$BOOMER Contract Audit: An In-depth Analysis of the swapBack() Function

Rapa.eth
Published in BoomerOnBase
Jun 17, 2024

Community takeovers have become a notable trend in the dynamic world of cryptocurrency. Many projects initially deemed failures due to developer abandonment or scams are being revitalized by their communities. These grassroots efforts aim to breathe new life into meme coins and other tokens that investors have already purchased. However, a proper audit must be conducted before or after a community takeover to confirm that the token contract has no exploitable flaws.

Recent events led to our audit of the $BOOMER token contract. We closely examined it and obtained a third-party audit by Certik. TLDR: The $BOOMER contract is 100% Safe!

This article will detail one of the risks that was highlighted in our Certik report and how it was resolved.

BOO-02 | Initial Token Distribution

Certik Description

All of the 1_000_000_000 ether BOOMER tokens are sent to the contract deployer or one or several externally-owned account (EOA) addresses. This is a centralization risk because the deployer or the owner(s) of the EOAs can distribute tokens without obtaining the consensus of the community. Any compromise to these addresses may allow a hacker to steal and sell tokens on the market, resulting in severe damage to the project.

Certik Recommendation

It is recommended that the team be transparent regarding the initial token distribution process. The token distribution plan should be published in a public location that the community can access. The team should make efforts to restrict access to the private keys of the deployer account or EOAs. A multi-signature (2/3, 3/5) wallet can be used to prevent a single point of failure due to a private key compromise. Additionally, the team can lock up a portion of tokens, release them with a vesting schedule for long-term success, and deanonymize the project team with a third-party KYC provider to create greater accountability.

Boomer Resolution

We provided Certik with detailed documentation of the Initial Token Distribution process and tracked all tokens distributed to the old developer’s accounts, demonstrating that they no longer owned any $BOOMER. See Article: Boomer Initial Token Distribution and Full Exit of Original Developer.

During the resolution process, Certik mentioned that all EOAs associated with the contract and team needed to be secured by a multi-signature wallet. This includes the developer (deployer) wallet, the contract owner wallet, and the marketing wallet. We showed that the contract ownership was renounced and that the marketing wallet was secured by a 3/5 multi-signature wallet.

However, this left the original developer (deployer) wallet on the table. Since the previous developer still owned it, we took further steps to explore potential attack vectors, an essential step to ensure safety from potential exploits.

A deep dive into the token contract shows that the only place the devWallet, owned by the old developer who scammed $BOOMER, is referenced is the swapBack() function.

Understanding the swapBack() Function

The swapBack() function is designed to automate the conversion of tokens held by the token contract into another form, typically Ethereum (ETH). It then transfers the entire Ethereum amount to a designated wallet — in this case, the devWallet owned by the old developer.

This process is normal for tokens that accumulate taxes on buy and/or sale transactions. As the token contract accumulates tokens, the swapBack() function automatically swaps those fees for a more stable currency like Ethereum.

Certik raised a concern about this function because it referenced the original deployer wallet. Additionally, a renounced contract implies that the developer (deployer) wallet is set permanently and cannot be altered.

Why is Boomer Safe?

Upon further analyzing the $BOOMER contract, we observed that the swapBack() function will never be executed fully.

Zooming out, the function is designed to trigger through _transfer() when the following conditions are met:

[Image: snippet from _transfer()]
[Image: BaseScan snippet of tokenSwapThreshold value]
  1. canSwap is set to false but becomes true when the contract’s token balance meets or exceeds the tokenSwapThreshold (5,000,000 $BOOMER).
  2. swapEnabled was set to true when trading was opened. It cannot be altered.
  3. swapping is set to false by default and changes to true when swapBack is called by a _transfer event, preventing duplicate swapBack() calls.
  4. The sender is not the UNISWAP_V2_PAIR: This parameter ensures buy or sell transactions only trigger the swapBack() function once.
  5. Neither the sender nor the recipient is excluded from fees: This excludes any addresses that are not part of the transaction tax process from triggering this function since it is associated with tax collection.

[Image: snippet from swapBack()]

When the swapBack() function is triggered, the function checks if the contractBalance or totalTokensToSwap is 0. If either is 0, the swapBack() function exits immediately without swapping or transferring any tokens.

To put you at ease, our totalTokensToSwap will always be 0, so the swapBack() function can never proceed further than the above IF statement. Below is a more detailed explanation of why.

Current Status of the $BOOMER Contract

$BOOMER Balance of 0xcdE172dc5ffC46D228838446c57C1227e0B82049

Many Boomers generously donated their $BOOMER to the official CA. The contract balance is currently at 90,920.33262564 $BOOMER. These are considered burned as the contract is renounced.

Current Status of taxedTokens

[Image: BaseScan snippet of taxedTokens value]

The total taxedTokens is 0, meaning totalTokensToSwap is 0, so the swapBack() function exits without doing anything.

[Image: snippet from _transfer()]

Additionally, the taxedTokens value can never change since we have 0 tax on buy and sell transactions, and the renounced contract ownership prevents us from changing the tax settings.

Thus, even if swapBack() is called, it will never execute the “swap and transfer all ETH to the devWallet” part of the code.

Example Scenario

Let’s consider a scenario where the swapBack() function is forcefully triggered. Suppose many real boomers accidentally transfer $BOOMER to the contract address over time, causing the $BOOMER balance of the contract to reach 4.9 million. Then, the old developer or a bad actor comes up with a plan to try and drain the 4.9 million $BOOMER and any ETH on the contract. The old developer buys 100,000 $BOOMER and transfers it to the contract address, meeting the 5,000,000 $BOOMER threshold and triggering the swapBack() function.

However, by design, before any operations occur within the function, an IF statement catches this attempt and exits the function immediately since the taxedTokens value equals zero. $BOOMER IS SAFE!
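
The trigger conditions and the Example Scenario above, as a small Python model added here for illustration; it is not the $BOOMER contract's Solidity code. The fee bookkeeping, the check-before-balance-update ordering, the whole-balance payout, and the names `TokenModel`, `run_scenario`, `old_dev` and `holder` are assumptions; the second run uses a hypothetical 1% tax to show that the zero-tax setting is what keeps the guard closed.

```python
from dataclasses import dataclass

THRESHOLD = 5_000_000          # tokenSwapThreshold from the article (whole $BOOMER)
PAIR, CONTRACT = "UNISWAP_V2_PAIR", "TOKEN_CONTRACT"

@dataclass
class TokenModel:
    fee_bps: int = 0               # buy/sell tax in basis points; 0 on $BOOMER
    contract_balance: int = 0
    taxed_tokens: int = 0          # grows only when a fee is collected
    swap_enabled: bool = True
    swapping: bool = False
    swap_back_calls: int = 0
    paid_to_dev_wallet: int = 0    # stand-in for "swap to ETH, send to devWallet"

    def swap_back(self):
        self.swap_back_calls += 1
        total_tokens_to_swap = self.taxed_tokens
        if self.contract_balance == 0 or total_tokens_to_swap == 0:
            return                 # the early exit the article relies on
        self.paid_to_dev_wallet += self.contract_balance
        self.contract_balance = self.taxed_tokens = 0

    def transfer(self, sender, recipient, amount, excluded=()):
        # Assumption: the trigger check runs before balances are updated.
        can_swap = self.contract_balance >= THRESHOLD
        taxable = sender not in excluded and recipient not in excluded
        if can_swap and self.swap_enabled and not self.swapping \
                and sender != PAIR and taxable:
            self.swapping = True
            self.swap_back()
            self.swapping = False
        # Assumption: a fee is charged only on buys and sells (pair involved).
        fee = amount * self.fee_bps // 10_000 if taxable and PAIR in (sender, recipient) else 0
        self.contract_balance += fee
        self.taxed_tokens += fee
        if recipient == CONTRACT:
            self.contract_balance += amount - fee
        return amount - fee        # tokens the recipient actually receives

def run_scenario(fee_bps):
    """Article's scenario: 4.9M donated, then a 100,000 buy is sent to the contract."""
    token = TokenModel(fee_bps=fee_bps, contract_balance=4_900_000)
    received = token.transfer(PAIR, "old_dev", 100_000)      # the buy
    token.transfer("old_dev", CONTRACT, received)            # top up to the threshold
    token.transfer("holder", PAIR, 1_000)                    # next sell runs the check
    return token

if __name__ == "__main__":
    for bps in (0, 100):   # 0 = $BOOMER as described; 100 = hypothetical 1% tax
        t = run_scenario(bps)
        print(bps, t.swap_back_calls, t.taxed_tokens, t.paid_to_dev_wallet)
```

With a zero tax, swapBack() is entered once and returns at the guard, leaving the 5,000,000 tokens in the contract; with the hypothetical tax, the same sequence reaches the payout branch.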

Conclusion

After thorough analysis and third-party auditing by Certik, the $BOOMER token contract has proven to be secure and resilient. The detailed review and implementation of safeguards ensure that potential vulnerabilities, particularly those associated with the original developer, are effectively mitigated.

With the rise of community takeovers (CTOs) in the cryptocurrency space, it is crucial that contracts undergo rigorous audits to identify and resolve any security issues. The $BOOMER contract serves as a prime example of how diligent auditing and transparent practices can restore confidence and stability in projects initially affected by developer misconduct. By prioritizing security and transparency, the $BOOMER community has successfully revitalized the project, paving the way for future growth and trust.

Disclaimer: The content provided here is not financial advice. Its purpose is to educate and contribute to the vision of BoomerOnBase in onboarding the next 10,000,000 boomers to @base. Please conduct your research and consult with a financial advisor before making any investment decisions.

Engaging with the Boomer Community

To take the next step in your crypto journey, immerse yourself in the vibrant Boomer community through various channels:

  1. Telegram: Join the Boomer Telegram group to connect with like-minded individuals, share insights, and stay updated on the latest developments in the crypto sphere.
  2. YouTube: Dive into Boomer’s YouTube channel for educational content, tutorials, and interviews with industry experts, empowering you with knowledge and inspiration to navigate the crypto landscape.
  3. Social Media: Follow Boomer on Twitter, Instagram, and Facebook to engage with the community and participate in discussions.

By actively engaging with the Boomer community, you can unlock a wealth of resources, support, and camaraderie on your journey towards crypto enlightenment.

Follow @BoomerOnBase on X for more insights.

Or visit us at https://baseboomer.com/ to learn more
