Smart contract security analysis88mph

1

Date of audit: 16.12.2020

Quantstamp

External Smart Contract Audit:

The smart contracts were audited by

Ownership structure:

Not found

Suspicious

Functions

Not possible

Contract

Pause

None

Funds Lock

Period

Available

Migration

Function

Available

Minting

Function

Variable

Total

Supply

10% of the minted amount

Team

Reward

(check details below)

Specific for

each contract

Smart

Contract

Ownership

MPH Token MPHMinter•••

MerkleDistributor

The following functions can be called by the owner:

ownerMint(address account, uint256 amount)

transferOwnership(address newOwner)

renounceOwnership()

After the contract deploy, 229,842 MPH tokens were minted into the contract. The mint function is available. The burn function can be

invoked by token holders.

MPHMinter Timelock /

GnosisSafe [1]

•••

•

•

•

•

The contract holds 12.3% of MPH Token at the review time. The following functions can be called by the owner:

renounceOwnership()

transferOwnership(address)

setPoolWhitelist(address, bool) allows EOA owners to add any contract to the

white list

setGovTreasury(address) is applied for receiving tokens minted as governance

rewards

setDevWallet(address) is applied for receiving tokens minted as team rewards.

The rewards rate is defined by the MPHIssuanceModel01 contract

setMPHTokenOwner(address) transfers ownership of the MPH Token contract

to another contract

setMPHTokenOwnerToZero() makes MPH Token fully decentralized and totally

blocks the ability to mint. This could break the staking part of the project, because

it makes minting of the rewards impossible

Smart contract Owner Description

https://certificate.quantstamp.com/full/88-mphhttps://etherscan.io/address/0x8888801af4d980682e47f1a9036e589479e835c5#readContracthttps://etherscan.io/address/0x03577a2151a10675a9689190fe5d331ee7ff2517https://etherscan.io/address/0x8c5ddbb0fd86b6480d81a1a5872a63812099c043#codehttps://etherscan.io/address/0x03577a2151a10675a9689190fe5d331ee7ff2517https://gnosis-safe.io/app/#/safes/0x56f34826Cc63151f74FA8f701E4f73C5EAae52AD/balanceshttps://gnosis-safe.io/app/#/safes/0x56f34826Cc63151f74FA8f701E4f73C5EAae52AD/balances

2Smart contract security analysis

88mph

Vesting

setIssuanceModel(address) sets an address that will calculate the token

amount that will be minted by MPHMinter.

setVesting(address). The current address is set to the contract

The following functions can be called by contracts from the onlyWhitelistedPool list:

mintDepositorReward

takeBackDepositorReward

mintFunderReward

•

•

•••

Vesting decentralized

MPHIssuanceModel01

The contract holds 2.89% of MPH Token and is used for creating vests and withdrawing them. The vest is a little token lock “pool” that unlocks a little portion of tokens to withdraw them each second. User rewards from the MPH Minter contract move here The contract allows to lock the MPH Token and select the period when holders could fully withdraw the token from the contract. The vest period is calculated by in the MPH Minter contract that creates these “vests” when users unstake tokens.

ClonedRewards GnosisSafe [2]

•••

The contract holds 4.6% of MPH Token at the review time.

The owners could install a rewardDistribution address that could call the notifyRewardAmount function used for the reward system. The current address is MPH Minter. The following functions can be called by the owner:

renounceOwnership()

transferOwnership(address)

setRewardDistribution(address)

Rewards Timelock /

GnosisSafe [1]

The contract holds 7.13% of MPH Token at the review time. Functions that can be called by the owner are the same as in the Clone Reward contract.

MerkleDistributor decentralized The contract received 229 842 at the presale stage and holds 0.7% of MPH Token at review time. It was used for the initial token distribution.

