Chronoly

11. May, 2022

1
 Disclaimer 3
Description 5
Project Engagement 5
Logo 5
Contract Link 5
Methodology 7
Used Code from other Frameworks/Smart Contracts (direct imports) 8
Tested Contract Files 9
Source Lines 10
Risk Level 10
Capabilities 11
Inheritance Graph 12
CallGraph 13
Scope of Work/Verify Claims 14
Modi ers and public functions 20
Source Units in Scope 22
Critical issues 23
High issues 23
Medium issues 23
Low issues 23
Informational issues 24
Commented Code exist 24
Audit Comments 24
SWC Attacks 25

2
fi
Disclaimer
SolidProof.io reports are not, nor should be considered, an “endorsement”
or “disapproval” of any particular project or team. These reports are not,
nor should be considered, an indication of the economics or value of any
“product” or “asset” created by any team. SolidProof.io do not cover
testing or auditing the integration with external contract or services (such
as Unicrypt, Uniswap, PancakeSwap etc’...)

SolidProof.io Audits do not provide any warranty or guarantee

regarding the absolute bug- free nature of the technology analyzed,
nor do they provide any indication of the technology proprietors.
SolidProof Audits should not be used in any way to make decisions
around investment or involvement with any particular project. These
reports in no way provide investment advice, nor should be leveraged
as investment advice of any sort.

SolidProof.io Reports represent an extensive auditing process intending to

help our customers increase the quality of their code while reducing the
high level of risk presented by cryptographic tokens and blockchain
technology. Blockchain technology and cryptographic assets present a
high level of ongoing risk. SolidProof’s position is that each company and
individual are responsible for their own due diligence and continuous
security. SolidProof in no way claims any guarantee of security or
functionality of the technology we agree to analyze.

Version Date Description

1.0 11. May 2022 • Layout project

• Automated- /Manual-Security Testing
• Summary

3
Network
Ethereum (ERC20)

Website
https://chronoly.io/

Telegram
https://t.me/Chronolyio

Twitter
https://twitter.com/Chronolyio

Instagram
https://www.instagram.com/chronoly.io/

Discord
https://discord.gg/sNbqSRnj

4
Description
Chronoly is the world’s rst 24/7 watch investment platform that is
making it possible for anyone to fractionally invest in rare and exclusive
timepieces from renowned brands such as Rolex, Patek Philippe, Richard
Mille, Audemars Piguet and many more.

Each NFT watch that we mint is backed by the physical version of the
watch, which is fully insured and stored in one of our secure depositary
vaults. The watch NFT is then broken down into fractions making it easy
for anyone to invest in the watch from as little as $10.

Project Engagement
During the 9th of May 2022, Chronoly Team engaged Solidproof.io to
audit smart contracts that they created. The engagement was technical
in nature and focused on identifying security aws in the design and
implementation of the contracts. They provided Solidproof.io with access
to their code repository and whitepaper.

Logo

Contract Link
v1.0
• https://etherscan.io/address/
0xe23311294467654e0cab14cd32a169a41be5ca8e#code

5
fi
fl
 Vulnerability & Risk Level
Risk represents the probability that a certain source-threat will exploit
vulnerability, and the impact of that event on the organization or system.
Risk Level is computed based on CVSS version 3.0.

Level Value Vulnerability Risk (Required Action)

A vulnerability that
can disrupt the
contract functioning
Immediate action to
Critical 9 - 10 in a number of
reduce risk level.
scenarios, or creates a
risk that the contract
may be broken.

A vulnerability that
affects the desired
outcome when using Implementation of
High 7 – 8.9 a contract, or provides corrective actions as
the opportunity to soon aspossible.
use a contract in an
unintended way.

A vulnerability that
could affect the
Implementation of
desired outcome of
Medium 4 – 6.9
executing the
corrective actions in a
certain period.
contract in a speci c
scenario.

A vulnerability that
does not have a
Implementation of
signi cant impact on
certain corrective
Low 2 – 3.9 possible scenarios for
actions or accepting
the use of the
the risk.
contract and is
probably subjective.

