BuzzFun streamlines token creation and trading across Ethereum and Abstract Chain.
Its all-in-one stack comprises:
Custom deployer for ERC-20 “Beast” and “Retarded” tokens with built-in taxes, liquidity locks, and XP reward logic.
Bonding-curve AMM that sells the first 500 million tokens, migrates liquidity to Uniswap V2, then hands trading over to the pool.
Live community chat & moderation hooks to fuel post-launch engagement.
Why Did They Need an Audit?
With cubic bonding-curve maths, automated liquidity migration, and self-service token factories, a single miscalculation could trap funds or over-reward insiders. BuzzFun engaged Three Sigma for an unbiased review of price maths, migration safety, and fee-tax logic before mainnet launch.
Scope of the Engagement
Audit Date: 2025-01-20
Language: Solidity
Type: Code Audit
Results and Findings
Key Critical Issues
1 M-token granularity burns ~47 % of every fractional trade
Description: Truncation in buy() / sell() forced users to pay for tokens that were silently discarded. The curve was rewritten with an 18-decimal linear term plus a micro-cubic term, and the million-step rounding was removed.
Resolution: Bonding-curve math overhauled: a per-wei linear term and a micro-granular cubic term (1e6) replace the old million-step function; all million-token truncations were removed from buy()/sell() and ethForN().
Notable High-Severity Issues:
No refund for final buyer
Description: Over-payments above max supply were eaten by the contract. buy() now computes the exact supply cap and refunds the surplus ETH.
Resolution: solveForN() now rounds up to the exact supply cap; buy() calculates surplus ETH, adjusts fee, and refunds the excess to the purchaser atomically.
Liquidity migration DoS via pre-created pair
Description: Anyone could deploy the Uniswap pair first, causing the migration to revert and freezing funds. Pair creation was moved to the token constructor so it cannot be front-run.
Resolution: Uniswap pair is created in each token’s constructor; addLiquidity() now only adds liquidity to the pre-existing pair, eliminating the front-run revert vector.
Notable Medium-Severity Issues:
Missing slippage guards in AMM-like trades
Description: Users could be sandwiched. buy() / sell() now accept minTokens / minETH params, and helper view functions were added.
Resolution: Both buy() and sell() accept user-supplied minTokens / minETH parameters; view helpers added so front-ends can compute safe minima before submitting a transaction.
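The three buy-side fixes above (exact amounts instead of million-token rounding, a refund at the supply cap, and a minTokens bound) modelled in Python as an added example; this is not BuzzFun's or Three Sigma's code. It assumes a linear curve with constructed BASE and SLOPE values in place of the real cubic one, so it does not reproduce the ~47 % figure, and all function names are hypothetical.

```python
# Toy model, constructed for illustration: linear curve, integer wei maths.
STEP = 1_000_000      # old granularity: whole millions of tokens
CAP = 500_000_000     # tokens sold on the curve (figure from the page)
BASE = 10**9          # assumed start price, wei per token
SLOPE = 10            # assumed price increase per token sold, in wei


def cost(supply, n):
    """Wei needed for n tokens starting at `supply`: sum of BASE + SLOPE*k."""
    # n * (2*supply + n - 1) is always even, so the division is exact.
    return n * BASE + SLOPE * (n * (2 * supply + n - 1)) // 2


def solve_for_n(supply, wei):
    """Largest n with cost(supply, n) <= wei, never exceeding CAP."""
    lo, hi = 0, CAP - supply
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if cost(supply, mid) <= wei:
            lo = mid
        else:
            hi = mid - 1
    return lo


def buy_truncating(supply, wei):
    """Pre-fix model: round down to whole millions and keep all the ETH."""
    n = solve_for_n(supply, wei) // STEP * STEP
    return n, 0  # (tokens credited, wei refunded)


def buy_fixed(supply, wei, min_tokens):
    """Post-fix model: exact amount, surplus refunded, slippage bound checked."""
    n = solve_for_n(supply, wei)
    if n < min_tokens:
        raise ValueError("slippage: fewer tokens than min_tokens")
    return n, wei - cost(supply, n)


if __name__ == "__main__":
    wei = cost(0, 1_500_000)                 # enough for 1.5 M tokens
    old_n, _ = buy_truncating(0, wei)
    print("old:", old_n, "tokens, wei paid for nothing:", wei - cost(0, old_n))
    print("new:", buy_fixed(0, wei, 1_500_000))
    near_cap = CAP - 100                     # final buyer overpays by 1 ETH
    print("cap:", buy_fixed(near_cap, cost(near_cap, 100) + 10**18, 0))
```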
In conclusion
After resolving the rounding bug, refund logic, and liquidity-migration DoS, BuzzFun’s contracts uphold predictable pricing and secure fund flows from bonding-curve launch to Uniswap pool trading. Remaining low-severity nits (LP-token burn vs treasury, front-running for _swapBack, etc.) are tracked for the public release.
With these fixes in place, BuzzFun is primed to deliver a friction-free launch experience while safeguarding creators, traders, and the broader community.