MPHIssuanceModel01 GnosisSafe [1]••••••

The following functions can be called by the owner:

setDevRewardMultiplier installs multiplier for the team rewards

setPoolFunderRewardMultiplier

setPoolDepositorRewardTakeBackMultiplier

setPoolFunderRewardVestPeriod

setPoolDepositorRewardVestPeriod

setPoolDepositorRewardMintMultiplier

Timelock GnosisSafe [1] The contract has a 48h delay and acts like a regular EOA address.

https://etherscan.io/address/0x8943eb8f104bcf826910e7d2f4d59edfe018e0e7#codehttps://etherscan.io/address/0x8943eb8f104bcf826910e7d2f4d59edfe018e0e7#codehttps://etherscan.io/address/0x36ad542dadc22078511d64b98aff818abd1ac713#contractshttps://etherscan.io/address/0xd48df82a6371a9e0083fbfc0df3af641b8e21e44https://gnosis-safe.io/app/#/safes/0xfecBad5D60725EB6fd10f8936e02fa203fd27E4b/settingshttps://etherscan.io/address/0x98df8d9e56b51e4ea8aa9b57f8a5df7a044234e1#codehttps://etherscan.io/address/0x4027d912a19e3cd540fb580af6a9088eac738566#codehttps://etherscan.io/address/0x4027d912a19e3cd540fb580af6a9088eac738566#codehttps://etherscan.io/address/0x8c5ddbb0fd86b6480d81a1a5872a63812099c043#codehttps://etherscan.io/address/0x36ad542dadc22078511d64b98aff818abd1ac713#contractshttps://gnosis-safe.io/app/#/safes/0x56f34826Cc63151f74FA8f701E4f73C5EAae52AD/balanceshttps://etherscan.io/address/0x4027d912a19e3cd540fb580af6a9088eac738566#codehttps://gnosis-safe.io/app/#/safes/0x56f34826Cc63151f74FA8f701E4f73C5EAae52AD/balances

3Smart contract security analysis

88mph

LOW

Total supply:

Is variable as long as:

a) new tokens are minted when users gain rewards

b) the users can burn the tokens

Minting function:

Available

Migration function:

Available. Proxy patterns allow making migration

Team reward %:

Additional 10% of the minted amount is minted and sent to the developer fund

The risk of a quick token dump initiated by the team can be estimated as 2/10

Funds lock period:

None

Lock period for rewards withdrawal:

Unlocking a little portion of tokens to withdraw them each second

The lock period is implemented in the Vesting contract

Possibility to pause the Smart Contracts:

Not available

List of suspicious functions:

Not found

Risk Level

4Smart contract security analysis

88mph

Smart Contracts

Smart Contract

Safety

Code Comments

Audits

Code

Transparency

Development

History

0 1 2 3 4 5

5Smart contract security analysis

88mph

Conclusion

88mph is a DeFi lending protocol, which provides an opportunity to earn fixed interests and participate in

liquidity mining.

The MPH token contract is owned by the MPH minter contract that allows calling a mint function after implementation of the 48h timelock contract. In turn, the timelock contract is owned by the Gnosis Safe

wallet with 2 EOA owners. This fact doesn’t make the project fully decentralized as it isn’t managed by the community in this case. However, any implementations or changes in the code of the smart contracts could

be tracked and users will be warned about them.

It’s important to point out features of the MPHIssuanceModel01 contract. This contract is used for calculating and setting team and depositor rewards. Moreover, it allows setting a period during which the rewards will be

gradually issued every second. Therefore, there is a lock period for the rewards withdrawal.

The total supply is variable as long as new tokens are minted when users gain rewards. There is no fund lock period defined in the smart contracts, meaning users can manage their funds immediately after the staking.

Moreover, there is no possibility to pause the smart contracts: users have constant access to the functionality of the smart contracts.

The risk of a quick token dump, initiated by the team, can be estimated as low, because the EOA owners don’t

have a large share of the token distribution and can call the mint function only through the 48h timelock. But I would recommend users to monitor the timelock with a Telegram bot like @tracktxbot.

No suspicious functions were revealed during the auditing.

The risk level of the 88mph project can be estimated as low.

This analysis is not a financial advice

Conduct your own research before investing

Track updates of yield farming platforms