| Field | Value |
|---|---|
| Audit Firm | Mefai Security Research |
| Report Date | 2026-03-25 |
| Contract Address | 0xc269d59a0d608ea0bd672f2f4616c372d8554444 |
| Chain | BNB Smart Chain (BSC) |
| Language | Solidity |
| Audit Type | Smart Contract + Token |
| Deployment | Four.Meme Launchpad |
| Mefai Security Score | 91/100 |
| Overall Risk | LOW |
This report represents a point-in-time security assessment conducted by Mefai Security Research. The findings and recommendations contained herein are based on the information available and the state of the codebase at the time of the audit. This report does not constitute a guarantee that the audited system is free of vulnerabilities or defects. No part of this report should be considered as investment advice, an endorsement, or a recommendation regarding the security of any project, token, or protocol.
Mefai Security Research assumes no liability for any losses, damages, or adverse consequences resulting from the use of or reliance on this report. The responsibility for implementing fixes and maintaining security lies solely with the project team.
| Field | Value |
|---|---|
| Token Name | ClipX |
| Token Symbol | ClipX |
| Decimals | 18 |
| Total Supply | 1,000,000,000 (fixed) |
| Verified Source | Yes (BscScan) |
| Proxy | No - not upgradeable |
| Ownership | RENOUNCED - verified on-chain (owner() = 0x0000000000000000000000000000000000000000) |
| Deployment | Four.Meme Launchpad (standard factory init() pattern) |
| Contract BNB Balance | 0 BNB |
| Contract Token Balance | ~823 ClipX |
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 2 |
| Informational | 5 |
The contract demonstrates strong security practices. Ownership is renounced, LP tokens are 100% burned, no minting capability exists, and the contract is not upgradeable. All admin-gated functions are permanently disabled.
The contract was deployed via the Four.Meme launchpad, which uses a standard factory pattern with an init(string,string,uint256) initializer. This is the standard deployment method for all Four.Meme tokens - the factory deploys identical, audited bytecode for every token launched through the platform.
- Fixed supply: 1 billion tokens minted during
init(). No mint function exists - supply can never increase. - Ownership: RENOUNCED (verified on-chain via
owner()returning zero address). No admin functions can be called. - No proxy: Contract is not upgradeable. EIP-1967 and EIP-1822 proxy slots are empty. Code is permanent.
- Standard Four.Meme contract: Uses the platform's audited ERC20 + Ownable base with transfer mode system (standard for the launchpad).
| Function | Selector | Type |
|---|---|---|
name() |
0x06fdde03 |
Standard ERC20 |
symbol() |
0x95d89b41 |
Standard ERC20 |
decimals() |
0x313ce567 |
Standard ERC20 |
totalSupply() |
0x18160ddd |
Standard ERC20 |
balanceOf(address) |
0x70a08231 |
Standard ERC20 |
transfer(address,uint256) |
0xa9059cbb |
Standard ERC20 |
transferFrom(address,address,uint256) |
0x23b872dd |
Standard ERC20 |
approve(address,uint256) |
0x095ea7b3 |
Standard ERC20 |
allowance(address,address) |
0xdd62ed3e |
Standard ERC20 |
increaseAllowance(address,uint256) |
0x39509351 |
Standard ERC20 |
decreaseAllowance(address,uint256) |
0xa457c2d7 |
Standard ERC20 |
owner() |
0x8da5cb5b |
Ownable |
renounceOwnership() |
0x715018a6 |
Ownable |
transferOwnership(address) |
0xf2fde38b |
Ownable |
init(string,string,uint256) |
0x2eabc917 |
Four.Meme Initializer |
_mode() |
0xc5c03af3 |
Four.Meme Transfer Mode |
setMode(uint256) |
0xd72dd3b4 |
Four.Meme Mode Setter (onlyOwner) |
MODE_NORMAL() |
0x3af3d783 |
Constant - Returns 0 |
MODE_TRANSFER_RESTRICTED() |
0x1c8fc2c0 |
Constant - Returns 1 |
MODE_TRANSFER_CONTROLLED() |
0x32be6330 |
Constant - Returns 2 |
| Check | Status | Details |
|---|---|---|
| Ownership | SAFE | Renounced - owner() returns zero address. All onlyOwner functions permanently disabled. |
| Minting | SAFE | No mint function. Fixed 1B supply forever. init() is locked (onlyOwner = zero address + initialized flag). |
| Proxy/Upgrade | SAFE | No proxy pattern. EIP-1967 and EIP-1822 slots empty. Contract code is permanent. |
| Reentrancy | SAFE | Standard ERC20 implementation, no external calls before state changes. |
| Overflow/Underflow | SAFE | Solidity 0.8.x built-in protection. |
| Centralization | SAFE | Ownership renounced - no admin can modify anything. |
| LP Security | SAFE | All LP tokens burned to dead address. Liquidity is permanently locked. |
| Source Verification | SAFE | Verified on BscScan. |
| Attribute | Value |
|---|---|
| Severity | Low |
| Type | DeFi Integration |
| Status | By Design |
Description:
Some DeFi protocols that don't handle fee-on-transfer tokens may experience accounting discrepancies. Users should set appropriate slippage on DEX swaps. This is a known characteristic of the Four.Meme token standard - not a vulnerability.
