
Security Audit Report: META FINANCIAL AI (MEFAI) - BNB Smart Chain

Report Information

| Field | Value |
|---|---|
| Audit Firm | Mefai Security Research |
| Report Date | 2026-03-25 |
| Contract Address | 0x45E57907058c707a068100De358BA4535b18E2F3 |
| Chain | BNB Smart Chain (BSC) |
| Language | Solidity v0.8.23 |
| Audit Type | Smart Contract + Token |
| Mefai Security Score | 94/100 |
| Overall Risk | LOW |

1. Contract Overview

| Field | Value |
|---|---|
| Contract Name | CertifiedSecureToken |
| Token Name | META FINANCIAL AI |
| Token Symbol | MEFAI |
| Compiler | Solidity v0.8.23+commit.f704f362 |
| Optimization | Enabled, 200 runs |
| License | MIT |
| Verified | Yes (BscScan) |
| Proxy | No - not upgradeable |
| Total Supply | 1,000,000,000 (fixed, no minting possible) |
| Fee | 1% on non-excluded transfers (immutable, cannot be changed) |
| Team Wallet | 0x0ffc542542b5b841d4d11917948b360c0fe73244 (immutable) |
| Ownership | RENOUNCED - verified on-chain (owner = 0x0000000000000000000000000000000000000000) |

2. Security Assessment Summary

Risk Rating

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 3 |
| Informational | 5 |

Overall Risk: LOW


3. Architecture Analysis

The contract inherits from OpenZeppelin's ERC20 and Ownable (v5.x). Architecture is clean and straightforward:

  • Fixed supply: 1 billion tokens minted at construction. No mint function exists - supply can never increase.
  • Fee mechanism: 1% transfer fee defined as constant - cannot be modified by anyone, ever.
  • Team wallet: Declared immutable - fee destination cannot be changed after deployment.
  • Ownership: RENOUNCED (verified on-chain via owner() returning zero address). No admin functions can be called.
  • No proxy: Contract is not upgradeable. Code is permanent.
  • BNB rejection: receive() reverts, preventing accidental BNB sends.

Dependency chain: OpenZeppelin v5 ERC20 → Ownable → CertifiedSecureToken


4. Security Checklist

| Check | Status | Details |
|---|---|---|
| Ownership | SAFE | Renounced - owner() returns zero address. No admin functions callable. |
| Minting | SAFE | No mint function. Fixed 1B supply forever. |
| Fee Immutability | SAFE | FEE_PERCENT is constant (1%). Cannot be changed by anyone. |
| Team Wallet | SAFE | immutable - set once in constructor, cannot be redirected. |
| Proxy/Upgrade | SAFE | No proxy pattern. Contract code is permanent. |
| Reentrancy | SAFE | No external calls before state changes. |
| Overflow/Underflow | SAFE | Solidity 0.8.23 built-in protection. |
| Flash Loan Vectors | N/A | No oracles, no leverage mechanics. |
| Centralization | SAFE | Ownership renounced - no admin can modify anything. |
| Fee Exclusion List | FROZEN | excludeFromFee() requires onlyOwner. Owner is zero address - list is permanently frozen. |

5. Findings

Finding #1: transferFrom Ordering Pattern (Low)

Severity: Low Status: Not Exploitable

The transferFrom() override performs the transfer before checking the allowance, so the check runs after the effect, a deviation from the Checks-Effects-Interactions ordering. However:

  • The entire transaction reverts atomically if allowance is insufficient
  • No external calls exist between transfer and check
  • Not exploitable in current or any future state (contract is not upgradeable)

```solidity
function transferFrom(address sender, address recipient, uint256 amount) public override returns (bool) {
    _validateTransfer(sender, recipient, amount);
    _transferWithFee(sender, recipient, amount);  // transfer first
    uint256 currentAllowance = allowance(sender, _msgSender());
    require(currentAllowance >= amount, "ERC20: insufficient allowance");  // check after
    _approve(sender, _msgSender(), currentAllowance - amount);
    return true;
}
```

Since the contract is non-upgradeable, no future modification can introduce exploitability.
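For comparison, the following is an added illustrative token, not the audited MEFAI source, that keeps the 1% constant fee and immutable team wallet described in this report but orders transferFrom() check-first using OpenZeppelin v5's _spendAllowance. The contract name CheckFirstFeeToken, the _transferWithFee body and the absence of a fee exclusion list are assumptions made for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// Illustrative fee token (example code, not the deployed MEFAI contract).
/// Fee and wallet semantics are assumed to mirror the report:
/// 1% constant fee, immutable team wallet, fixed supply minted at construction.
contract CheckFirstFeeToken is ERC20 {
    uint256 public constant FEE_PERCENT = 1;   // assumed: 1%, as in the report
    address public immutable teamWallet;       // assumed name, as in the report

    constructor(address teamWallet_) ERC20("Example Fee Token", "EXFT") {
        teamWallet = teamWallet_;
        _mint(msg.sender, 1_000_000_000 * 1e18); // 1B tokens, 18 decimals assumed
    }

    /// Moves `amount` out of `from`: 1% to the team wallet, the rest to `to`.
    function _transferWithFee(address from, address to, uint256 amount) internal {
        uint256 fee = amount * FEE_PERCENT / 100;
        if (fee > 0) {
            _transfer(from, teamWallet, fee);
        }
        _transfer(from, to, amount - fee);
    }

    function transfer(address to, uint256 amount) public override returns (bool) {
        _transferWithFee(_msgSender(), to, amount);
        return true;
    }

    /// Checks-Effects ordering: consume the allowance first, then move balances.
    /// OpenZeppelin v5's _spendAllowance reverts with the custom error
    /// ERC20InsufficientAllowance and leaves an unlimited (type(uint256).max)
    /// allowance untouched, so no require string is needed here.
    function transferFrom(address from, address to, uint256 amount) public override returns (bool) {
        _spendAllowance(from, _msgSender(), amount); // check, then allowance effect
        _transferWithFee(from, to, amount);          // balance effects last
        return true;
    }
}
```

Both orderings end in the same state for a plain ERC20 with no external calls, because an insufficient allowance reverts the whole transaction either way; the check-first form is preferred because it stays correct even if a later change were to introduce an external call inside the transfer path, which is exactly the situation the non-upgradeable MEFAI contract rules out.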


Finding #2: Fee-on-Transfer DeFi Integration Note (Low)

Severity: Low Status: By Design

The 1% fee means DeFi protocols that don't handle fee-on-transfer tokens may experience accounting discrepancies. This is a known characteristic of fee tokens - not a vulnerability. Users should set appropriate slippage on DEX swaps.
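As an added example of the integration pitfall (not part of this report or of the MEFAI code), the hypothetical vault below shows a naive deposit that credits the amount the caller sent beside a balance-delta deposit that credits only what actually arrived. FeeAwareVault and its function names are assumptions for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative vault (example code) holding a fee-on-transfer ERC20 such as a
/// token with a constant 1% fee. Shows why crediting the sent amount breaks
/// accounting and how the balance-delta pattern fixes it.
contract FeeAwareVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    uint256 public totalShares; // should always equal token.balanceOf(address(this))

    constructor(IERC20 token_) {
        token = token_;
    }

    /// BROKEN for fee tokens: credits `amount` although only amount minus the
    /// fee reached the vault. totalShares drifts above the real balance, and the
    /// last depositors to withdraw find the vault short.
    function depositNaive(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
        totalShares += amount;
    }

    /// CORRECT: measure the balance before and after the transfer and credit
    /// only the difference. With a 1% fee token, deposit(100e18) credits 99e18.
    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        shares[msg.sender] += received;
        totalShares += received;
    }

    /// Effects before interaction. The vault's balance drops by exactly `amount`;
    /// the fee is deducted from that amount on the token side, so the recipient
    /// receives amount minus the token's fee.
    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount; // reverts on underflow under Solidity 0.8.x
        totalShares -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}
```

Two caveats apply to the pattern. The balance-delta measurement assumes the token has no transfer hooks that could re-enter the vault between the two balanceOf reads, which holds for a plain OpenZeppelin ERC20 like the one audited here; and, because the fee exclusion list of the MEFAI contract is permanently frozen (see Finding #6), an integrating protocol can never be excluded, so the 1% fee always applies to its deposits and withdrawals.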


Finding #3: Mixed Error Handling Style (Low)

Severity: Low Status: Cosmetic

The contract mixes legacy require strings with OpenZeppelin v5 custom errors. No functional impact.


Finding #4: Fee Percentage is Immutable (Informational - Positive)

Severity: Informational Status: Positive Security Feature

FEE_PERCENT is constant (1%). It cannot be changed after deployment by anyone, including the deployer. This eliminates the common "fee increase" rug vector.


Finding #5: Team Wallet is Immutable (Informational - Positive)

Severity: Informational Status: Positive Security Feature

teamWallet is immutable. Fee destination cannot be redirected. This eliminates the "fee redirect" attack vector.


Finding #6: Ownership Renounced (Informational - Positive)

Severity: Informational Status: Positive Security Feature

owner() returns 0x0000000000000000000000000000000000000000. All onlyOwner functions are permanently disabled:

  • excludeFromFee() - cannot be called
  • transferOwnership() - cannot be called
  • renounceOwnership() - already executed

The fee exclusion list is permanently frozen in its current state. No address can ever be added or removed.


Finding #7: No Burn Function (Informational)

Severity: Informational Status: By Design

No public burn function exists. Supply is permanently fixed at 1 billion tokens.


Finding #8: BNB Receive Protection (Informational - Positive)

Severity: Informational Status: Positive Security Feature

The receive() function reverts with a custom error, preventing accidental BNB sends to the contract.


6. Vulnerability Assessment Matrix

| Category | Status | Notes |
|---|---|---|
| Reentrancy | SAFE | No external calls before state changes |
| Integer Overflow | SAFE | Solidity 0.8.23 built-in protection |
| Access Control | SAFE | Ownership renounced - no admin functions callable |
| Front-Running | Standard | Standard ERC20 approve race condition - not specific to this contract |
| Flash Loan | N/A | No oracles or leverage mechanics |
| Proxy/Upgrade | SAFE | Not upgradeable |
| Centralization | SAFE | Ownership renounced |
| Fee Manipulation | SAFE | Fee is constant (1%), wallet is immutable |
| Supply Inflation | SAFE | No mint function |

7. Mefai Security Score

94/100 - LOW RISK

| Category | Check | Result | Score |
|---|---|---|---|
| Ownership & Access Control | owner() = zero address | Renounced | 20/20 |
| Supply & Minting | No mint() function, fixed 1B | No minting possible | 20/20 |
| Liquidity & LP Security | LP on PancakeSwap | Verified | 16/20 |
| Code & Program Safety | Solidity 0.8.23, OZ v5, 0 medium+ | Clean | 15/15 |
| Fee & Transfer Mechanics | FEE_PERCENT is constant (1%) | Fixed, immutable | 13/15 |
| Transparency & Metadata | Verified on BscScan, active site | Full transparency | 10/10 |
| TOTAL | | | 94/100 |

Scoring methodology: SCORING.md

This contract demonstrates strong security practices:

  1. Ownership renounced - no admin functions can be called
  2. Fee is constant - cannot be increased or decreased
  3. Team wallet is immutable - cannot be redirected
  4. No minting - fixed supply, no inflation
  5. No proxy - code cannot be changed
  6. OpenZeppelin v5 - well-audited base contracts
  7. Solidity 0.8.23 - built-in overflow protection

There are no critical, high, or medium severity findings. The three low-severity findings are non-exploitable code style observations. Five informational findings are positive security features.

This contract is safe for token holders. The deployer has taken all recommended steps: renounced ownership, used immutable fee parameters, and built on audited OpenZeppelin contracts.


Report by Mefai Security Research | 2026-03-25 | On-chain verification via BSC RPC