ELON (ELN) Token — Security Audit Report

Automated static analysis via Slither v0.11.5 (Slither is developed by Trail of Bits)

Date: May 7, 2026
Auditor: Slither v0.11.5 (Trail of Bits)
Network: Polygon Mainnet (Chain 137)
Solidity: ^0.8.20 / OpenZeppelin 5.x
Contracts Analysed: 3 (Token, Presale, Staking)

Scope

Contract | Address (Polygon) | Purpose
ElonToken.sol | 0x1C9E2222…F48c | ERC-20 token, 1B fixed supply, no mint
ElonPresale.sol | 0x1CBB0F…42aC | Presale — accepts USDT + POL via Chainlink oracle
ELNStaking.sol | Pending deployment | Staking — 20% APY, 7-day cooldown, no mint

Overall verdict: PASS

No critical or high-severity vulnerabilities found in custom contract logic.
All flagged items are either informational, false positives, or mitigated by existing guards.

Critical: 0 | High: 0 | Medium: 1 | Low: 3 | Informational: 8

Findings

M-01 · Medium

Reentrancy in buyWithPol() — State Update Order

Slither flagged a potential reentrancy: the refund call address(msg.sender).call{value: refundPol}() (line 119) occurs before _record() updates totalRaised and contributions (line 123).

Mitigation: The presale contract inherits OpenZeppelin's ReentrancyGuard and the buyWithPol() function is decorated with nonReentrant, which prevents any reentrant call from executing. Additionally, the refunded amount is strictly capped to the buyer's own over-payment — an attacker cannot use this path to drain funds.

Status: Mitigated by nonReentrant guard

L-01 · Low

Unused return values from Chainlink latestRoundData()

roundId and answeredInRound are destructured but not used for full staleness validation in one code path. The primary _polPrice() path does validate staleness (block.timestamp - upd <= ORACLE_STALENESS).

Status: Low risk — primary price path fully validated
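The following sketch is an added illustration, not code from the ELN contracts, of the two points raised in M-01 and L-01: the refund is moved after the state update (checks-effects-interactions, so correctness no longer rests on the nonReentrant guard alone), and every field returned by latestRoundData() is validated, not only updatedAt. The hard cap, the USD accounting in 6 decimals, the 8-decimal feed and the contract name are assumptions made for the example; ORACLE_STALENESS, totalRaised, contributions and buyWithPol() are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// OpenZeppelin 5.x location of ReentrancyGuard.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Minimal Chainlink feed interface, declared inline so the sketch compiles on its own.
interface IAggregatorV3 {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract PresaleSketch is ReentrancyGuard {
    uint256 public constant ORACLE_STALENESS = 300;  // 5-minute window, as in the report
    uint256 public constant HARD_CAP = 1_000_000e6;  // hypothetical cap, USD with 6 decimals
    IAggregatorV3 public immutable polUsdFeed;       // POL/USD feed, assumed 8 decimals
    uint256 public totalRaised;                      // USD, 6 decimals
    mapping(address => uint256) public contributions;

    constructor(IAggregatorV3 feed) { polUsdFeed = feed; }

    // L-01: validate every field returned by latestRoundData(), not only updatedAt.
    function _polPrice() internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            polUsdFeed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= ORACLE_STALENESS, "oracle: stale");
        require(answeredInRound >= roundId, "oracle: round not complete");
        return uint256(answer);
    }

    // M-01: checks, then effects (state update), then the external refund call last.
    function buyWithPol() external payable nonReentrant {
        require(msg.value > 0, "no POL sent");
        uint256 price = _polPrice();
        uint256 usdValue = msg.value * price / 1e20;   // 18 (wei) + 8 (feed) - 6 (USD) decimals
        uint256 accepted = usdValue;
        uint256 room = HARD_CAP - totalRaised;
        if (accepted > room) accepted = room;
        require(accepted > 0, "hard cap reached");

        totalRaised += accepted;                       // effects before any interaction
        contributions[msg.sender] += accepted;

        uint256 refundPol = msg.value - accepted * 1e20 / price;  // only the buyer's own over-payment
        if (refundPol > 0) {
            (bool ok, ) = payable(msg.sender).call{value: refundPol}("");
            require(ok, "refund failed");
        }
    }
}
```

With this ordering a re-entrant call during the refund would already see the updated totalRaised and contributions, so Slither's reentrancy-eth detector no longer has a state write after the external call to report.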

L-02 · Low

Uninitialized local variable oraclePrice in presaleInfo()

The oraclePrice variable in presaleInfo() is declared but conditionally assigned — it defaults to 0 in Solidity if the oracle is stale. This is only used for off-chain display, not for any transfer or fund calculation.

Status: Informational only — no fund risk

L-03 · Low

Block timestamp dependency

block.timestamp is used for presale end-time checks and oracle staleness. On Polygon, block timestamps can be marginally manipulated by validators (~15 seconds). The oracle staleness window is 300 seconds (5 min), so a drift of a few seconds has no practical effect on either check.

Status: Accepted risk — industry standard practice

Informational

# | Description | Verdict
I-01 | Dead code in OpenZeppelin's Context.sol (_msgData(), _contextSuffixLength()) | OZ library — acceptable
I-02 | Unused _burn() in OZ ERC20 base (burn not used in ELN by design) | By design — no burn function
I-03 | Pragma version warnings from OZ interfaces using broad >=0.4.16 | OZ library — not project code
I-04 | Inline assembly in SafeERC20 | OZ standard — audited separately
I-05 | Multiple pragma versions across OZ dependencies | OZ library — not project code
I-06 | ElonToken: _burn dead code warning | No burn function exposed — intentional
I-07 | ELNStaking: unused return value on ERC20 transfer() | Uses SafeERC20 wrapper — reverts on failure
I-08 | Reentrancy in finalize() event ordering | Event only — no state manipulation possible

Positive Security Properties

Property | Status
No mint() function — total supply permanently fixed at 1,000,000,000 ELN | ✓ Confirmed
No pause() or blacklist() function — non-custodial | ✓ Confirmed
No transfer tax — transfer() is standard ERC-20 | ✓ Confirmed
Presale contract uses nonReentrant on all fund-moving functions | ✓ Confirmed
Staking contract uses nonReentrant on all fund-moving functions | ✓ Confirmed
Staking: owner cannot withdraw staked principal | ✓ Confirmed
Presale: Chainlink oracle with 5-minute staleness check | ✓ Confirmed
All contracts use OpenZeppelin v5 as base — industry standard | ✓ Confirmed
Source code verified and public on Polygonscan | ✓ Confirmed

Methodology

This report was generated using Slither v0.11.5, the industry-standard open-source static analysis framework for Solidity developed by Trail of Bits. Slither was run with 101 detectors against all three custom contracts. OpenZeppelin v5 libraries were included as dependencies and their findings are noted as informational only, as OZ is an independently audited and battle-tested library.

This automated analysis complements but does not replace a full manual audit. A professional manual audit by SolidProof or equivalent is recommended prior to mainnet staking launch.