AMT Vault

Smart Contract Audit Report

Audit Summary

AMT is building a new platform where users can stake AMT tokens and earn rewards.

For this audit, we reviewed the vault contract provided to us by the project team.

We previously reviewed the project team's AMT platform, which includes the AMT token contract and the Master contract, here.

Audit Findings

All findings have been resolved.
Date: October 28th, 2022.
Updated: November 23rd, 2022 to reflect updates made to the contract by the project team.

Finding #1 - vault - High (Resolved)

Description: In the stake() function, the newShares calculation will always cause the transaction to revert as the totalShares divisor is set to zero on deployment and cannot be updated.

function stake(uint256 amount) public{
...
uint256 newShares = (amount * totalAmt)/totalShares;
totalShares = totalShares + newShares;
...
}

Risk/Impact: All staking transactions will revert due to a divide-by-zero error.
Recommendation: The team should add an if-statement to the stake() function that sets newShares to the amount being staked when totalShares is equal to zero as follows:

if(totalShares == 0){
   newShares = amount;   
}
else{
   newShares = (amount * totalAmt)/totalShares;

Resolution: The team has implemented the above recommendation.

---

Finding #2 - vault - High (Resolved)

Description: The convertToAmt() function calculates amountAMT using the returned getAmountsOut() value. This return value can be manipulated through the use of a flash loan.

function convertToAmt() private {
   uint256[] memory amountAMT;
   uint256 amountBtcb = btcb.balanceOf(address(this));
   amountAMT = router.getAmountsOut(amountBtcb, path);

   router.swapExactTokensForTokens(amountBtcb,
         amountAMT[1]*99/100,
         path,
         address(this),
         block.timestamp + 600
   );
}

Risk/Impact: Users can leverage a flash loan to manipulate the AMT price in order to drain the liquidity pool of BTCB. Also, as a result of a flash loan, the contract will receive fewer AMT tokens than expected when performing a swap.
Exploit scenario:

1. User A borrows BTCB via a flash loan.
2. User A sells BTCB to the liquidity pool and extracts AMT tokens.
3. User A calls the chargeAll() function which subsequently calls the convertToAmt() function.
4. User A sells AMT back to the liquidity pool and receives BTCB in return.
5. User A returns the flash loan and profits off of the remaining BTCB.

Recommendation: The team should implement a Time Weighted Average Price Oracle (TWAP) or use Chainlink to properly configure the minimum amount value to mitigate the potential price manipulation.
Resolution: The team implemented a Time Weighted Average Price Oracle.

Contract Overview

• Any user can specify an amount of AMT tokens to stake into this contract.
• A number of shares are allocated to the user based on their staked amount and the AMT balance of this contract to the total number of staked shares by all users.
• A sync will occur on all stakes and withdrawals when the last logged Snap ID in this contract is behind the current snap ID of the AMT contract.
• During a sync, the charge functionality in the Master contract is triggered for each snap ID.
• This contract will receive an amount of BTCB based on the proportion of the tokens allocated to the charge fund and this contract's AMT balance at the time of the snapshot to the difference between the total supply of AMT and the liquidity pool's AMT balance.
• The contract's full BTCB balance is then swapped for AMT tokens.
• Any user that has staked tokens can initiate a withdrawal at any time.
• On withdrawals, the user is sent a number of AMT tokens based on their staked amount and the AMT balance of this contract to the total number of staked shares by all users.
• Any user can manually sync the contract at any time.
• As the contract is implemented with Solidity v0.8.0, it is safe from any possible overflows/underflows.

Audit Results

Inheritance Chart

Function Graph

Functions Overview

 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IERC20Metadata (IERC20)
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  ERC20 (Context, IERC20, IERC20Metadata)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _spendAllowance #
    - [Int] _beforeTokenTransfer #
    - [Int] _afterTokenTransfer #

 + [Lib] Math 
    - [Int] max
    - [Int] min
    - [Int] average
    - [Int] ceilDiv
    - [Int] mulDiv
    - [Int] mulDiv
    - [Int] sqrt
    - [Int] sqrt

 + [Lib] Arrays 
    - [Int] findUpperBound

 + [Lib] Counters 
    - [Int] current
    - [Int] increment #
    - [Int] decrement #
    - [Int] reset #

 +  ERC20Snapshot (ERC20)
    - [Int] _snapshot #
    - [Int] _getCurrentSnapshotId
    - [Pub] balanceOfAt
    - [Pub] totalSupplyAt
    - [Int] _beforeTokenTransfer #
    - [Prv] _valueAt
    - [Prv] _updateAccountSnapshot #
    - [Prv] _updateTotalSupplySnapshot #
    - [Prv] _updateSnapshot #
    - [Prv] _lastSnapshotId

