# NeverSwap Security Assessment by [@fbsloXBT](https://twitter.com/fbsloXBT) --- Intro: NeverSwap seems to be a fork of Iron Finance. I am not a professional solidity auditor, this audit is for internal & educational use only, not financial advice, do your own research before investing. --- Docs: https://docs.neverswap.com/ Audited contracts (more info: https://docs.neverswap.com/smart-contract-address): --- - Ever Token (EVE): Stablecoin: https://bscscan.com/address/0x48Ea7cBabc983E4D0d67B8b2578B5eA665f40DFB - NEVER (governance): https://bscscan.com/address/0x1137D5836ef0E0ed9aCc74AeF8ffe2eAf81120b5 - NEVER-BUSD (LPs Token): https://bscscan.com/address/0x5f33ca991dd2362c8187bb71be089b51a7d5414a --- - Farm: https://bscscan.com/address/0x8fb60dd3557c491e04d00a06fdc0618423a3c618 - Timelock: https://bscscan.com/address/0x2e2cb8e50e488ab0695ac1da7c5ec00fb78ea578 - EVE minting: https://bscscan.com/address/0x761B25bC068a047A4A53eB9A12D89519da42aaE0 - Router: https://bscscan.com/address/0x29A3Ea9fE2fc3CF8fd27d42dE4d12f022a25B326 - Factory: https://bscscan.com/address/0x6D29AE56e3dCe38531C100b3A5E7ff61ca30A534 - Collateral oracle: https://bscscan.com/address/0xcBb98864Ef56E9042e7d2efef76141f15731B82f - Price oracle: https://bscscan.com/address/0x442c19cE325025DceDe70bF894cf2C8aC3726fAC --- EVE token: Standard Open-Zeppelin burnable, ownable, and mintable ERC20 contract. The owner is https://bscscan.com/address/0x761b25bc068a047a4a53eb9a12d89519da42aae0 (EVE minting contract), it can mint new tokens. ✅ No vulnerabilities found --- NEVER token: Non-standard ERC20, it has possible anti-whale limits on transactions, the owner can set max transfer amount, with minimum 0.1 NEVER per tx. Whitelisted addresses are excluded. Owner is another contract https://bscscan.com/address/0x8fb60dd3557c491e04d00a06fdc0618423a3c618 (farm contract), owner of which is Timelock (only 12h delay). ✅ No vulnerabilities found --- NEVER-BUSD LP token: Fork of Uniswap LP tokens, looks safe. ✅ No vulnerabilities found --- Farm: Standard yield farming contract (Sushi, Pancakeswap...), no migrator functions, the owner is timelock. It's minting ~0.15 NEVER/block.\ ✅ No vulnerabilities found --- Timelock: Standart timelock, 12h (43200 seconds) delay. Minimum delay is 12h, maximum is 30 days. ✅ No vulnerabilities found --- EVE minting: Oracle is required to get price of BUSD, it's powered by Chainlink. Owner can pause redeeming and minting! Maximum minting and redemption fee is 1%. If share price (NEVER) or stablecoin price ever reaches 0, redemption won't be possible ⚠ Possible issues found --- Router: Fork of Uniswap v2 router. ✅ No vulnerabilities found --- Factory: Fork of Uniswap v2 factory. ✅ No vulnerabilities found --- Collateral oracle: Used to get BUSD price, contract deployed over 130 days ago. Looks like it's Chainlink oracle: https://data.chain.link/bsc/mainnet/crypto-usd/busd-usd ✅ No vulnerabilities found --- Price oracle: Used to get NEVER price. Fork of Uniswap Oracle. ✅ No vulnerabilities found --- ## Summary: Critical issues found: 0 Medium issues found: 1 Price oracle is set to 30 seconds, which reduces the chance of similar collapse. For more info, read: https://nullscientist.medium.com/iron-finance-debacle-was-it-really-a-bank-run-no-dcf95dfcacdf Even if NEVER drops to 0, LP providers in EVE-stablecoin pairs only lose 10.55% of their deposit, since it's 80% backed by BUSD.  ^{Source: https://decentyields.com/impermanent-loss-calculator}