A vulnerability that
have informational An observation that
Informational 0 – 1.9 character but is not does not determine a
effecting any of the level of risk
code.

6
fi
fi
 Auditing Strategy and Techniques
Applied
Throughout the review process, care was taken to evaluate the repository
for security-related issues, code quality, and adherence to speci cation
and best practices. To do so, reviewed line-by-line by our team of expert
pentesters and smart contract developers, documenting any issues as
there were discovered.

Methodology
The auditing process follows a routine series of steps:
1. Code review that includes the following:
i) Review of the speci cations, sources, and instructions provided to SolidProof
to make sure we understand the size, scope, and functionality of the smart
contract.
ii) Manual review of code, which is the process of reading source code line-by-
line in an attempt to identify potential vulnerabilities.
iii) Comparison to speci cation, which is the process of checking whether the
code does what the speci cations, sources, and instructions provided to
SolidProof describe.

2. Testing and automated analysis that includes the following:

i) Test coverage analysis, which is the process of determining whether the test
cases are actually covering the code and how much code is exercised when
we run those test cases.
ii) Symbolic execution, which is analysing a program to determine what inputs
causes each part of a program to execute.

3. Best practices review, which is a review of the smart contracts to improve ef ciency,
effectiveness, clarify, maintainability, security, and control based on the established
industry and academic practices, recommendations, and research.

4. Speci c, itemized, actionable recommendations to help you take steps to secure

your smart contracts.

7
fi
fi
fi
fi
fi
fi
Used Code from other Frameworks/Smart
Contracts (direct imports)
Imported packages:

8
 Tested Contract Files
This audit covered the following les listed below with a SHA-1 Hash.

A le with a different Hash has been modi ed, intentionally or otherwise,

after the security review. A different Hash could be (but not necessarily)
an indication of a changed condition or potential vulnerability that was
not within the scope of this review.

v1.0

9
fi
fi
fi
Metrics
Source Lines
v1.0

Risk Level
v1.0

10
Capabilities
Components
Version Contracts Libraries Interfaces Abstract

1.0 3 3 5 1

Exposed Functions
This section lists functions that are explicitly declared public or payable.
Please note that getter methods for public stateVars are not included.

Version Public Payable

1.0 91 5

Version External Internal Private Pure View

1.0 73 71 4 16 33

State Variables
Version Total Public

1.0 37 22

Capabilities
Has
Solidity Experim Can Uses Destroya
Version Versions ental Receive Assembl ble
observed Features Funds y Contract
s

1.0 yes
0.8.13 yes (1 asm
blocks)

Uses EC
Low- Deleg New/
Transfer Hash Rec
Version Level ateCa Create/
s ETH Function ove
Calls ll Create2
s r
11
 1.0 yes yes

Inheritance Graph
v1.0

12
CallGraph
v1.0

13
 Scope of Work/Verify Claims
The above token Team provided us with the les that needs to be tested
(Github, Bscscan, Etherscan, les, etc.). The scope of the audit is the main
contract (usual the same name as team appended with .sol).

We will verify the following claims:

1. Correct implementation of Token standard
2. Deployer cannot mint any new tokens
3. Deployer cannot burn or lock user funds
4. Deployer cannot pause the contract
5. Overall checkup (Smart Contract Security)

Correct implementation of Token standard

ERC20

Function Description Exist Tested Veri ed

TotalSupply
Provides information about the total
token supply ✓ ✓ ✓
BalanceOf
Provides account balance of the
owner's account ✓ ✓ ✓
Executes transfers of a speci ed
Transfer number of tokens to a speci ed
address
✓ ✓ ✓
Executes transfers of a speci ed
TransferFrom number of tokens from a speci ed
address
✓ ✓ ✓
Allow a spender to withdraw a set
Approve number of tokens from a speci ed
account
✓ ✓ ✓
Allowance
Returns a set number of tokens
from a spender to the owner ✓ ✓ ✓

