Vectous Smart Contract Audit: A Human-Centric Overview
Introduction
EtherAuthority conducted a comprehensive security audit of the Vectous Token smart contract, which is implemented in Solidity on the Binance Smart Chain (BSC) and follows the ERC-20 standard. At its core, Vectous offers token-related functions such as NewEntry, EntryAction, CollectEntryProfit, loan operations, and profit collection pathways.
Audit Approach & Methodology
EtherAuthority combined automated tools like Slither, Solhint, and Remix IDE with in-depth manual analysis to uncover both surface-level and nuanced code issues. Their layered approach ensured a robust examination of logic, control flow, and potential attack vectors.
Key Findings at a Glance
- Security Rating: “Poor Secured”
  The audit noted that the contract retains owner (admin) control, which weakens decentralization and raises the risk should the owner’s key be compromised.
- Vulnerabilities Identified:
- Critical (2):
- Faulty require statements in functions such as EntryAction, NewEntry_fromProfits, and CollectEntryProfit use assignment (=) where a comparison (==) was intended, so the checks do not enforce the intended condition.
- updateFinishedLoan and CollectEntryProfit fail because the internal functions calc_starting_section and calcMDP can produce negative values, causing “out-of-bounds” reverts.
- High (1):
- In the _newEntry function, the dev fee is subtracted twice, leading to incorrect amount calculations being passed to users.
- Low and Informational:
- Duplicated code in EntryAction branches.
- Numerous require statements lack descriptive error messages, which makes debugging harder.
- The included SafeMath library is redundant (Solidity 0.8 and later has built-in overflow and underflow checks).
- Conflicting error messages (e.g. loan return rate stated as ≥3% in messages, but logic calculates 2%).
Recommendations for Improvement
EtherAuthority provided clear remediation steps:
- Replace = with == in conditional checks.
- Correct calculation logic in updateFinishedLoan, _newEntry, and similar functions.
- Remove duplicated code, add meaningful error messages, and eliminate redundant libraries like SafeMath.
- Clarify error messages to align with actual business logic.
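To make the two critical and high findings concrete, here is an added illustration (not the Vectous contract and not EtherAuthority's code) showing the assignment-in-require pattern and the double dev-fee subtraction beside their corrected forms. The contract, function and variable names (DEV_FEE_BPS, entries, entriesOpen, _newEntryBuggy) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch of the audited patterns; names and fee value are constructed.
contract EntryFeeExample {
    uint256 public constant DEV_FEE_BPS = 500; // 5% in basis points (constructed)
    mapping(address => uint256) public entries;
    uint256 public devBalance;
    bool public entriesOpen = true;

    // Buggy shape: the fee is removed from `amount`, then removed again
    // when the net is credited, so the user receives one fee too little.
    function _newEntryBuggy(address user, uint256 amount) internal {
        uint256 fee = (amount * DEV_FEE_BPS) / 10_000;
        amount -= fee;                 // first subtraction
        devBalance += fee;
        entries[user] += amount - fee; // second subtraction of the same fee
    }

    // Corrected shape: compute the fee once and credit the net once.
    function _newEntryFixed(address user, uint256 amount) internal {
        uint256 fee = (amount * DEV_FEE_BPS) / 10_000;
        devBalance += fee;
        entries[user] += amount - fee;
    }

    // Buggy shape: `=` assigns and the expression evaluates to the assigned
    // value, so this require can never revert and also overwrites state.
    function entryActionBuggy(uint256 amount) external {
        require(entriesOpen = true); // assignment, always passes
        _newEntryBuggy(msg.sender, amount);
    }

    // Corrected shape: a real comparison plus a descriptive revert reason.
    function entryActionFixed(uint256 amount) external {
        require(entriesOpen == true, "entries are closed");
        _newEntryFixed(msg.sender, amount);
    }
}
```

With DEV_FEE_BPS at 5%, a 1000-unit entry credits 900 in the buggy path and 950 in the fixed path; Slither's assignment-in-condition and dead-code checks, which the audit's toolset includes, surface both patterns.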
They also strongly advised relinquishing owner privileges post-deployment to restore decentralization.
Conclusion
With two critical, one high, and several lesser-severity issues, EtherAuthority concluded that the smart contract is not ready for mainnet deployment. They emphasize that their audit, while thorough, does not guarantee future-proof security, and they encourage additional layers of assurance such as bug bounty programs.
Cyber defense starts here—EtherAuthority has your back. Reach us anytime at contact@etherauthority.io
Audit Report in PDF: Vectous Smart Contract Audit-Report