Smart contract security analysis: 88mph
Date of audit: 16.12.2020
External Smart Contract Audit: The smart contracts were audited by Quantstamp
Ownership structure: Specific for each contract (check details below)
Suspicious Functions: Not found
Contract Pause: Not possible
Funds Lock Period: None
Migration Function: Available
Minting Function: Available
Total Supply: Variable
Team Reward: 10% of the minted amount
Smart Contract Ownership
Smart contract: MPH Token
Owner: MPHMinter
Description: The following functions can be called by the owner:
• ownerMint(address account, uint256 amount)
• transferOwnership(address newOwner)
• renounceOwnership()
After the contract was deployed, 229,842 MPH tokens were minted into the MerkleDistributor contract. The mint function is available. The burn function can be invoked by token holders.
Smart contract: MPHMinter
Owner: Timelock / GnosisSafe [1]
Description: The contract holds 12.3% of MPH Token at the review time. The following functions can be called by the owner:
• renounceOwnership()
• transferOwnership(address)
• setPoolWhitelist(address, bool) allows EOA owners to add any contract to the whitelist
• setGovTreasury(address) sets the address that receives tokens minted as governance rewards
• setDevWallet(address) sets the address that receives tokens minted as team rewards. The rewards rate is defined by the MPHIssuanceModel01 contract
• setMPHTokenOwner(address) transfers ownership of the MPH Token contract to another contract
• setMPHTokenOwnerToZero() makes MPH Token fully decentralized and totally blocks the ability to mint. This could break the staking part of the project, because it makes minting of the rewards impossible
• setIssuanceModel(address) sets the address of the contract that calculates the token amount to be minted by MPHMinter
• setVesting(address). The current address is set to the Vesting contract
The following functions can be called by contracts from the onlyWhitelistedPool list:
• mintDepositorReward
• takeBackDepositorReward
• mintFunderReward
https://certificate.quantstamp.com/full/88-mph
https://etherscan.io/address/0x8888801af4d980682e47f1a9036e589479e835c5#readContract
https://etherscan.io/address/0x03577a2151a10675a9689190fe5d331ee7ff2517
https://etherscan.io/address/0x8c5ddbb0fd86b6480d81a1a5872a63812099c043#code
https://gnosis-safe.io/app/#/safes/0x56f34826Cc63151f74FA8f701E4f73C5EAae52AD/balances
Smart contract: Vesting
Owner: decentralized
Description: The contract holds 2.89% of MPH Token and is used for creating vests and withdrawing from them. A vest is a small token-lock “pool” that unlocks a small portion of tokens for withdrawal each second. User rewards from the MPHMinter contract move here. The contract allows locking MPH Token and selecting the period after which holders can fully withdraw the tokens from the contract. The vest period is calculated by MPHIssuanceModel01 in the MPHMinter contract, which creates these “vests” when users unstake tokens.
Smart contract: ClonedRewards
Owner: GnosisSafe [2]
Description: The contract holds 4.6% of MPH Token at the review time. The owners can set a rewardDistribution address that is allowed to call the notifyRewardAmount function used by the reward system. The current address is MPHMinter. The following functions can be called by the owner:
• renounceOwnership()
• transferOwnership(address)
• setRewardDistribution(address)
Smart contract: Rewards
Owner: Timelock / GnosisSafe [1]
Description: The contract holds 7.13% of MPH Token at the review time. The functions that can be called by the owner are the same as in the ClonedRewards contract.
Smart contract: MerkleDistributor
Owner: decentralized
Description: The contract received 229,842 MPH tokens at the presale stage and holds 0.7% of MPH Token at review time. It was used for the initial token distribution.
Smart contract: MPHIssuanceModel01
Owner: GnosisSafe [1]
Description: The following functions can be called by the owner:
• setDevRewardMultiplier sets the multiplier for the team rewards
• setPoolFunderRewardMultiplier
• setPoolDepositorRewardTakeBackMultiplier
• setPoolFunderRewardVestPeriod
• setPoolDepositorRewardVestPeriod
• setPoolDepositorRewardMintMultiplier
Smart contract: Timelock
Owner: GnosisSafe [1]
Description: The contract has a 48h delay and acts like a regular EOA address.
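As an added illustration (not code from the report or from the 88mph project), the Owner column above can be walked programmatically to see which owner-only functions sit behind the 48h Timelock and which a Safe can call directly. The table is transcribed as the report gives it; the variable and function names are this example's own.

```python
# Owner column as transcribed from this report.
# None = the report lists the contract as "decentralized" (no owner).
OWNER = {
    "MPH Token": "MPHMinter",
    "MPHMinter": "Timelock",
    "Rewards": "Timelock",
    "Timelock": "GnosisSafe [1]",
    "MPHIssuanceModel01": "GnosisSafe [1]",
    "ClonedRewards": "GnosisSafe [2]",
    "Vesting": None,
    "MerkleDistributor": None,
}
DELAY_HOURS = {"Timelock": 48}  # the only delay the report states
# Owner-only setters named in the report (ownership transfers left out).
OWNER_FUNCS = {
    "MPHMinter": [
        "setPoolWhitelist", "setGovTreasury", "setDevWallet", "setVesting",
        "setMPHTokenOwner", "setMPHTokenOwnerToZero", "setIssuanceModel"],
    "MPHIssuanceModel01": [
        "setDevRewardMultiplier", "setPoolFunderRewardMultiplier",
        "setPoolDepositorRewardTakeBackMultiplier",
        "setPoolFunderRewardVestPeriod", "setPoolDepositorRewardVestPeriod",
        "setPoolDepositorRewardMintMultiplier"],
    "ClonedRewards": ["setRewardDistribution"],
    "Rewards": ["setRewardDistribution"],
}

def control_path(contract):
    """Follow owners upward; return (path, root, delay_hours on the way)."""
    path, delay = [contract], 0
    while OWNER.get(path[-1]):
        owner = OWNER[path[-1]]
        if owner in path:
            raise ValueError("ownership cycle at " + owner)
        delay += DELAY_HOURS.get(owner, 0)  # delay added by passing through owner
        path.append(owner)
    return path, (path[-1] if len(path) > 1 else None), delay

def admin_surface():
    """Map each root signer set to sorted (delay_hours, contract, function)."""
    out = {}
    for contract, funcs in OWNER_FUNCS.items():
        _, root, delay = control_path(contract)
        out.setdefault(root, []).extend((delay, contract, f) for f in funcs)
    return {root: sorted(rows) for root, rows in out.items()}

if __name__ == "__main__":
    for root, rows in admin_surface().items():
        print(root, *(f"\n  {d:>2}h {c}.{f}" for d, c, f in rows))
```

The delay here is the one an owner-initiated change passes through; reward minting triggered by whitelisted pools does not go through the Timelock.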
https://etherscan.io/address/0x8943eb8f104bcf826910e7d2f4d59edfe018e0e7#code
https://etherscan.io/address/0x36ad542dadc22078511d64b98aff818abd1ac713#contracts
https://etherscan.io/address/0xd48df82a6371a9e0083fbfc0df3af641b8e21e44
https://gnosis-safe.io/app/#/safes/0xfecBad5D60725EB6fd10f8936e02fa203fd27E4b/settings
https://etherscan.io/address/0x98df8d9e56b51e4ea8aa9b57f8a5df7a044234e1#code
https://etherscan.io/address/0x4027d912a19e3cd540fb580af6a9088eac738566#code
https://etherscan.io/address/0x8c5ddbb0fd86b6480d81a1a5872a63812099c043#code
https://gnosis-safe.io/app/#/safes/0x56f34826Cc63151f74FA8f701E4f73C5EAae52AD/balances
Risk Level: LOW
Total supply:
Is variable as long as:
a) new tokens are minted when users gain rewards
b) the users can burn the tokens
Minting function:
Available
Migration function:
Available. Proxy patterns allow migration
Team reward %:
Additional 10% of the minted amount is minted and sent to the developer fund
The risk of a quick token dump initiated by the team can be estimated as 2/10
Funds lock period:
None
Lock period for rewards withdrawal:
A small portion of tokens is unlocked for withdrawal each second
The lock period is implemented in the Vesting contract
Possibility to pause the Smart Contracts:
Not available
List of suspicious functions:
Not found
[Chart: Smart Contracts. Categories rated on a 0 to 5 scale: Smart Contract Safety, Code Comments, Audits, Code Transparency, Development History]
Conclusion
88mph is a DeFi lending protocol that provides an opportunity to earn fixed interest and participate in liquidity mining.
The MPH token contract is owned by the MPHMinter contract, which allows calling the mint function after the delay imposed by the 48h timelock contract. In turn, the timelock contract is owned by the Gnosis Safe wallet with 2 EOA owners. This means the project is not fully decentralized, as it is not managed by the community in this case. However, any implementations or changes in the code of the smart contracts can be tracked, and users will be warned about them.
It is important to point out the features of the MPHIssuanceModel01 contract. This contract is used for calculating and setting team and depositor rewards. Moreover, it allows setting a period during which the rewards are gradually issued every second. Therefore, there is a lock period for the rewards withdrawal.
The total supply is variable as long as new tokens are minted when users gain rewards. There is no fund lock period defined in the smart contracts, meaning users can manage their funds immediately after staking. Moreover, there is no possibility to pause the smart contracts: users have constant access to the functionality of the smart contracts.
The risk of a quick token dump initiated by the team can be estimated as low, because the EOA owners don’t have a large share of the token distribution and can call the mint function only through the 48h timelock. However, I would recommend that users monitor the timelock with a Telegram bot like @tracktxbot.
No suspicious functions were revealed during the audit.
The risk level of the 88mph project can be estimated as low.
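One way to act on the monitoring recommendation above, as an added example rather than the report's or @tracktxbot's own code: triage queued timelock transactions against the owner functions this report lists. It assumes queue events are already decoded into records with a target, a function signature string, a queue time and an eta, as a Compound-style timelock's queue event provides; that record layout, the severity levels and the sample events are assumptions of this example.

```python
import re

MIN_DELAY = 48 * 3600  # seconds; the delay the report states for the Timelock
# Owner functions named in the report; severities are this example's choice.
WATCH = {
    "setMPHTokenOwner": ("high", "moves ownership of MPH Token"),
    "setMPHTokenOwnerToZero": ("high", "blocks all further minting"),
    "transferOwnership": ("high", "changes the contract owner"),
    "renounceOwnership": ("high", "removes the contract owner"),
    "setPoolWhitelist": ("high", "lets a contract call the mint*Reward functions"),
    "setIssuanceModel": ("medium", "replaces the mint amount calculation"),
    "setDevWallet": ("medium", "redirects team rewards"),
    "setGovTreasury": ("medium", "redirects governance rewards"),
    "setVesting": ("medium", "replaces the Vesting contract address"),
    "setRewardDistribution": ("medium", "changes who may call notifyRewardAmount"),
}
SIG = re.compile(r"^([A-Za-z_]\w*)\(.*\)$")

def triage(ev):
    """Classify one decoded queue event; returns (severity, message)."""
    m = SIG.match(ev.get("signature", ""))
    if not m:  # call encoded only in calldata, nothing readable to match on
        return ("review", "no readable signature, decode the calldata by hand")
    name = m.group(1)
    hours = (ev["eta"] - ev["queued_at"]) // 3600
    if ev["eta"] - ev["queued_at"] < MIN_DELAY:  # delay changed, or wrong feed
        return ("high", f"{name}: executes after {hours}h, under the 48h delay")
    sev, why = WATCH.get(name, ("info", "not an owner function listed in the report"))
    return (sev, f"{name} on {ev['target']}: {why}; eta {hours}h after queueing")

# Constructed sample events (not real chain data).
SAMPLE = [
    {"target": "MPHMinter", "signature": "setDevWallet(address)",
     "queued_at": 1_608_000_000, "eta": 1_608_000_000 + 48 * 3600},
    {"target": "MPHMinter", "signature": "setMPHTokenOwner(address)",
     "queued_at": 1_608_000_000, "eta": 1_608_000_000 + 49 * 3600},
    {"target": "Rewards", "signature": "",
     "queued_at": 1_608_000_000, "eta": 1_608_000_000 + 48 * 3600},
    {"target": "MPHMinter", "signature": "setPoolWhitelist(address,bool)",
     "queued_at": 1_608_000_000, "eta": 1_608_000_000 + 3600},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(*triage(ev))
```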
This analysis is not financial advice
Conduct your own research before investing