14
fi
fi
fi
fi
fi
fi
fi
fi
Write functions of contract
v1.0

15
Deployer cannot mint any new tokens
Name Exist Tested Status

Deployer cannot mint - - -

Max / Total Supply 1000000000

16
Deployer cannot burn or lock user funds
Name Exist Tested Status

Deployer cannot lock ✓ ✓ ✘

Deployer cannot burn ✓ ✓ ✓
Comments:
v1.0
• Owner can lock user funds by
• Setting max tx amount to 0

• Tokens
• will be burned while tx

17
Deployer cannot pause the contract
Name Exist Tested Status

Deployer cannot pause - - -

18
 Overall checkup (Smart Contract Security)
Tested Veri ed

✓ ✓
Legend
Attribute Symbol

Ver ed / Checked ✓
Partly Veri ed ⚑
Unveri ed / Not checked ✘
Not available -

19
fi
fi
fi
fi
fi
 Modi ers and public functions
v1.0

Comments
• Deployer can set following state variables without any limitations
• maxTxAmount
• lotteryEligibilityLimit
• numTokensSellToAddToLiquidity
20
fi
• Deployer can enable/disable following state variables
• _isExcludedFromFee
• swapAndLiquifyEnabled

• Deployer can set following addresses

• rewardAddress
• marketingaddress

• Existing Modi ers

• onlyOwner
• lockTheSwap

• Owner has the functionality to select a winner by random for the live
lottery. Address must own more than the lottery eligibility limit which
can be set by the owner without any limitations to take a place in the
lottery. The owner can call selectWinner function anytime.

Please check if an OnlyOwner or similar restrictive modi er has been

forgotten.

21
fi
fi
Source Units in Scope
v1.0

Legend
Attribute Description

Lines total lines of the source unit

normalized lines of the source unit (e.g. normalizes functions

nLines
spanning multiple lines)

normalized source lines of code (only source-code lines; no

nSLOC
comments, no blank lines)

Comment Lines lines containing single or block comments

a custom complexity score derived from code statements that

Complexity Score are known to introduce code complexity (branches, loops, calls,
external interfaces, ...)

22
 Audit Results

AUDIT PASSED
Critical issues
No critical issues

High issues
No high issues

Medium issues
No medium issues

Low issues
Issue File Type Line Description

#1 Main Contract doesn’t - We recommend to import all

import npm packages packages from npm directly
from source (like without atten the contract.
OpenZeppelin etc.) Functions could be modi ed
or can be susceptible to
vulnerabilities

#2 Main Missing Zero Address 519, 524 Check that the address is not
Validation (missing- zero
zero-check)

#3 Main State variable visibility 438 It is best practice to set the

is not set visibility of state variables
explicitly

#4 Main State variables 462 Rename the state variables

shadowing that shadow another
component

#5 Main Missing Events 548, 553, Emit an event for critical

Arithmetic 536 parameter changes

23
fl
fi
 Informational issues
Issue File Type Line Description

#1 Main State variables that 422-432 Add the `constant`

could be declared attributes to state variables
constant (constable- that never change
states)

#2 Main Misspelling See Change following words:

description
- recieve L556
- swaping L556

Make sure to change it

everywhere else as well.

Commented Code exist

There are some instances of code being commented out in the following
les that should be removed:

File Line Comment

Main 469 //uniswapv3 router =

0xE592427A0AEce92De3Edee1F18E0157C05861564

Recommendation
Remove the commented code, or address them properly.

Audit Comments
We recommend you to use the special form of comments (NatSpec
Format, Follow link for more information https://docs.soliditylang.org/en/
v0.5.10/natspec-format.html) for your contracts to provide rich
documentation for functions, return variables and more. This helps
investors to make clear what that variables, functions etc. do.

