Mocktail Finance

MOKToken
Security Assessment

April 27th, 2021

Audited By:
Angelos Apostolidis @ CertiK
angelos.apostolidis@certik.org
Reviewed By:
Alex Papageorgiou @ CertiK
alex.papageorgiou@certik.org
Disclaimer

CertiK reports are not, nor should be considered, an "endorsement" or "disapproval" of any
particular project or team. These reports are not, nor should be considered, an indication of
the economics or value of any "product" or "asset" created by any team or project that
contracts CertiK to perform a security review.

CertiK Reports do not provide any warranty or guarantee regarding the absolute bug-free
nature of the technology analyzed, nor do they provide any indication of the technologies
proprietors, business, business model or legal compliance.

CertiK Reports should not be used in any way to make decisions around investment or
involvement with any particular project. These reports in no way provide investment advice,
nor should be leveraged as investment advice of any sort.

CertiK Reports represent an extensive auditing process intending to help our customers
increase the quality of their code while reducing the high level of risk presented by
cryptographic tokens and blockchain technology.

Blockchain technology and cryptographic assets present a high level of ongoing risk.
CertiK's position is that each company and individual are responsible for their own due
diligence and continuous security. CertiK's goal is to help reduce the attack vectors and the
high level of variance associated with utilizing new and consistently changing technologies,
and in no way claims any guarantee of security or functionality of the technology we agree
to analyze.

What is a CertiK report?

A document describing in detail an in-depth analysis of a particular piece(s) of source code provided to CertiK by a Client.

An organized collection of testing results, analysis and inferences made about the structure, implementation and overall best practices of a particular piece of source code.

Representation that a Client of CertiK has completed a round of auditing with the intention to increase the quality of the company/product's IT infrastructure and/or source code.
Overview

Project Summary

Project Name: Mocktail Finance - MOKToken

Description: A typical BEP-20 implementation with enhanced features.

Platform: Ethereum, Binance Smart Chain; Solidity, Yul

Codebase: GitHub Repository

Commits: 1. 2ddd824c238849f02dd7867e24d4dad5db1bd1e0

Audit Summary

Delivery Date: April 27th, 2021

Method of Audit: Static Analysis, Manual Review

Consultants Engaged: 2

Timeline: March 30th, 2021 - April 27th, 2021

Vulnerability Summary

Total Issues: 4

Total Critical: 0

Total Major: 0

Total Medium: 0

Total Minor: 1

Total Informational: 3
Executive Summary

CertiK was tasked with auditing the codebase of the Mocktail Finance MOKToken smart
contract, deployed live at 0x23A1c4025Aa5Dc7f876530bEb76346b99d50C3AA.

After our engagement, the Mocktail Finance team opted to re-deploy the MOKToken smart
contract at 0xca69c118fa550387794d48900a866891217e5c9f.

The MOKToken contract is based on a known smart contract, hence inheriting all the
vulnerabilities of the original.

Our findings mainly refer to optimizations and Solidity coding standards. Hence, the issues
identified pose no threat to the contract's safety.
System Analysis

The contract owner can arbitrarily burn tokens from any address while also having the
ability to mint any amount to a specific address, increasing the system centralization.
Files In Scope

| ID | Contract | Location |
| --- | --- | --- |
| MTN | MokToken.sol | MokToken.sol |


File Dependency Graph

Finding Summary

Chart of findings by severity: Minor 25%, Informational 75%.
Manual Review Findings

| ID | Title | Type | Severity | Resolved |
| --- | --- | --- | --- | --- |
| MTN-01M | Partial `burn` Functionality | Volatile Code | Minor | |
| MTN-02M | Contract Layout | Coding Style | Informational | |
| MTN-03M | Ambiguous State Variable | Volatile Code | Informational | |
Static Analysis Findings

| ID | Title | Type | Severity | Resolved |
| --- | --- | --- | --- | --- |
| MTN-01S | State Variable Naming | Coding Style | Informational | |
MTN-01M: Partial burn Functionality

Type: Volatile Code
Severity: Minor
Location: MOKToken.sol L681-L683

Description:

The burn() function does not handle the delegates correctly.

Recommendation:

We advise extending the burning mechanism so that it also moves the delegates of the burned amount to the zero address.

Alleviation:

The development team opted to consider our references and extended the burn()
functionality as proposed.
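To illustrate the MTN-01M pattern and the recommended fix, the following is an added example and not the MOKToken source. It assumes a Compound-style vote-delegation scheme (a `delegates` mapping plus a `_moveDelegates` helper, simplified here without checkpoints), in which a burn that shrinks a balance without moving delegates leaves the delegate holding votes backed by tokens that no longer exist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal token with vote delegation (constructed for this example).
contract DelegatedBurnExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => address) public delegates;
    mapping(address => uint256) public votes; // simplified: no checkpoints
    uint256 public totalSupply;
    address public owner;

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        balanceOf[owner] = initialSupply;
        totalSupply = initialSupply;
    }

    // Holder assigns its voting power to `to`; votes follow the balance.
    function delegate(address to) external {
        address from = delegates[msg.sender];
        delegates[msg.sender] = to;
        _moveDelegates(from, to, balanceOf[msg.sender]);
    }

    // Incomplete shape: balance and supply shrink, delegated votes do not,
    // so `votes[delegates[account]]` stays inflated after the burn.
    function burnWithoutDelegateUpdate(address account, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[account] -= amount; // reverts on underflow in Solidity 0.8
        totalSupply -= amount;
    }

    // Corrected shape (the recommendation): move the burned amount's votes
    // from the account's delegate to the zero address.
    function burn(address account, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[account] -= amount;
        totalSupply -= amount;
        _moveDelegates(delegates[account], address(0), amount);
    }

    // Transfers `amount` of voting power between delegates; address(0) means "none".
    function _moveDelegates(address from, address to, uint256 amount) internal {
        if (from == to || amount == 0) return;
        if (from != address(0)) votes[from] -= amount;
        if (to != address(0)) votes[to] += amount;
    }
}
```

A quick check after a burn is that the sum of `votes` over all delegates never exceeds `totalSupply`; the incomplete variant breaks that invariant, the corrected one keeps it.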
MTN-02M: Contract Layout

Type: Coding Style
Severity: Informational
Location: MOKToken.sol L675-L865

Description:

The MOKToken contract layout does not conform with the Solidity order of layout
conventions.

Recommendation:

We advise following the Solidity conventions and changing the contract layout accordingly.

Alleviation:

The development team opted to consider our references and changed the contract layout,
closely following the Solidity conventions.
MTN-03M: Ambiguous State Variable

Type: Volatile Code
Severity: Informational
Location: MOKToken.sol L690

Description:

The _alloc state variable is initialized upon construction and is not used afterwards.

Recommendation:

We advise adding descriptive documentation, in the form of in-line comments, about the
purpose of the linked variable.

Alleviation:

The development team opted to consider our references and removed the redundant state
variable.
MTN-01S: State Variable Naming

Type: Coding Style
Severity: Informational
Location: MOKToken.sol L690

Description:

The _alloc state variable does not conform with the Solidity naming conventions.

Recommendation:

We advise following the Solidity conventions and removing the underscore (_) prefix from a
public variable.

Alleviation:

The development team acknowledged this exhibit, but opted to remove the redundant
state variable.
Appendix

Finding Categories

Volatile Code

Volatile Code findings refer to segments of code that behave unexpectedly on certain edge
cases that may result in a vulnerability.

Coding Style

Coding Style findings usually do not affect the generated byte-code and comment on how
to make the codebase more legible and as a result easily maintainable.
