Maximus Staking
Smart Contract Audit Report
Audit Summary
Maximus is building a new staking contract for users to deposit tokens and earn yield.
For this audit, we reviewed the project team's Maximus contract at commit dda2246078ad2e104246b9aa55ccbaedbbdab203 on the team's GitHub repository.
Audit Findings
Please ensure trust in the team prior to investing.
Date: April 5th, 2022.
Updated: April 6th, 2022 to address changes made by the team.Finding #1 - Maximus - Informational (Resolved)
Description: Ownership of the contract is renounced on deployment without any prior ownership functionality.
Recommendation: We recommend removing the Ownable library as it is not utilized within the contract before or after ownership is renounced and therefore is dead code.
Resolution: The team has removed the Ownable library inheritance.Finding #2 - Maximus - Informational (Resolved)
Description: Several state variables can never be modified, but are not declared constant.Recommendation: We recommend declaring these functions external and declaring the state variable constant for additional gas savings on each call.Maximus.HEDRON_ADDRESS, Maximus.HEX_ADDRESS
Resolution: The team has declared the variables as constant.Finding #3 - Maximus - Informational (Resolved)
Description: Several functions are declared public, but are never called internally.Recommendation: We recommend declaring these functions external for additional gas savings on each call.Maximus.getMintingPhaseStartDay, Maximus.getMintingPhaseEndDay, Maximus.getStakeStartDay, Maximus.getStakeEndDayMaximus.getRedemptionRate, Maximus.getHedronRedemptionRate, Maximus.getHexDay, Maximus.getHedronDay, Maximus.getEndStaker, Maximus.pledgeHEX, Maximus.redeemHEX, Maximus.stakeHEX, Maximus.endStakeHEX, Maximus.mintHedron
Resolution: The team has declared the functions external.
Contract Overview
- This contract allows users to stake a team-designated token for a set duration of time in order to earn rewards in the form of the staking token as well as an additional reward token.
- Ownership of the contract is renounced on deployment.
- Users can deposit the specified staking token into the contract until the depositing end time is reached. Users are minted an equal amount of $MAXI and there are no fees on deposits or withdrawals.
- Any user can burn their own $MAXI tokens to reduce the total supply.
- Additionally, users can burn $MAXI tokens from other addresses up to the amount of allowance they've been granted, also reducing the total supply.
- Once the depositing end time has been reached, anyone can trigger the staking process in which the total staking token balance and predefined staking duration of the contract are passed to the staking token address's
stakeStart()
function for staking; the staking token contract is not included in the scope of this audit, so we are unable to provide an assessment of the contract with regards to security.- Users staking token rewards are based on the contract's staking token balance and the total $MAXI supply.
- Anyone may trigger the reward token harvesting process within the reward token contract using the staking index and ID from the staking token contract at any time; however, reward tokens cannot be claimed until the staking end time has been reached.
- The reward token contract is not included in the scope of this audit, so we are unable to provide an assessment of the contract with regards to security.
- Users' reward token amounts are based on the contract's total balance of the reward token and the total $MAXI supply.
- The team cannot change the staking token or reward token addresses once deployed.
- When the staking end time has been reached users may trigger the end of the staking process and withdraw their staked funds; rewards are then automatically claimed. An equal amount of the user's $MAXI is burned on withdrawals.
- The contract is Ownable, however, ownership is renounced on deployment.
- The team must exercise caution when setting the staking/reward token and must avoid using any fee-on-transfer tokens; if a fee-on-transfer token is used as the staking token then this contract should be excluded from the staking/reward token's fee mechanism.
- The contract complies with the ERC-20 standard.
- As the contract is deployed with Solidity v0.8.x, it is protected from overflow/underflow attacks.
Audit Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Jump/Storage Write | N/A | PASS |
Centralization of Control | N/A | PASS |
Compiler Issues | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Ether/Token Theft | N/A | PASS |
Flash Loans | N/A | PASS |
Front Running | N/A | PASS |
Improper Events | N/A | PASS |
Improper Authorization Scheme | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Logical Issues | N/A | PASS |
Oracle Issues | N/A | PASS |
Outdated Compiler Version | N/A | PASS |
Race Conditions | N/A | PASS |
Reentrancy | N/A | PASS |
Signature Issues | N/A | PASS |
Unbounded Loops | N/A | PASS |
Unused Code | N/A | PASS |
Overall Contract Safety | PASS |
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IERC20Metadata (IERC20)
- [Ext] name
- [Ext] symbol
- [Ext] decimals
+ Context
- [Int] _msgSender
- [Int] _msgData
+ ERC20 (Context, IERC20, IERC20Metadata)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _spendAllowance #
- [Int] _beforeTokenTransfer #
- [Int] _afterTokenTransfer #
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Int] verifyCallResult
+ [Lib] SafeERC20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ ERC20Burnable (Context, ERC20)
- [Pub] burn #
- [Pub] burnFrom #
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ HedronToken
- [Ext] approve #
- [Ext] transfer #
- [Ext] mintNative #
- [Ext] claimNative #
- [Ext] currentDay
+ HEXToken
- [Ext] currentDay
- [Ext] stakeStart #
- [Ext] approve #
- [Pub] transfer #
- [Pub] stakeEnd #
- [Ext] stakeCount
+ Maximus (ERC20, ERC20Burnable, Ownable)
- [Pub] #
- modifiers: ERC20
- [Pub] decimals
- [Pub] getMintingPhaseStartDay
- [Pub] getMintingPhaseEndDay
- [Pub] getStakeStartDay
- [Pub] getStakeEndDay
- [Pub] getRedemptionRate
- [Pub] getHedronRedemptionRate
- [Pub] getHexDay
- [Pub] getHedronDay
- [Pub] getEndStaker
- [Prv] percent
- [Prv] mint #
- [Pub] pledgeHEX #
- [Pub] redeemHEX #
- [Pub] stakeHEX #
- [Prv] _stakeHEX #
- [Prv] _endStakeHEX #
- [Pub] endStakeHEX #
- [Prv] get_redemption_rate
- [Pub] mintHedron #
- [Prv] _mintHedron #
About SourceHat
SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!
Contact us today to get a free quote for a smart contract audit of your project!
What is a SourceHat Audit?
Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.
How Do I Interpret the Findings?
Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:
- High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
- Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
- Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
- Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.