11. May 2022:

• Read whole report for more information

24
fi
SWC Attacks
ID Title Relationships Status

SW Unencrypted CWE-767: Access to Critical

C-1 Private Data Private Variable via Public PASSED
36 On-Chain Method

SW
Code With No
C-1 CWE-1164: Irrelevant Code PASSED
Effects
35

Message call
SW
with CWE-655: Improper
C-1 PASSED
hardcoded Initialization
34
gas amount

Hash
Collisions With
SW
Multiple CWE-294: Authentication
C-1 PASSED
Variable Bypass by Capture-replay
33
Length
Arguments

SW
Unexpected
C-1 CWE-667: Improper Locking PASSED
Ether balance
32

SW Presence of
C-1 unused CWE-1164: Irrelevant Code PASSED
31 variables

Right-To-Left-
SW Override CWE-451: User Interface (UI)
C-1 control Misrepresentation of Critical PASSED
30 character Information
(U+202E)

SW
Typographical CWE-480: Use of Incorrect
C-1 PASSED
Error Operator
29

SW DoS With
CWE-400: Uncontrolled
C-1 Block Gas PASSED
Resource Consumption
28 Limit

25
 Arbitrary
SW
Jump with CWE-695: Use of Low-Level
C-1 PASSED
Function Type Functionality
27
Variable

SW Incorrect
CWE-696: Incorrect Behavior
C-1 Inheritance PASSED
Order
25 Order

Write to
SW
Arbitrary CWE-123: Write-what-where
C-1 PASSED
Storage Condition
24
Location

SW
Requirement CWE-573: Improper Following
C-1 PASSED
Violation of Speci cation by Caller
23

SW Lack of Proper CWE-345: Insuf cient

C-1 Signature Veri cation of Data PASSED
22 Veri cation Authenticity

Missing
SW Protection CWE-347: Improper
C-1 against Veri cation of Cryptographic PASSED
21 Signature Signature
Replay Attacks

Weak Sources
SW of
CWE-330: Use of Insuf ciently
C-1 Randomness PASSED
Random Values
20 from Chain
Attributes

SW
Shadowing CWE-710: Improper Adherence NOT
C-11
State Variables to Coding Standards PASSED
9

SW Incorrect
CWE-665: Improper
C-11 Constructor PASSED
Initialization
8 Name

SW CWE-347: Improper
Signature
C-11 Veri cation of Cryptographic PASSED
Malleability
7 Signature

26
fi
fi
fi
fi
fi
fi
fi
 SW CWE-829: Inclusion of
Timestamp
C-11 Functionality from Untrusted PASSED
Dependence
6 Control Sphere

SW Authorization
CWE-477: Use of Obsolete
C-11 through PASSED
Function
5 tx.origin

CWE-362: Concurrent
SW Transaction Execution using Shared
C-11 Order Resource with Improper PASSED
4 Dependence Synchronization ('Race
Condition')

SW CWE-703: Improper Check or

DoS with
C-11 Handling of Exceptional PASSED
Failed Call
3 Conditions

SW Delegatecall CWE-829: Inclusion of

C-11 to Untrusted Functionality from Untrusted PASSED
2 Callee Control Sphere

Use of
SW
Deprecated CWE-477: Use of Obsolete
C-11 PASSED
Solidity Function
1
Functions

SW
Assert CWE-670: Always-Incorrect
C-11 PASSED
Violation Control Flow Implementation
0

SW Uninitialized
CWE-824: Access of
C-1 Storage PASSED
Uninitialized Pointer
09 Pointer

SW State Variable
CWE-710: Improper Adherence NOT
C-1 Default
to Coding Standards PASSED
08 Visibility

SW CWE-841: Improper
C-1 Reentrancy Enforcement of Behavioral PASSED
07 Work ow

SW Unprotected
CWE-284: Improper Access
C-1 SELFDESTRUC PASSED
Control
06 T Instruction
27
fl
 SW Unprotected
CWE-284: Improper Access
C-1 Ether PASSED
Control
05 Withdrawal

SW Unchecked
CWE-252: Unchecked Return
C-1 Call Return PASSED
Value
04 Value

SW CWE-664: Improper Control of

Floating
C-1 a Resource Through its PASSED
Pragma
03 Lifetime

SW Outdated
CWE-937: Using Components
C-1 Compiler PASSED
with Known Vulnerabilities
02 Version

SW Integer
CWE-682: Incorrect
C-1 Over ow and PASSED
Calculation
01 Under ow

SW Function
CWE-710: Improper Adherence
C-1 Default PASSED
to Coding Standards
00 Visibility

28
fl
fl
29