
PHPT

Audit name: [SCA] PHPT / Token / Dec2023

Date: Jan 3, 2024

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We thank PHPT for allowing us to conduct a Smart Contract Security Assessment. This document outlines our methodology, limitations, and results of the security assessment.

The Philippines Peso Token (PHPT) is a revolutionary stablecoin project with a singular mission: to simplify digital Philippine Peso transactions, empowering Filipinos globally to seamlessly engage in the world of cryptocurrencies.

Platform: EVM
Language: Solidity
Tags: ERC20, Exchange, Upgradable
Timeline: 19/12/2023 - 12/01/2024
Methodology: https://hackenio.cc/sc_methodology

    Initial Review Scope

    Repository: https://github.com/PHPT-COM/PHPToken/tree/476400faa7e15a2823cdf0ce569ad4052946104e
    Commit: 476400faa7e15a2823cdf0ce569ad4052946104e

    Last Review Scope

    Repository: https://github.com/PHPT-COM/PHPToken/tree/v2
    Commit: 7569bc818936dc89069e1076183fd29009540e8e
    Repository 2: https://github.com/PHPT-COM/phpt-swap/tree/main
    Commit 2: 49219ee3b0f497cf7602132ffeb6ffe96add9e28

    Audit Summary

    Total: 9.3/10
    Security Score: 10/10
    Test Coverage: 80%
    Code Quality Score: 10/10
    Documentation Quality Score: 10/10

    Total Findings: 10
    Resolved: 10
    Accepted: 0
    Mitigated: 0

    System users should acknowledge all the risks summarised in the Risks section of this report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    Name: Smart Contract Code Review and Security Analysis Report for PHPT
    Audited By: Turgay Arda Usman, Kornel Światłowski
    Approved By: Przemyslaw Swiatowiec
    Website: https://phpt.com/
    Changelog: 12/01/2024 - Second Review

    System Overview

    PHPT (Philippines Peso Token) is a stablecoin modeled after the proven stability of Tether (USDT) and implemented as a BEP-20 token on the Binance Smart Chain network. It consists of the following contracts:

    • PHPT — an ERC-20 token with blacklist functionality.

    • Blacklist — the blacklisting functionality.

    • ExchangeV4 — the contract that allows users to exchange PHPT and USDT.

    Privileged roles

    • The owner of the contract can modify the exchange rates and ratios between USDT and PHPT.

    • The watcher can modify the exchange rates between USDT and PHPT.

    • The owner can pause or unpause the contracts.

    • The Blacklist admin can modify an account's blacklist status.

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 10 out of 10.

    • Functional requirements are provided.

    • A technical description is provided.

    Code quality

    The total Code Quality score is 10 out of 10.

    • The code follows best practices and style guides.

    • The development environment is configured.

    Test coverage

    Code coverage of the project is 89.58% (branch coverage) for the swap repository and 0.0% (branch coverage) for the token repository.

    • Deployment and basic user interactions are covered with tests.

    • Negative test cases are not covered.

    • Interactions by several users are not tested thoroughly.

    • The token repository lacks tests.

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 2 medium, and 1 low severity issues, leading to a security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the customer's smart contract yields an overall score of 9.3. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

    Risks

    The owner can withdraw USDT or PHPT from the exchange contract (ExchangeV4.sol) at any time.

    USDT has 6 decimals and PHPT has 18. The difference is handled by the owner-controlled ratio and coefficient state variables, which are expressed in wei. Because the owner sets these values, a wrong value can introduce decimal-related precision errors in every exchange.

    The relative price between USDT and PHPT is controlled centrally by the owner.

    Findings

    Code        | Title                                              | Status | Severity
    F-2023-0251 | Owner Can Front-run the User Exchange Transaction  | fixed  | Medium
    F-2023-0211 | Rates and Coefficients Setters Could Be Front-run  | fixed  | Medium
    F-2023-0203 | Missing Checks for Zero Address                    | fixed  | Low
    F-2024-0396 | Testing Features                                   | fixed  | Observation
    F-2023-0209 | Out-of-Gas Error Due to Excessive Loop Iterations  | fixed  | Observation
    F-2023-0208 | Events Emitted Inside Loops                        | fixed  | Observation
    F-2023-0206 | Missing Events                                     | fixed  | Observation
    F-2023-0201 | Redundant Imports                                  | fixed  | Observation
    F-2023-0200 | Public Functions That Should Be External           | fixed  | Observation
    F-2023-0199 | Floating Pragma                                    | fixed  | Observation
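The two exchange risks above (an owner-set rate, and a 6-versus-18 decimal gap bridged by owner-typed values) and the two Medium front-running findings in the table are the same problem seen from different sides: a user submits a trade against a price the owner can change in the same block. The following is an added illustration in Solidity of the usual defences, not code from the PHPT or phpt-swap repositories, and it does not claim to show how ExchangeV4 was fixed: the decimal scale is read from the tokens instead of trusted from a setter, the caller pins a minimum output and a deadline so a rate change mined ahead of the trade reverts it instead of silently repricing it, and a single owner update is capped in how far it can move the rate. The contract and function names, the 1e18 fixed-point rate convention, the 10% step cap and the minimal ERC-20 interface are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20; // pinned rather than floating (cf. F-2023-0199)

// Added illustration only; not PHPT's ExchangeV4. The interface, names,
// step cap and 1e18 fixed-point rate convention are assumptions.
interface IERC20 {
    function decimals() external view returns (uint8);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ExchangeExample {
    address public immutable owner;
    IERC20 public immutable usdt;       // 6 decimals on BSC
    IERC20 public immutable phpt;       // 18 decimals
    uint256 public immutable usdtScale; // 10 ** (phpt.decimals() - usdt.decimals()) = 1e12

    // PHPT paid per 1 USDT as a 1e18 fixed-point number (56.5 PHPT/USDT -> 56.5e18).
    uint256 public rate;
    uint256 public constant MAX_STEP_BPS = 1_000; // one update may move the rate by at most 10%

    event RateUpdated(uint256 oldRate, uint256 newRate);
    event Exchanged(address indexed user, uint256 usdtIn, uint256 phptOut);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20 usdt_, IERC20 phpt_, uint256 initialRate) {
        // Zero-address checks on constructor inputs (cf. F-2023-0203).
        require(address(usdt_) != address(0) && address(phpt_) != address(0), "zero address");
        require(initialRate > 0, "zero rate");
        owner = msg.sender;
        usdt = usdt_;
        phpt = phpt_;
        // Derive the decimal gap from the tokens instead of trusting a hand-entered
        // ratio; the subtraction reverts if USDT ever had more decimals than PHPT.
        usdtScale = 10 ** (uint256(phpt_.decimals()) - uint256(usdt_.decimals()));
        rate = initialRate;
    }

    /// PHPT out for a given USDT amount: scale 6 -> 18 decimals first, then apply the rate.
    /// 1 USDT = 1_000_000 -> 1e18 after scaling -> 56.5e18 PHPT at rate 56.5e18.
    function quotePhptOut(uint256 usdtIn) public view returns (uint256) {
        return usdtIn * usdtScale * rate / 1e18;
    }

    /// The caller pins the worst price they accept and a deadline. If an owner
    /// setRate() lands in front of this call (F-2023-0251) and the quote falls
    /// below minPhptOut, the trade reverts instead of filling at the new rate.
    function exchangeUsdtForPhpt(uint256 usdtIn, uint256 minPhptOut, uint256 deadline)
        external
        returns (uint256 phptOut)
    {
        require(block.timestamp <= deadline, "expired");
        require(usdtIn > 0, "zero amount");
        phptOut = quotePhptOut(usdtIn);
        require(phptOut >= minPhptOut, "slippage: rate moved");
        // Pull USDT from the caller, then pay out from this contract's PHPT reserve.
        require(usdt.transferFrom(msg.sender, address(this), usdtIn), "USDT transferFrom failed");
        require(phpt.transfer(msg.sender, phptOut), "PHPT transfer failed");
        emit Exchanged(msg.sender, usdtIn, phptOut);
    }

    /// Owner rate update, bounded so a mistyped value cannot reprice the reserve
    /// by orders of magnitude in one transaction, and logged (cf. F-2023-0206).
    function setRate(uint256 newRate) external onlyOwner {
        require(newRate > 0, "zero rate");
        uint256 maxDelta = rate * MAX_STEP_BPS / 10_000;
        // newRate must lie within [rate - maxDelta, rate + maxDelta]; the second
        // comparison is written without subtraction so it cannot underflow.
        require(newRate <= rate + maxDelta && newRate + maxDelta >= rate, "rate step too large");
        emit RateUpdated(rate, newRate);
        rate = newRate;
    }
}
```

The minPhptOut check covers the user side of F-2023-0251. Its mirror image, F-2023-0211 (a trader who sees a pending setRate() in the mempool and front-runs it to fill at the old price), is only narrowed by the step cap, which bounds what such a front-run is worth; closing it needs the rate update submitted outside the public mempool or a two-step update with a delay. The bool return checks assume BEP-20 tokens that return a value from transfer()/transferFrom(); for tokens that do not, wrap the calls with a SafeERC20-style helper.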


    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    A reference on how risk scoring is done is available in the repository in our GitHub organization.

    Critical: Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High: High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium: Medium vulnerabilities are usually limited to state manipulation and, in most cases, cannot lead to asset loss. Contradictions with and violations of the requirements, as well as major deviations from best practices, also fall into this category.

    Low: Major deviations from best practices or major gas inefficiency. These issues do not have a significant impact on code execution and do not affect the security score, but they can affect the code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repositories:

    Scope Details

    Repository: https://github.com/PHPT-COM/PHPToken/tree/476400faa7e15a2823cdf0ce569ad4052946104e
    Commit: 476400faa7e15a2823cdf0ce569ad4052946104e
    Repository: https://github.com/PHPT-COM/phpt-swap
    Commit: fa9d86b5f72a67ecad0b35914f1ccac06ade21607774ec061348ff22c7fdc761
    Whitepaper: https://phpt.com/assets/PHPT%20Whitepaper-REWFlWEA.pdf
    Requirements: Not provided
    Technical Requirements: Not provided

    Contracts in Scope

    PhptokenV2.sol - contracts/PhptokenV2.sol
    Blacklist.sol - contracts/common/Blacklist.sol
    ExchangeV4.sol - phpt-swap-contracts-main/contracts/ExchangeV4.sol

    Disclaimer