| Attribute | Value |
|---|---|
| Severity | Low |
| Type | Transparency / Metadata |
| Status | Open |
Description:
The token does not have a logo/icon registered on BscScan, and BscScan token profile information (website, social links, description) is not filled in. While this has no security impact, it reduces visibility and trust for users verifying the token through block explorers.
Recommendation:
Submit a token information update request to BscScan to add a logo, website, and social media links.
| Attribute | Value |
|---|---|
| Severity | Informational |
| Type | Positive Security Feature |
| Status | Verified On-Chain |
Description:
owner() returns 0x0000000000000000000000000000000000000000. All onlyOwner functions are permanently disabled including setMode(), init(), and transferOwnership(). No admin actions are possible.
| Attribute | Value |
|---|---|
| Severity | Informational |
| Type | Positive Security Feature |
| Status | Verified On-Chain |
Description:
PancakeSwap V2 pair: 0x19Ae1813d020302E624Bd4a02703e0241264baF8
| Metric | Value |
|---|---|
| LP Total Supply | ~59,397 |
| LP at Dead Address | ~59,397 (100%) |
| Reserve (WBNB) | ~103.92 WBNB |
| Reserve (ClipX) | ~53,206,511 ClipX |
All LP tokens have been sent to the dead address (0x...dEaD), making the liquidity permanently locked. This eliminates the rug-pull vector of LP removal.
| Attribute | Value |
|---|---|
| Severity | Informational |
| Type | Positive Security Feature |
| Status | Verified On-Chain |
Description:
EIP-1967 implementation slot and EIP-1822 UUPS slot are both empty (zero). The contract is not upgradeable. Deployed bytecode is permanent.
| Attribute | Value |
|---|---|
| Severity | Informational |
| Type | Positive Security Feature |
| Status | Verified On-Chain |
Description:
No mint() function exists in the contract. The init() initializer (which minted the initial supply) is permanently locked behind onlyOwner and an initialization flag. Total supply is fixed at 1,000,000,000 ClipX forever.
| Attribute | Value |
|---|---|
| Severity | Informational |
| Type | Positive Security Feature |
| Status | Verified On-Chain |
Description:
The Four.Meme standard transfer mode system is permanently set to MODE_NORMAL (0). The setMode() function requires onlyOwner, and ownership is renounced. No transfer restrictions can ever be applied.
| Category | Status | Notes |
|---|---|---|
| Reentrancy | SAFE | Standard ERC20, no external calls before state changes |
| Integer Overflow | SAFE | Solidity 0.8.x built-in protection |
| Access Control | SAFE | Ownership renounced - no admin functions callable |
| Front-Running | Standard | Standard ERC20 approve race condition - not specific to this contract |
| Flash Loan | N/A | No oracles or leverage mechanics |
| Proxy/Upgrade | SAFE | Not upgradeable |
| Centralization | SAFE | Ownership renounced |
| Supply Inflation | SAFE | No mint function, fixed 1B supply |
| LP Rug Pull | SAFE | All LP tokens burned |
| Category | Check | Result | Score |
|---|---|---|---|
| Ownership & Access Control | owner() = zero address |
Renounced | 20/20 |
| Supply & Minting | No mint() function, fixed 1B |
No minting possible | 20/20 |
| Liquidity & LP Security | All LP burned to dead address | Permanently locked | 20/20 |
| Code & Program Safety | Verified source, Four.Meme standard, 0 medium+ findings | Clean | 15/15 |
| Fee & Transfer Mechanics | Standard Four.Meme transfer logic, no fee manipulation possible | Standard | 13/15 |
| Transparency & Metadata | Verified source, but no token logo, no BscScan profile info (website, socials, description missing) | Partial | 3/10 |
| TOTAL | 91/100 |
Scoring methodology: SCORING.md
This contract demonstrates strong security practices:
- Ownership renounced - no admin functions can be called
- LP 100% burned - liquidity permanently locked, rug-pull impossible
- No minting - fixed supply, no inflation
- No proxy - code cannot be changed
- Transfer mode locked - permanently set to Normal
- Standard Four.Meme contract - widely deployed and tested bytecode
- Solidity 0.8.x - built-in overflow protection
There are no critical, high, or medium severity findings. The two low-severity findings are non-exploitable observations. Five informational findings are positive security features.
