Drip Network — What is hiding deeply behind the project and why all holders’ funds may be lost.
Vidma Security team researched the codebase of Drip’s project and found the “red flag”. This article will explain why the community should be alarmed.
About Drip Network
The DRIP Token was launched in April 2021. The official token of the DRIP Network is DRIP (BEP-20) which was deployed on Binance Smart Chain (0x20f663cea80face82acdfa3aae6862d246ce0333)
According to Drip’s whitepaper, this is the first-ever deflationary daily ROI platform with 1% daily return on investment.
Whitepaper — https://drip.community/docs/DRIP_LIGHTPAPER_v0.8_Lit_Version.pdf
On the website, Drip describes its project as follows:
"DRIP Network is the latest project developed by Forex_Shark, BB and team.
The official token of the DRIP Network is DRIP (BEP-20) on the Binance Smart blockchain (BSC) that captures value by being scarce, deflationary, censorship resistant, and by being built on a robust, truly decentralized blockchain.
The recommended exchange for trading DRIP is the Fountain contract which can be found directly on the platforms website under the “swap” tab, as it allows us to waive the initial 10% tax on buys and provides the lowest prices and highest liquidity, resulting in less slippage for larger trades."
Information that is missing.
Checking CoinMarketCap we noted a link to their Twitter account, website, Telegram, and the whitepaper. The description of the project is absent.
The average trading volume is $100k. Self-Reported Circulating Supply 100,000.00 DRIP and the total supply is 1,000,000. Most of the data about this project on CoinMarketCap is unverified or “self-reported”.
On the DRIP Token Network official website, you would not be able to find any information about the project team, only links to Twitter and Telegram accounts. That’s not saying that the project is untrustful, as we have plenty of cases in the crypto world where the team is anonymous. However, after finding the “red flag” described in the further sections of this article, the fact of the anonymous team should be considered as the first alarm.
Is the project audited?
After some research, Vidma team was able to find the “audit report”.
The pdf. doc is available by this link — Slither-Technical-Audit-DRIP-Network-v7.
The first thing that alarmed us is that the “audit report” was provided by Slither. And that is the second alarm. Slither is not an auditing firm, it’s a Solidity static analysis framework. This tool is used for surface analysis of the contracts for known solidity vulnerabilities and such a report cannot be considered an audit (it’s just a small part of a comprehensive audit).
Hence, the project is unaudited. Slither is a tool, not an auditor.
“Red Flag” found in the codebase
The “Slither” technical audit report impulses us to dive deeper into the codebase. And here comes the main thing. The aforementioned alarms are nothing serious compared to the “red flag” found in the codebase.
Vidma team found a fancy logic in their token contract. Function mint() allows an address which is in the whitelist to mint any amount of tokens while minting is not finished.
So, DRIP token has only two restrictions to prevent minting:
- The minter should be in the whitelist
- Minting should not be finished
Let’s check the first point. In the code snippet below you can see that the owner of the DRIP token can add any address to the whitelist and therefore allow them to mint new tokens.
By checking the owner address (0xe8e9720e39e13854657c165CF4eB10b2dfE33570) we noted that it’s EOA and on May-31–2022 this account added to whitelist new address (0xd6d9beec250645cc53c475c96e450ef3902ea9b79cf9538fab9f734243c712c0 new version of DRIP Faucet)
Let’s investigate the second restriction (the second point mentioned above). Checking the contracts on BscScan, we can state that minting currently is not finished.
Minting can be finished by the owner or when the target supply will be achieved. In this case target supply is 2²⁵⁶-1 which is way greater than the current total supply of a little over a million tokens.
Currently main pool on pancekeswap for DRIP token is DRIP/BUSD with more than 4 M BUSD inside (0xa0feB3c81A36E885B6608DF7f0ff69dB97491b58).
Here’s a link to the PancakeSwap pool — https://pancakeswap.finance/info/pool/0xa0feb3c81a36e885b6608df7f0ff69db97491b58
According to the facts explained above, we have a major concern that the owner of the contract can add himself or any other address to the whitelist and mint any desired amount of tokens. Thus, the owner would be able to withdraw 99.99% of BUSD from the PancakeSwap pool. In such a case all holders’ funds will be lost.
That’s the main “red flag” found in the codebase. On top of that, the anonymous team and the “technical audit” by Slither are adding fuel to the flames. If the codebase were under the real 3rd party auditor, such an issue found would be marked as “critical”.
By this review, we are not stating that Drip Network is a scam project. The main goal of this investigation is to highlight the potential risk of fund loss which is likely to happen based on the facts explained above. We encourage all the users to think twice before investing in projects with such a risk.