprove()
Accepted

Observation
F-2024-7796
Typographical Errors in Function and Event Names
Fixed

Observation
F-2024-7791
Public Functions Not Called Internally Should Be Declared External
Fixed

Observation
F-2024-7790
Unneeded Initializations Of Integer Variable To 0.
Accepted

Observation
F-2024-7789
Unnecessary Initialization of Boolean Variables to false
Fixed

Observation
1-10 of 13 findings

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

  • Scope Details

    Repository
    https://github.com/muhdo-hub/dna-token
    Commit
    ca4417047eb7b5b2f08b4d1ccf7d51237ffeba60, Retest: 8f1b1190d4bed392c04a7244a686b5faef271dc7
    Deployed address
    0x7d3e4165fd7d8590fb2a415a550f7bdece5c4f52 (Ethereum Mainnet)
    Whitepaper
    N/A
    Requirements
    N/A
    Technical Requirements
    N/A

Assets in Scope

muhdo-token.sol - muhdo-token.sol

Appendix 3. Additional Valuables

Verification of System Invariants

During the audit of Muhdo Hub, Hacken followed its methodology by performing fuzz-testing on the project's main functions. Foundry , a tool used for fuzz-testing, was employed to check how the protocol behaves under various inputs. Due to the complex and dynamic interactions within the protocol, unexpected edge cases might arise. Therefore, it was important to use fuzz-testing to ensure that several system invariants hold true in all situations.

Fuzz-testing allows the input of many random data points into the system, helping to identify issues that regular testing might miss. A specific Echidna fuzzing suite was prepared for this task, and throughout the assessment, 3 invariants were tested over 50,000 runs. This thorough testing ensured that the system works correctly even with unexpected or unusual inputs.

  • Invariant

    Total supply should not change when multiple transfers executed

    Test Result

    Passed

    Run Count

    50k

    Invariant

    Maximum buy limit should not be exceeded

    Test Result

    Passed

    Run Count

    50k

    Invariant

    Maximum wallet amount should not be exceeded

    Test Result

    Passed

    Run Count

    50k

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Disclaimer