VultureSwap Staking - Smart Contract Audit Report
Audit Summary
VultureSwap is building a new staking contract for users to deposit tokens and earn yield.
For this audit, we reviewed the following contracts on the Cronos Smart Chain Mainnet:
- MasterChef contract at 0x52d48c2245C87B39762062D96da827A6EC8C900D.
- VswapToken contract at 0x8a02F855e1a9a232B34d798d0Cc7432cd5A14E94.
Audit Findings
Please ensure trust in the team prior to investing as they have some control in the ecosystem.
Date: February 21st, 2022.
Updated: February 22nd, 2022 to reflect changes made by the team.Finding #1 - VswapToken - Informational
Description: The mint() function is declared public, but is never called internally.
Recommendation: We recommend declaring the function external for additional gas savings on each call.
Contracts Overview
- The MasterChef contract allows users to stake tokens in order to earn rewards in the form of the designated $VSWAP reward token.
- Users can deposit a specified token into the corresponding staking pool when the contract's reward start time is reached; there can only be one pool for each staking token.
- On deposits and withdrawals, pending $VSWAP tokens are minted and transferred to the user; $VSWAP reward tokens can be harvested until the total minted amount reaches 80 million.
- A deposit fee is deducted from the deposit amount and transferred to the fee address if the pool has one set.
- Users' rewards are dependent on their amount staked and the pool's reward per share amount.
- The reward per share amount is calculated using the contract's reward rate and the pool's allocation point percentage.
- The required amounts of $VSWAP reward tokens are minted to the MasterChef contract from the VswapToken contract each time a pool is updated; 20% of the required reward amount is also minted to the developer address each time.
- The user can trigger an emergency withdrawal, which will transfer all the user's deposited tokens to their wallet address, without calculating rewards.
- The developer address can set a new developer address at any time.
- The fee address can set a new fee address at any time.
- The owner can change the contract's start time as long as the original start time has not been reached.
- The owner can add new staking pools at any time.
- The owner can change all pools' allocation points to any value at any time.
- The owner can update each pool's deposit fee to any value up to 4% of the deposit amount at any time.
- The owner can change the reward rate to any value up to 5 tokens per second at any time.
- The MasterChef contract utilizes ReentrancyGuard to prevent reentrancy attacks in applicable functions.
- The VswapToken contract complies with the BEP20 standard.
- The contracts utilize SafeMath to prevent overflow/underflow attacks.
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS | Centralization of Control | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
VswapToken Contract
($) = payable function
# = non-constant function
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Prv] _verifyCallResult
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ BEP20 (Context, IBEP20, Ownable)
- [Pub] #
- [Ext] getOwner
- [Pub] name
- [Pub] decimals
- [Pub] symbol
- [Pub] totalSupply
- [Pub] maxSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Pub] mint #
- modifiers: onlyOwner
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _burnFrom #
+ VswapToken (BEP20)
- [Pub] mint #
- modifiers: onlyOwner MasterChef Contract
($) = payable function
# = non-constant function
+ ReentrancyGuard
- [Int] #
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Prv] _verifyCallResult
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ BEP20 (Context, IBEP20, Ownable)
- [Pub] #
- [Ext] getOwner
- [Pub] name
- [Pub] decimals
- [Pub] symbol
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Pub] mint #
- modifiers: onlyOwner
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _burnFrom #
+ VswapToken (BEP20)
- [Pub] mint #
- modifiers: onlyOwner
+ [Lib] SafeBEP20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ MasterChef (Ownable, ReentrancyGuard)
- [Pub] #
- [Ext] poolLength
- [Ext] add #
- modifiers: onlyOwner,nonDuplicated
- [Ext] set #
- modifiers: onlyOwner
- [Pub] getMultiplier
- [Ext] pendingVswap
- [Pub] massUpdatePools #
- [Pub] updatePool #
- [Ext] deposit #
- modifiers: nonReentrant
- [Ext] withdraw #
- modifiers: nonReentrant
- [Ext] emergencyWithdraw #
- modifiers: nonReentrant
- [Int] safeVswapTransfer #
- [Ext] setDevAddress #
- [Ext] setFeeAddress #
- [Ext] updateEmissionRate #
- modifiers: onlyOwner
- [Ext] updateStartTime #
- modifiers: onlyOwner