Methodology
DISCLAIMER // NFA // DYOR
This analysis is based on verified source code retrieved from Etherscan and observations of the contract behavior. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.
⊙ generated by robots | curated by humans
| METADATA | |
|---|---|
| Contract Address | 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 (etherscan) |
| Network | Ethereum Mainnet |
| Analysis Date | 2025-12-13 |
Overview
This analysis was conducted through a systematic review of the verified source code on Etherscan, combined with on-chain verification of contract state and deployment parameters.
Thought Process
%%{init: {'theme': 'base'}}%%
mindmap
  root((XCL Token))
    Discovery
      Verified source
      ERC20 + Ownable
      No proxy
    Analysis
      Functions
      Storage
      Access control
    Assessment
      Centralization
      Trust assumptions
      Risk factors
What This Analysis Includes
- ☑ Function-by-function code breakdown
- ☑ Storage layout and state variable analysis
- ☑ Access control and permission mapping
- ☑ Economic model and tokenomics
- ☑ Trust assumptions and risk categorization
What This Analysis Does NOT Include
- ☒ Formal verification or mathematical proofs
- ☒ Professional security audit
- ☒ Economic modeling or market analysis
- ☒ Team background checks
- ☒ Legal or regulatory compliance review
Verification Guide
External Resources
| RESOURCE | NOTES |
|---|---|
| Etherscan Contract Page | Verified source code and transaction history |
| OpenZeppelin Documentation | ERC20 and Ownable reference implementations |
| Foundry Documentation | Cast commands used for on-chain verification |
Command-line Tools
Tip
The commands below use cast from the Foundry Toolkit. To run them, you must set the RPC URL environment variable:
Verify Contract Exists
Confirm the contract is deployed and get basic information.
# GET CONTRACT BYTECODE SIZE
cast codesize 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515
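# GET CONTRACT AGE (DEPLOYMENT TIMESTAMP)
# cast age takes a block number or tag, not an address; pass the block of the
# contract creation transaction shown on Etherscan
cast age <DEPLOYMENT_BLOCK>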
Verify Token Information
Confirm token metadata matches expected values.
# CHECK TOKEN NAME
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "name()(string)"
# Expected: "Xcellar"
# CHECK TOKEN SYMBOL
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "symbol()(string)"
# Expected: "XCL"
# CHECK DECIMALS
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "decimals()(uint8)"
# Expected: 18
Verify Supply Information
Confirm supply values and any burn activity.
# CHECK TOTAL SUPPLY (IMMUTABLE - ORIGINAL)
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "TOTAL_SUPPLY()(uint256)"
# CHECK CURRENT CIRCULATING SUPPLY
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "totalSupply()(uint256)"
# May be less than TOTAL_SUPPLY if burns occurred
Verify Ownership & Distribution
Confirm ownership status and initial distribution parameters.
# CHECK CURRENT OWNER
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "owner()(address)"
# Returns owner address (or 0x0 if renounced)
# CHECK PRESALE WALLET
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "presaleWallet()(address)"
# CHECK PRESALE ALLOCATION
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "presaleAllocation()(uint256)"
Check Balances
Query token balances for specific addresses.
# CHECK BALANCE OF AN ADDRESS
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "balanceOf(address)(uint256)" <ADDRESS>
Verify No Mint Function
Confirm the contract has no minting capability.
# ATTEMPT TO CALL MINT (SHOULD FAIL - FUNCTION DOESN'T EXIST)
cast call 0xCa5E50710F656F2e537cE2Fc8504dB6E24eD3515 "mint(address,uint256)" 0x0000000000000000000000000000000000000000 1
# Expected: error (the call reverts because the function doesn't exist)
Red Flags to Look For
When verifying, watch for these warning signs:
| FLAG | WHAT TO CHECK |
|---|---|
| ☒ | Contract Not Verified - source code should be verified on Etherscan |
| ☒ | Code Doesn't Match - verified code should match our analysis |
| ☒ | Hidden Functions - no undocumented functions should exist |
| ☒ | Proxy Pattern - contract should be standalone (no proxy) |
| ☒ | Owner is EOA - check if owner is a single address vs multisig |
| ☒ | Mint Function Exists - should NOT exist based on our analysis |
| ☒ | Pause Function Exists - should NOT exist based on our analysis |
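A reverted `cast call` cannot distinguish "no such function" from "function exists but rejected this caller", so the mint and pause checks above are stronger when run against the deployed bytecode itself. The sketch below is an added example, not code from the analysed contract or from Foundry: it walks runtime bytecode (as returned by `cast code <address>`) and reports whether the selectors for `mint(address,uint256)`, `pause()` or `unpause()` are pushed anywhere. The function names and the sample bytecode strings are constructed for illustration.

```python
# Added example. Selectors are the first 4 bytes of keccak256(signature).
FLAGGED = {
    "40c10f19": "mint(address,uint256)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
}
PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F


def push4_immediates(runtime_hex):
    """Walk the bytecode opcode by opcode and collect every PUSH4 operand."""
    h = runtime_hex.strip()
    code = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    found, pc = set(), 0
    while pc < len(code):
        op = code[pc]
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        operand = code[pc + 1 : pc + 1 + width]
        if op == PUSH4 and len(operand) == 4:
            found.add(operand.hex())
        pc += 1 + width  # skip operand bytes so push data is never decoded as opcodes
    return found


def flagged_functions(runtime_hex):
    """Return flagged signatures whose selector the bytecode pushes."""
    present = push4_immediates(runtime_hex)
    return sorted(sig for sel, sig in FLAGGED.items() if sel in present)


# Constructed samples (not the XCL bytecode): PUSH4 <selector> EQ fragments.
# SAMPLE_CLEAN also carries the bytes 63 40c10f19 inside PUSH32 data, which a
# plain substring search would misread as a mint() dispatcher entry.
SAMPLE_CLEAN = "63a9059cbb14" "6370a0823114" "7f" "6340c10f19" + "00" * 27
SAMPLE_MINTABLE = "63a9059cbb14" "6340c10f1914" "638456cb5914"

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("mintable", SAMPLE_MINTABLE)):
        print(name, flagged_functions(sample) or "no flagged selectors")
```

An empty result only rules out the listed signatures; a supply-increasing function under a different name has a different selector, so compare the full set from `push4_immediates` against the ABI published on Etherscan.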
Green Flags to Look For
| FLAG | WHAT TO CHECK |
|---|---|
| ☑ | Verified Source Code - available and readable on Etherscan |
| ☑ | Code Matches Analysis - our description matches the code |
| ☑ | OpenZeppelin Usage - using standard, audited libraries |
| ☑ | Simple Logic - clean, understandable code |
| ☑ | Ownership Renounced - if owner is 0x0, fully decentralized |
| ☑ | Reasonable Distribution - tokens spread among multiple holders |
| ☑ | Active Trading - presence on DEXs with liquidity |