SafeMars Certik Full Audit — Complete!

Fellow martians,

We are pleased to announce that Certik has now completed the Full Audit of SafeMars: funds are SAFU! 💪

The audit reveals:

  • NO (zero) critical issues 🎉
  • 1 (one) major issue (although it’s actually a good thing, read below to find out why)
  • Several minor issues (of no consequence to the actual working smart contract)

The audit has been a long time coming. We requested it back in May and it was scheduled to be delivered in June, but due to some internal Certik issues it was delayed until now. Still, we are thrilled to have finally gotten it and to be able to share it with you.

Audit results

The audit reveals 1 (one) major issue. Specifically: as you know, SafeMars taxes each transaction and a percentage of that tax is automatically added to the liquidity pool.

Liquidity pools recap

  • anyone can add liquidity to it (in the form of a SafeMars/BNB pair of tokens)
  • when adding liquidity, you get back a “ticket” (in the form of a LP token) with which you can remove liquidity later if you want

The way the SafeMars contract works is, whenever it auto-adds liquidity, the “ticket” (LP token) goes to the SafeMars deployer (i.e. us). Certik highlights in the audit that this is a potential security risk as we could use this “ticket” to remove liquidity later.

HOWEVER, as you might remember from our countless Twitter posts, Medium articles and blockchain evidence: we used to BURN those “tickets” 🔥 i.e. we CANNOT remove liquidity. Since we didn’t have the “tickets”, liquidity was locked forever in the Pancakeswap V1 liquidity pool.

Now…we did this for a long time (months) and it was a good thing. However, at some point Pancakeswap introduced a V2, which has DIFFERENT liquidity pools. Since we had burned all our “tickets” to the V1 liquidity pool, we could not rug, but we also could not move the liquidity from V1 to V2. As a result, we advised everyone to keep trading in V1 until we could think of a solution…and we found it. Funnily enough, it has to do with why the Certik finding is actually…

…a good thing

…however, as the result of a proposal and community vote we DO NOT burn those “tickets” anymore. Instead, we use them to MOVE liquidity from V1 to V2, like so:

  1. Contract auto-adds liquidity to V1, we get the “ticket” (LP tokens) 🎫
  2. We use the “ticket” to remove the newly added liquidity from V1 (and ONLY the newly added liquidity, we CANNOT remove the old/locked one, that will stay in V1 FOREVER!)
  3. We add this liquidity to V2 💧
  4. We BURN the “ticket” (LP tokens) so that the newly added liquidity is locked forever in Pancakeswap V2 🔥

This means that all NEW liquidity that gets auto-added to V1 will get moved (manually, by us) to V2. Over time, the V2 pool should grow, hopefully matching or surpassing the V1 pool. Again, we CANNOT remove OLD V1 liquidity, only newly added liquidity.

So, it’s a good thing because we can ONLY do this as a result of getting the “ticket” from the contract. Which means that the issue Certik highlighted actually helps us in moving liquidity from Pancakeswap V1 to V2.
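
A toy model of the four-step migration above, added here as an illustration and not taken from the SafeMars contract, PancakeSwap or the Certik report: it tracks what share of each pool's reserves the LP-token holder could withdraw after every step, which is the exposure the audit finding is about. The `Pool` class, the `burn`/`deployer` labels and the sample amounts are constructed; deposits are assumed to match the pool ratio, and swaps and fees are ignored.

```python
from fractions import Fraction
BURN, DEPLOYER = "burn", "deployer"  # constructed labels, not real addresses

class Pool:
    """Toy LP-token ledger (no swaps, no fees); a model, not PancakeSwap code."""
    def __init__(self):
        self.token, self.bnb, self.total, self.lp = Fraction(0), Fraction(0), Fraction(0), {}

    def exposure(self, holder):
        """Fraction of the pool's reserves that `holder` could withdraw right now."""
        return self.lp.get(holder, Fraction(0)) / self.total if self.total else Fraction(0)

    def add(self, holder, token, bnb):
        # Deposits are assumed to match the pool ratio, so LP is minted pro rata to BNB.
        minted = self.total * bnb / self.bnb if self.total else Fraction(bnb)
        self.token, self.bnb, self.total = self.token + token, self.bnb + bnb, self.total + minted
        self.lp[holder] = self.lp.get(holder, 0) + minted
        return minted

    def _debit(self, holder, amount):
        if holder == BURN or self.lp.get(holder, 0) < amount:
            raise PermissionError(f"{holder} does not control {amount} LP tokens")
        self.lp[holder] -= amount

    def burn(self, holder, amount):
        self._debit(holder, amount)
        self.lp[BURN] = self.lp.get(BURN, 0) + amount  # still counted in total, never redeemable

    def remove(self, holder, amount):
        share = Fraction(amount) / self.total  # share of reserves these LP tokens redeem
        self._debit(holder, amount)
        out = (self.token * share, self.bnb * share)
        self.token, self.bnb, self.total = self.token - out[0], self.bnb - out[1], self.total - amount
        return out

def locked_pool(token, bnb):
    """A pool whose existing LP tokens have all been burned."""
    p = Pool()
    p.burn(DEPLOYER, p.add(DEPLOYER, token, bnb))
    return p

def migrate_once(v1, v2, token, bnb):
    """The four steps listed in the post; returns (V1, V2) deployer exposure after each."""
    snap = lambda: (v1.exposure(DEPLOYER), v2.exposure(DEPLOYER))
    minted = v1.add(DEPLOYER, token, bnb); s1 = snap()   # 1. auto-add, LP goes to deployer
    t, b = v1.remove(DEPLOYER, minted); s2 = snap()      # 2. pull only the new liquidity
    lp2 = v2.add(DEPLOYER, t, b); s3 = snap()            # 3. re-add it to V2
    v2.burn(DEPLOYER, lp2); s4 = snap()                  # 4. burn the V2 LP tokens
    return [s1, s2, s3, s4]
```

With `v1 = locked_pool(1000, 10)` and `v2 = locked_pool(100, 1)`, `migrate_once(v1, v2, 100, 1)` shows non-zero exposure only after steps 1 and 3, that is, while the LP tokens sit unburned with the deployer; a later `v1.remove(DEPLOYER, 1)` raises `PermissionError` because the old V1 LP tokens are burned.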