Taksh - Smart Contract Audit Report
Taksh is releasing a new smart contract that facilitates a decentralized lottery for users who contribute DAI with contribution rewards being distributed as TAKSH tokens. A randomly selected winner receives all interest accumulated and users are still able to withdraw their original deposited amount.
Notes on Lottery contract:
Audit Findings Summary:
- Any address is able to deposit DAI into the contract for a chance to win the lottery as long as the lottery is in Open status.
- Those who have deposited DAI are able to withdraw the same amount that was deposited at anytime, as long as the winner is not being determined.
- A user is removed from the lottery when they withdraw all of their DAI from the contract.
- Users will have to manually withdraw any deposited DAI. It is not automatically returned when a winner is selected.
- There are no fees when depositing or withdrawing from the contract.
- There is no minimum amount of DAI required to deposit.
- The amount of DAI a user deposits does not affect their odds of winning.
- A user can deposit multiple times from different addresses to gain more entries in the pool and increase their odds of winning.
- All deposited DAI is transferred from the contract to an Aave lending pool.
- The DAI will earn interest over time in the lending pool. The accumulated interest is awarded to the winner when the lottery is ended.
- Chainlink is used to generate random data securely from off-chain to select lottery winners. This is the industry standard and is resistant to manipulation.
- LINK tokens must be supplied to the contract in order to generate the random data.
- Users earn rewards in TAKSH tokens based on the time they have contributed DAI to the lending pool.
- Users who contribute more DAI will earn more rewards.
- The rewards are given at an emission rate which is set by the owner.
- Rewards are distributed when users deposit or withdraw.
- In the fulfillRandomness function the randomness parameter is shadowed by the randomness state variable; we recommend renaming the state variable to resolve this.
- The "startTimestamp" variable is not used and could be removed.
- The owner is able to start the lottery at any time.
- The owner is able to end the lottery at any time.
- The owner is able to withdraw any residual DAI left in the contract at any time. DAI is not held in the contract so this is only accounting for rounding errors.
- The owner is able to change the emission rate of TAKSH rewards at any time.
- No external threats were identified.
- Ensure trust team in the team as they have notable control in the ecosystem.
- Date: October 8th, 2021
|Arbitrary Storage Write||N/A||PASS|
|Delegate Call to Untrusted Contract||N/A||PASS|
|Dependence on Predictable Variables||N/A||PASS|
|State Change External Calls||N/A||PASS|
|User Supplied Assertion||N/A||PASS|
|Critical Solidity Compiler||N/A||PASS|
|Overall Contract Safety||PASS|
($) = payable function # = non-constant function + [Lib] SafeMathChainlink - [Int] add - [Int] sub - [Int] mul - [Int] div - [Int] mod + [Int] LinkTokenInterface - [Ext] allowance - [Ext] approve # - [Ext] balanceOf - [Ext] decimals - [Ext] decreaseApproval # - [Ext] increaseApproval # - [Ext] name - [Ext] symbol - [Ext] totalSupply - [Ext] transfer # - [Ext] transferAndCall # - [Ext] transferFrom # + VRFRequestIDBase - [Int] makeVRFInputSeed - [Int] makeRequestId + VRFConsumerBase (VRFRequestIDBase) - [Int] fulfillRandomness # - [Int] requestRandomness # - [Pub]
# - [Ext] rawFulfillRandomness # + Context - [Int] # - [Int] _msgSender - [Int] _msgData + Ownable (Context) - [Int] # - [Pub] owner - [Pub] renounceOwnership # - modifiers: onlyOwner - [Pub] transferOwnership # - modifiers: onlyOwner + [Int] IERC20 - [Ext] totalSupply - [Ext] balanceOf - [Ext] transfer # - [Ext] allowance - [Ext] approve # - [Ext] transferFrom # + [Lib] SafeMath - [Int] add - [Int] sub - [Int] sub - [Int] mul - [Int] div - [Int] div - [Int] mod - [Int] mod + [Lib] Address - [Int] isContract - [Int] sendValue # + ERC20 (Context, IERC20) - [Pub] # - [Pub] name - [Pub] symbol - [Pub] decimals - [Pub] totalSupply - [Pub] balanceOf - [Pub] transfer # - [Pub] allowance - [Pub] approve # - [Pub] transferFrom # - [Pub] increaseAllowance # - [Pub] decreaseAllowance # - [Int] _transfer # - [Int] _mint # - [Int] _burn # - [Int] _approve # - [Int] _setupDecimals # - [Int] _beforeTokenTransfer # + [Lib] SafeERC20 - [Int] safeTransfer # - [Int] safeTransferFrom # - [Int] safeApprove # - [Int] safeIncreaseAllowance # - [Int] safeDecreaseAllowance # - [Prv] _callOptionalReturn # + [Int] ILendingPoolAddressesProvider - [Ext] getMarketId - [Ext] setMarketId # - [Ext] setAddress # - [Ext] setAddressAsProxy # - [Ext] getAddress - [Ext] getLendingPool - [Ext] setLendingPoolImpl # - [Ext] getLendingPoolConfigurator - [Ext] setLendingPoolConfiguratorImpl # - [Ext] getLendingPoolCollateralManager - [Ext] setLendingPoolCollateralManager # - [Ext] getPoolAdmin - [Ext] setPoolAdmin # - [Ext] getEmergencyAdmin - [Ext] setEmergencyAdmin # - [Ext] getPriceOracle - [Ext] setPriceOracle # - [Ext] getLendingRateOracle - [Ext] setLendingRateOracle # + [Lib] DataTypes + [Int] ILendingPool - [Ext] deposit # - [Ext] withdraw # - [Ext] borrow # - [Ext] repay # - [Ext] swapBorrowRateMode # - [Ext] rebalanceStableBorrowRate # - [Ext] setUserUseReserveAsCollateral # - [Ext] liquidationCall # - [Ext] flashLoan # - [Ext] getUserAccountData - [Ext] initReserve # - [Ext] setReserveInterestRateStrategyAddress # - [Ext] setConfiguration # - [Ext] getConfiguration - [Ext] getUserConfiguration - [Ext] getReserveNormalizedIncome - [Ext] getReserveNormalizedVariableDebt - [Ext] getReserveData - [Ext] finalizeTransfer # - [Ext] getReservesList - [Ext] getAddressesProvider - [Ext] setPause # - [Ext] paused + Lottery (VRFConsumerBase, Ownable) - [Pub] # - modifiers: VRFConsumerBase - [Ext] deposit # - [Ext] withdraw # - [Ext] startLottery # - modifiers: onlyOwner - [Ext] endLottery # - modifiers: onlyOwner - [Prv] pickWinner # - [Int] depositToAAVE # - [Ext] withdrawDust # - modifiers: onlyOwner - [Int] fulfillRandomness # - [Pub] interestEarned - [Ext] updateEmissionRate # - modifiers: onlyOwner - [Pub] getMultiplier - [Pub] updatePool # - [Ext] pendingTaksh - [Int] safeTakshTransfer #