This contract is safe for token holders. The deployer has taken all recommended steps: renounced ownership, burned LP tokens, and deployed via an established launchpad with proven contract code.
| Metric | Value | Source |
|---|---|---|
| DEX | PancakeSwap V2 | Factory verification |
| Pair Address | 0x19Ae1813d020302E624Bd4a02703e0241264baF8 |
On-chain |
| Token0 (WBNB) | 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c |
On-chain |
| Token1 (ClipX) | 0xc269d59a0d608ea0bd672f2f4616c372d8554444 |
On-chain |
| Reserve (WBNB) | ~103.92 | On-chain |
| Reserve (ClipX) | ~53,206,511 | On-chain |
| LP Total Supply | ~59,397 | On-chain |
| LP Burned | ~59,397 (100%) | On-chain - dead address |
| Price (USD) | ~$0.001259 | DexScreener |
| Liquidity (USD) | ~$133,978 | DexScreener |
| Pair Created | 2025-11-17 | DexScreener |
| ID | Title | Severity | Status |
|---|---|---|---|
| F-001 | Fee-on-Transfer DeFi Integration Note | Low | By Design |
| F-002 | Missing Token Logo and BscScan Metadata | Low | Open |
| F-003 | Ownership Renounced | Informational | Positive |
| F-004 | LP Tokens Burned | Informational | Positive |
| F-005 | Not a Proxy Contract | Informational | Positive |
| F-006 | No Mint Function | Informational | Positive |
| F-007 | Transfer Mode Permanently Locked | Informational | Positive |
| Severity | Description |
|---|---|
| Critical | Direct loss of funds, complete protocol takeover, or irreversible systemic damage. Exploitation requires minimal effort or can be automated. Immediate remediation required before any deployment or continued operation. |
| High | Significant risk to user funds, protocol integrity, or availability. Exploitation is feasible with moderate effort or under specific but realistic conditions. Must be resolved before mainnet deployment. |
| Medium | Conditional risk requiring specific circumstances, user interaction, or a combination of factors to exploit. Material impact if triggered. Should be addressed before mainnet deployment. |
| Low | Minor issues, best practice deviations, or theoretical risks with low probability and limited impact. Recommended to fix but not deployment-blocking. |
| Informational | Code quality observations, gas optimizations, documentation gaps, or architectural suggestions. No direct security impact. |
All findings were verified via direct BSC RPC calls. Key verifications:
# Owner verification
cast call 0xc269d59a0d608ea0bd672f2f4616c372d8554444 "owner()(address)" --rpc-url https://bsc-dataseed.binance.org/
# Returns: 0x0000000000000000000000000000000000000000
# Mode verification
cast call 0xc269d59a0d608ea0bd672f2f4616c372d8554444 "_mode()(uint256)" --rpc-url https://bsc-dataseed.binance.org/
# Returns: 0 (MODE_NORMAL)
# Total supply
cast call 0xc269d59a0d608ea0bd672f2f4616c372d8554444 "totalSupply()(uint256)" --rpc-url https://bsc-dataseed.binance.org/
# Returns: 1000000000000000000000000000 (1B * 10^18)
# LP burned verification
cast call 0x19Ae1813d020302E624Bd4a02703e0241264baF8 "balanceOf(address)(uint256)" 0x000000000000000000000000000000000000dEaD --rpc-url https://bsc-dataseed.binance.org/
# Returns: ~59396969616568150000000 (100% of LP supply)
# EIP-1967 proxy check
cast storage 0xc269d59a0d608ea0bd672f2f4616c372d8554444 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc --rpc-url https://bsc-dataseed.binance.org/
# Returns: 0x0 (not a proxy)
# Re-initialization test (reverts - ownership renounced)
cast call 0xc269d59a0d608ea0bd672f2f4616c372d8554444 "init(string,string,uint256)" "TEST" "TEST" 1000000000000000000 --from 0x0000000000000000000000000000000000000001 --rpc-url https://bsc-dataseed.binance.org/
# Reverts: "Ownable: caller is not the owner"| Tool | Version | Purpose |
|---|---|---|
| BSC RPC (Direct) | N/A | On-chain state verification |
| Bytecode Selector Extraction | Custom | Function interface discovery |
| OpenChain Signature Database | N/A | Function selector resolution |
| DexScreener API | N/A | Market data and pair verification |
| PancakeSwap V2 Factory | On-chain | Pair address verification |
| Manual review | N/A | Architecture and security analysis |
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-03-25 | Mefai Security Research | Initial report |
Mefai Security Research
- Web: mefai.io
- GitHub: github.com/mefai-dev
This report was prepared by Mefai Security Research. All on-chain data verified via direct BSC RPC calls on 2026-03-25. Unauthorized distribution or modification of this document is prohibited without prior written consent.