ThunderSwap smart contracts audit report

HashEx was commissioned by the ThunderSwap team to perform an audit of ThunderSwap smart contracts. The audit was conducted between April 22 and April 27, 2021.

The audited code is located in the ThunderSwap GitHub repository. The audit was performed after commit 2d93d57. The same code is deployed to Binance Smart Chain (BSC) at the addresses 0xf6135FCb4A0F469DcBb3e6D83520Dc21825A0001 and 0x6FCC6a77ee6F383395c630EEDe1EE928dFF4E331.

The documentation is available on docs.thunderswap.finance.

The purpose of this audit was to achieve the following:
● Identify potential security issues with smart contracts.
● Formally check the logic behind given smart contracts.

Information in this report should be used to understand the risk exposure of the smart contracts, and as a guide to improve their security posture by remediating the issues that were identified. We found that the code is a fork of PancakeSwap, which is itself a fork of Uniswap for Binance Smart Chain (BSC). An audit of Uniswap is available [1]. For this reason we focused on the unaudited parts of the code, as well as on the modifications made by ThunderSwap.

Implementation of the ERC20 token standard with additional permission functionality. Allows an unlimited token allowance if the allowance is set to uint(-1). The same as PancakeERC20.

The same as PancakeFactory.

The same as PancakePair.

Same as PancakeRouter (copy of UniswapV2Router02, supports deflationary tokens).

The same as PancakeSwap’s.

ThunderSwapERC20.sol lacks increaseApproval() and decreaseApproval() functions. These functions mitigate front-running attacks on the approve() function when a user wants to alter a previously approved amount in a single transaction (see [2]).
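As an added illustration (not code from ThunderSwap or PancakeSwap), the following minimal contract shows the allowance-related part of an ERC20 token with the two missing functions alongside the standard approve(). OpenZeppelin ships the same pattern under the names increaseAllowance()/decreaseAllowance(); the names used here follow the report. The contract name, the 0.8.x pragma and the omission of balances and transfer logic are assumptions made for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not part of the audited code base: only the allowance
// bookkeeping of an ERC20 token is shown; balances, transfer() and
// transferFrom() are assumed to live elsewhere in a real contract.
contract AllowanceExample {
    mapping(address => mapping(address => uint256)) public allowance;

    event Approval(address indexed owner, address indexed spender, uint256 value);

    // Standard approve(): overwrites the allowance. Changing a non-zero
    // allowance A to B in one call leaves a window in which a spender who
    // observes the pending transaction can consume A before B takes effect,
    // so the total spendable amount becomes A + B rather than B.
    function approve(address spender, uint256 value) external returns (bool) {
        _approve(msg.sender, spender, value);
        return true;
    }

    // Relative adjustment: the new allowance is derived from whatever is
    // currently left, so amounts already consumed by the spender are
    // accounted for. Overflow (e.g. adding to a uint(-1) "unlimited"
    // allowance) reverts under 0.8.x checked arithmetic.
    function increaseApproval(address spender, uint256 addedValue) external returns (bool) {
        _approve(msg.sender, spender, allowance[msg.sender][spender] + addedValue);
        return true;
    }

    // Decreasing by more than what remains reverts instead of silently
    // leaving a stale allowance in place; the explicit require gives a
    // readable revert reason rather than a bare arithmetic underflow.
    function decreaseApproval(address spender, uint256 subtractedValue) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtractedValue, "decreased allowance below zero");
        _approve(msg.sender, spender, current - subtractedValue);
        return true;
    }

    function _approve(address owner, address spender, uint256 value) internal {
        require(spender != address(0), "approve to the zero address");
        allowance[owner][spender] = value;
        emit Approval(owner, spender, value);
    }
}
```

A user who wants to move an allowance from A to B should call decreaseApproval(spender, A - B) or increaseApproval(spender, B - A) rather than approve(spender, B); the relative calls bound the spender to the intended amount regardless of transaction ordering.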

The fee values in the code and docs are the same as in PancakeSwap. It must be noted that there is a discrepancy in PancakeSwap's documentation regarding the actual fee values. According to the documentation [3], the 0.2% swap fee is distributed as follows:
● 0.17% (5⁄6 of the fee) returns to liquidity pools in the form of a fee reward for liquidity providers;
● 0.03% (1⁄6 of the fee) is sent to the Treasury.
ThunderSwapPair L109, however, sets the fee distribution as 3⁄4 to 1⁄4, i.e. 0.15% and 0.05%.

Update: documentation on the site [3] was updated according to the values set in the code (0.15% to the liquidity pools and 0.05% to the ThunderSwap Treasury).
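As an added worked derivation, not part of the original report: the split above comes from a single constant in the Uniswap V2 protocol-fee minting formula (the _mintFee step), which PancakePair and therefore ThunderSwapPair inherit. The formula below is the Uniswap V2 design; that the referenced line sets the multiplier $m$ to $3$ is an assumption consistent with the 3⁄4 : 1⁄4 split the report states.

Let $S$ be the LP token supply, $\sqrt{k}$ the current pool invariant and $\sqrt{k_{last}}$ its value when fees were last minted. The liquidity minted to the fee recipient is

$$L = \frac{S\,(\sqrt{k} - \sqrt{k_{last}})}{m\,\sqrt{k} + \sqrt{k_{last}}}$$

After minting, the fee recipient's share of the pool is

$$\frac{L}{S + L} = \frac{\sqrt{k} - \sqrt{k_{last}}}{(m+1)\,\sqrt{k}}$$

while the pool's growth since the last mint is $(\sqrt{k} - \sqrt{k_{last}})/\sqrt{k}$. Dividing the two gives the protocol's share of the fee growth:

$$\phi = \frac{1}{m+1}$$

With Uniswap's $m = 5$ this is $1/6$ of the 0.3% fee, i.e. 0.05% to the protocol and 0.25% to liquidity providers. With $m = 3$ it is $1/4$ of the 0.2% fee: $0.2\% \cdot 1/4 = 0.05\%$ to the Treasury and $0.2\% \cdot 3/4 = 0.15\%$ to liquidity providers, which matches the values in the code and not the 0.03% / 0.17% originally documented. Checking this constant against the published fee policy is the one-line review that catches this class of discrepancy in any Uniswap-derived pair contract.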

No low severity issues were introduced with changes in the forked code.

The audited contracts are a copy of PancakeSwap. No high severity issues were found. An inconsistency between the fee distribution described in the documentation and the actual values in the code was found. It is caused by the source of the forked code (PancakeSwap).

Update: documentation on the site [3] was updated according to the actual values set in the code.

It must be noted that the audited contracts fork only the part of the PancakeSwap repositories that implements basic DEX functionality. The farming, timelock, governance, and other functionality present in the forked repositories were not audited.

HashEx website: https://hashex.org
LinkedIn: https://www.linkedin.com/in/dmitrymishunin/