Name: Coast Stable Coin
Ticker Symbol: CST
Network: PulseChain
Contract Address: 0x600136dA8cc6D1Ea07449514604dc4ab7098dB82
Purpose: The Coast Stablecoin $CST is a 1-to-1 USD-backed PRC-20 token issued exclusively on #PulseChain. $1CST is always redeemable for $1USD in fiat after completing KYC.
Project URL: https://0xcoast.com
Project social media: Twitter, Telegram, Youtube, Instagram
Contract Source Code: Link
Audit(s): NIL

REVIEWED BY: Elmyre

Preface:

This is a complete review of the CST smart contract project based on the available code in https://bafybeicb2hlad6zs4kc4yvn5xbbzti6krjtpoxrysg42d4e5s5oubbipum.ipfs.dweb.link/#/address/0x600136dA8cc6D1Ea07449514604dc4ab7098dB82?tab=contract

This smart contract is for a Backed Stable Coin so “admin keys” are expected. Like most useful smart contracts, the code is complex, so I would advise anyone that is reading this document to also look at other reviews and analysis of this contract! Some issues or security concerns might not be covered here due to my lack of knowledge and understanding of the contract so getting a second opinion is a good thing to keep in mind! This review is based on the deployed version of the code.

 

Code Review:

The Coast.sol smart contract inherits from two OpenZeppelin contracts:

  • ERC20.sol (@openzeppelin/contracts/token/ERC20/ERC20.sol).
  • ERC20Burnable.sol (@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol).

These are widely used for creating ERC-20 tokens. They provide basic token functionality and the ability to burn tokens.

The contract defines multiple variables and functions that allow tokens to be minted, claimed, and managed. It also holds two addresses (named Mom and Stacy) with admin privileges over the contract.

The constructor initializes the contract with the name “Coast” and symbol “CST”. It sets the Mom address to the contract deployer (with “msg.sender”) and the Stacy address to a specific hard-coded address (0x92A0f014B17ae32Ea3672F2823b2f21a92b81Ea6).

 

  • State Variables:
    • COAST: A public address variable that is set to the address of the contract itself with “address(this)”.
    • Mom: Internal address with the most admin privileges.
    • Stacy: Internal address with some admin privileges.
    • claiming: Internal Boolean that controls whether claiming is allowed. Set as “true” by default.
    • currentVersion: Tracks the version of the claiming system.
    • unclaimed: Internal variable to keep track of the unclaimed $CST token amount.
    • available: Internal variable to keep track of the amount of CST tokens minted to the contract (COAST) which users can claim.
  • Mappings:
    • claimCoast: Internal mapping that keeps track of how many CST tokens a user (address) can claim at any given time based on the current claiming system version (“claimCoast[currentVersion][userAddress]” = amount of CST the user can claim).
  • Modifiers:
    • mom_function: Verifies that the function caller is the Mom address, throwing an error if that is not the case.
    • stacy_function: Verifies that the function caller is either the Mom or the Stacy address, throwing an error if that is not the case.
    • claiming_on: Verifies that claiming is currently turned on, based on the value of the claiming state variable. If it isn’t, an error is thrown.

Note: A modifier is defined using the modifier keyword, followed by the modifier’s name, and then a code block. This code block typically contains conditions or checks that need to be satisfied for the function to execute. If the conditions are met, the function will execute normally; otherwise, it will revert with an error before the function’s body is executed.

 

  • Public Functions:
    • Publicly Callable:
      • momFunction: View function that returns the current address for Mom.
      • stacyFunction: View function that returns the current address for
      • decimals: Pure function that returns the number of decimal places for the CST token. It overrides the defined value for ERC20 tokens by setting it to 6.
      • claimable: View function that returns the amount of tokens the caller address (sender) can claim from the COAST contract. This function can only be called if claiming is enabled (the claiming variable is set as “true”).
      • claim: Function that allows users to claim their CST tokens. It succeeds when claiming is on and the caller has tokens to claim. It transfers tokens from the contract to the caller address (sender), sets the remaining claimable amount for that address to zero, and updates the available and unclaimed state variables to account for the change.
  • Mom and Stacy Functions (restricted by the stacy_function modifier):
    • claimableIncrease: Increases the amount of CST tokens a given address (_claimer) can claim by a specified amount, updating the necessary state variables and mappings. It requires enough minted CST tokens to already exist to do it.
    • claimableDecrease: Decreases the amount of CST tokens a given address (_claimer) can claim by a specified amount, updating the necessary state variables and mappings. If the user has fewer claimable tokens than the specified amount, the function simply sets the claimable amount to zero.
    • claimableZero: Sets the amount of CST tokens a given address (_claimer) can claim to zero, updating the necessary state variables and mappings.
  • Mom Functions (restricted by the mom_function modifier):
    • claimingFunction: View function that returns the current value for the claiming state variable.
    • currentVersionFunction: View function that returns the current value for the currentVersion state variable.
    • unclaimedFunction: View function that returns the current value for the unclaimed state variable.
    • availableFunction: View function that returns the current value for the available state variable.
    • claimCoastFunction: View function that returns the amount of tokens a specific address (the _claimer) can claim from the COAST contract. This function can only be called if claiming is enabled (the claiming variable is set as “true”).
    • toggleClaiming: Function used to enable or disable the contract’s claiming functionality.
    • newVersion: Function used to update the current claiming system version (increases it by one) and set the unclaimed state variable to zero.
    • newStacy: Function to replace the Stacy address with a new one.
    • newMom: Function to replace the Mom address with a new one.
    • mintCoast: Function that mints a given amount of CST tokens (_mint(COAST, _amount)), updating the available state variable in the process.

Conclusion & Security Concerns:

 

The contract has owner-only functions (Mom) and functions for a secondary address (Stacy). Calls to these functions should be carefully monitored, as they can significantly impact the contract’s behaviour. Any compromise of these addresses could potentially harm the contract and the underlying ecosystem. Mom can also replace either address with a new one, which, if it is ever the case, should be done carefully.

 

The contract’s claiming system allows users to claim tokens based on their claimable balance. However, this mechanism relies heavily on trust in the Mom address and the minting it performs, since Mom is the only address allowed to mint and can do so indefinitely.

 

The claiming version is used as a key in the claimCoast mapping, which means that, if the version is ever changed by mistake, users will not be able to claim any more tokens, because their claimable values under the new version will be zero. The Mom address would have to manually sort everything out, hopefully in a correct manner. This “feature” would be useful if the goal is to prevent users from claiming any more CST tokens from the contract once a new contract has been created to replace it and its data has been migrated.
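The version-bump behaviour described above can be traced with a small Python model of the claim bookkeeping. This is an added example built from this review's description, not the deployed Solidity: the snake_case names mirror the state variables and functions listed earlier, while the starting version of 0, the backing check in claimable_increase and the sample amounts are assumptions.

```python
# Added model of the claim accounting as this review describes it (not contract code).
from collections import defaultdict

class CoastClaimModel:
    """Claim bookkeeping only; token balances and the Mom/Stacy checks are omitted."""
    def __init__(self):
        self.current_version = 0   # assumed starting value
        self.available = 0         # CST minted to the contract, not yet claimed
        self.unclaimed = 0         # CST promised to claimers in the current version
        # version -> address -> claimable amount
        self.claim_coast = defaultdict(lambda: defaultdict(int))

    def mint_coast(self, amount):
        self.available += amount

    def claimable_increase(self, claimer, amount):
        # Assumption: "enough minted CST" means available - unclaimed >= amount.
        if self.available - self.unclaimed < amount:
            raise ValueError("not enough minted CST to back the claim")
        self.claim_coast[self.current_version][claimer] += amount
        self.unclaimed += amount

    def claimable(self, claimer):
        return self.claim_coast[self.current_version][claimer]

    def claim(self, claimer):
        amount = self.claimable(claimer)
        if amount == 0:
            raise ValueError("nothing to claim")
        self.claim_coast[self.current_version][claimer] = 0
        self.available -= amount
        self.unclaimed -= amount
        return amount

    def new_version(self):
        # Old entries stay in storage but are no longer read by claimable/claim.
        self.current_version += 1
        self.unclaimed = 0

def version_bump_scenario():
    """Constructed sample: 1,000 CST minted, 600 promised to 'alice', then a bump."""
    m = CoastClaimModel()
    m.mint_coast(1_000)
    m.claimable_increase("alice", 600)
    before = m.claimable("alice")
    m.new_version()
    return {
        "before": before,
        "after": m.claimable("alice"),
        "stranded": m.claim_coast[m.current_version - 1]["alice"],
        "unallocated": m.available - m.unclaimed,
    }
```

In this model the 600 CST promised before the bump stays recorded under the old version, while all 1,000 minted CST count as unallocated again, so restoring the claim depends entirely on the admin re-entering it.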

 

No bugs or other risks were found other than the previously mentioned concerns and the code looks to be functioning as intended.