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Int] _checkOwner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 +  AMT (ERC20Snapshot, Ownable)
    - [Pub]  #
       - modifiers: ERC20
    - [Pub] mint #
       - modifiers: onlyOwner
    - [Pub] snapshot #
       - modifiers: onlyOwner
    - [Pub] getCurrentSnapshotId
    - [Pub] burn #
    - [Pub] burnFrom #

 + [Int] IUniswapV2Router01 
    - [Ext] factory
    - [Ext] WETH
    - [Ext] addLiquidity #
    - [Ext] addLiquidityETH ($)
    - [Ext] removeLiquidity #
    - [Ext] removeLiquidityETH #
    - [Ext] removeLiquidityWithPermit #
    - [Ext] removeLiquidityETHWithPermit #
    - [Ext] swapExactTokensForTokens #
    - [Ext] swapTokensForExactTokens #
    - [Ext] swapExactETHForTokens ($)
    - [Ext] swapTokensForExactETH #
    - [Ext] swapExactTokensForETH #
    - [Ext] swapETHForExactTokens ($)
    - [Ext] quote
    - [Ext] getAmountOut
    - [Ext] getAmountIn
    - [Ext] getAmountsOut
    - [Ext] getAmountsIn

 + [Int] IUniswapV2Router02 (IUniswapV2Router01)
    - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
    - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
    - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
    - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

 + [Int] IUniswapV2Factory 
    - [Ext] feeTo
    - [Ext] feeToSetter
    - [Ext] getPair
    - [Ext] allPairs
    - [Ext] allPairsLength
    - [Ext] createPair #
    - [Ext] setFeeTo #
    - [Ext] setFeeToSetter #

 + [Int] IUniswapV2Pair 
    - [Ext] name
    - [Ext] symbol
    - [Ext] decimals
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transfer #
    - [Ext] transferFrom #
    - [Ext] DOMAIN_SEPARATOR
    - [Ext] PERMIT_TYPEHASH
    - [Ext] nonces
    - [Ext] permit #
    - [Ext] MINIMUM_LIQUIDITY
    - [Ext] factory
    - [Ext] token0
    - [Ext] token1
    - [Ext] getReserves
    - [Ext] price0CumulativeLast
    - [Ext] price1CumulativeLast
    - [Ext] kLast
    - [Ext] mint #
    - [Ext] burn #
    - [Ext] swap #
    - [Ext] skim #
    - [Ext] sync #
    - [Ext] initialize #

 +  LIQUIDITYAMT (ERC20Snapshot, Ownable)
    - [Pub]  #
       - modifiers: ERC20
    - [Pub] mint #
       - modifiers: onlyOwner
    - [Pub] snapshot #
       - modifiers: onlyOwner
    - [Pub] getCurrentSnapshotId
    - [Pub] burn #
    - [Pub] burnFrom #

 + [Int] IERC20Permit 
    - [Ext] permit #
    - [Ext] nonces
    - [Ext] DOMAIN_SEPARATOR

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Int] functionDelegateCall #
    - [Int] functionDelegateCall #
    - [Int] verifyCallResultFromTarget
    - [Int] verifyCallResult
    - [Prv] _revert

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Int] safePermit #
    - [Prv] _callOptionalReturn #

 +  TokenTimelock 
    - [Pub]  #
    - [Pub] token
    - [Pub] beneficiary
    - [Pub] releaseTime
    - [Pub] release #

 +  liqLocker (TokenTimelock)
    - [Pub]  #
       - modifiers: TokenTimelock
    - [Pub] charge #
    - [Pub] release #

 +  Master (Ownable)
    - [Pub]  #
    - [Pub] extendApprove #
       - modifiers: onlyOwner
    - [Pub] setPayerWallet #
       - modifiers: onlyOwner
    - [Pub] addressLiquidityPool
    - [Pub] addressLiquidityLocker
    - [Pub] payRent #
    - [Pub] charge #
    - [Pub] liqCharge #
    - [Pub] addLiquidityLocking #
       - modifiers: onlyOwner
    - [Pub] addLiquidity #
    - [Pub] removeLiquidity #
    - [Pub] mintMaster #
       - modifiers: onlyOwner

 +  vault (Ownable)
    - [Pub]  #
    - [Pub] addressShares
    - [Pub] addressAmt
    - [Pub] addressInitialSnapShot
    - [Pub] isContractSync
    - [Pub] amtStacked
    - [Pub] stake #
    - [Pub] withdrwal #
    - [Prv] charge #
    - [Prv] convertToAmt #
    - [Pub] chargeAll #
    - [Pub] syncContract #

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1300+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value across 1500 projects!.
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

Contact us today to get a free quote for a smart contract audit of your project!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

• High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
• Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
• Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
• Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.

• Go Home