Diamond Birb - Smart Contract Audit Report
Diamond Birb is building a new DeFi ecosystem on the Binance Smart Chain. For this audit, we analyzed the Diamond Birb Token and MasterChef contracts. We reviewed Diamond Birb's contract at 0x551dce34a8add5fa5cce12fa83187e4084007918 on the Binance Smart Chain mainnet.
Notes on the Diamond Birb Contract:
- The initial total supply of $DBIRB Token is 20 million [20,000,000].
- The owner of the Diamond Birb token contract has been properly set as the MasterChef contract.
- The $DBIRB token is designed to be a governance token where 1 token = 1 vote. Token holders can delegate their voting rights to any address. To save gas, users can also do so using an EIP-712 signature.
- The transfer function of the token does not properly call _moveDelegates. As a result, when tokens that are currently delegated are transferred, the voting power is not moved. Therefore the governance-related features will not function as intended.
- The contract also includes an "operator" role which allows the team to retain control of certain aspects of the token.
- There is a 'maximum wallet amount' that can be set and updated by the operator at any time. Transfers revert if the number of $DBIRB tokens that the recipient owns would exceed the threshold set by the team.
- The contract utilizes SafeMath (or similarly safe functions) to prevent overflows.
- The contract complies with the BEP20 Token Standard.
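The delegation finding above, as an added Solidity sketch (not the audited DBirbToken source, which this report does not reproduce): transferWithoutVoteMove leaves the delegatee's votes behind when tokens move, while transfer shows the corrected form that calls _moveDelegates. The contract name, the flat currentVotes mapping used in place of checkpoints, and the 0.8 compiler are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: minimal token with Compound-style delegation.
// Function names mirror the function list in this report; bodies are assumptions.
contract DelegatedTokenSketch {
    mapping(address => uint256) public balanceOf;
    mapping(address => address) public delegates;    // delegator => delegatee
    mapping(address => uint256) public currentVotes; // delegatee => votes (checkpoint history omitted)

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function delegate(address delegatee) external {
        address previous = delegates[msg.sender];
        delegates[msg.sender] = delegatee;
        _moveDelegates(previous, delegatee, balanceOf[msg.sender]);
    }

    // Behaviour described in the finding: balances move, votes do not,
    // so a delegatee keeps voting power for tokens the delegator no longer holds.
    function transferWithoutVoteMove(address to, uint256 amount) external {
        _transfer(msg.sender, to, amount);
    }

    // Corrected form: votes follow the tokens from the sender's delegatee
    // to the recipient's delegatee.
    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        _moveDelegates(delegates[msg.sender], delegates[to], amount);
        return true;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        balanceOf[from] -= amount; // 0.8 checked arithmetic reverts on underflow
        balanceOf[to] += amount;
    }

    function _moveDelegates(address src, address dst, uint256 amount) internal {
        if (src == dst || amount == 0) return;
        if (src != address(0)) currentVotes[src] -= amount;
        if (dst != address(0)) currentVotes[dst] += amount;
    }
}
```

A useful test invariant for the corrected form is that each delegatee's currentVotes equals the sum of balanceOf over the accounts delegating to it.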
Notes on the MasterChef Contract:
- Users can stake various tokens into the MasterChef contract to earn rewards in the form of the project's native $DBIRB token.
- $DBIRB Tokens can be minted through generated rewards for stakeholders, where an additional percentage of the minted $DBIRB Tokens are minted to the SyrupBar Token Contract (as $SYRUP). Note that the DBIRB SyrupBar contract was considered out of scope for the purpose of this audit.
- There is a fee associated with making a deposit to the contract, set by the owner upon adding the pool. The fee is directed to the team and its percentage can be updated to any amount ranging from 0% to 20% at any time.
- The share of rewards that are generated by a given pool can be changed by the owner at any time.
- The MasterChef staking contract should not be used with deflationary, fee-on-transfer, or ERC-777 tokens. If a fee-on-transfer token is added as a staking asset, then the contract must be exempt from transfer fees in order to avoid exploitation from an outside attacker that could mint an extremely large amount of reward tokens that would make it possible to drain the liquidity pool.
- The team must also be careful to avoid adding duplicate pools for a token.
- The contract includes referral logic which allows users to earn additional $DBIRB token rewards in the form of a commission rate that can range anywhere from 0% to 5%. The owner of the MasterChef contract has the ability to update this commission rate at any time.
- The referral contract that is referenced is out of scope for the purpose of this audit and was not reviewed by our team.
- Referral commission is paid if users that have been referred opt to claim their rewards by either depositing or withdrawing tokens while they have pending (unclaimed) rewards.
- A savvy user can take advantage of the referral logic if they refer themselves on a secondary address and use that address to harvest their referral benefits.
- The contract utilizes SafeMath (or similarly safe functions) to prevent overflows/underflows.
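Why fee-on-transfer staking assets are a problem for this kind of contract, as an added Solidity sketch (not the audited DBirbMasterChef source): depositNominal credits the requested amount even when the token delivers less, and deposit credits only the measured balance increase. The contract and function names are hypothetical, rewards are omitted, and the nominal-credit pattern is assumed to be what the report's warning refers to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IBEP20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added illustration: single-pool staking sketch, reward logic omitted.
contract StakingDepositSketch {
    IBEP20 public immutable stakeToken;
    mapping(address => uint256) public staked; // per-user credited amount
    uint256 public totalStaked;                // sum of credited amounts

    constructor(IBEP20 token) {
        stakeToken = token;
    }

    // Pattern the warning is about: credits the requested amount even if the
    // token kept a transfer fee, so credited stake exceeds what the pool holds.
    function depositNominal(uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        staked[msg.sender] += amount;
        totalStaked += amount;
    }

    // Hardened form: credit only what actually arrived.
    // The balance-delta measurement assumes no reentrancy during the transfer;
    // tokens with transfer hooks (ERC-777) additionally need a reentrancy guard.
    function deposit(uint256 amount) external {
        uint256 balanceBefore = stakeToken.balanceOf(address(this));
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = stakeToken.balanceOf(address(this)) - balanceBefore;
        staked[msg.sender] += received;
        totalStaked += received;
    }

    // Invariant for tests and monitoring: credited stake must be fully backed.
    function isFullyBacked() external view returns (bool) {
        return stakeToken.balanceOf(address(this)) >= totalStaked;
    }
}
```

With a fee-charging token, isFullyBacked returns false after depositNominal and stays true after deposit.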
Audit Findings Summary:
- No threats from external attackers were identified.
- The transfer function of the $DBIRB token contract does not properly call _moveDelegates. As a result, when tokens (that are currently delegated) are transferred, the voting power is not being moved. Therefore, if there is any intention to utilize the governance related features, they will not function as intended.
- Ensure trust in the team as they have substantial control within the ecosystem.
- Date: October 11th, 2021
- Updated: October 20th, 2021 to reflect the newly revised and deployed contracts.
- Updated: October 22nd, 2021 to reflect a third deployment of the contracts.
Combined External Threat Results
|Vulnerability Category|Notes|Result|
|---|---|---|
|Arbitrary Storage Write|N/A|PASS|
|Delegate Call to Untrusted Contract|N/A|PASS|
|Dependence on Predictable Variables|N/A|PASS|
|State Change External Calls|N/A|PASS|
|User Supplied Assertion|N/A|PASS|
|Critical Solidity Compiler|N/A|PASS|
|Overall Contract Safety||PASS|
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public

+ [Lib] SafeMath
   - [Int] add
   - [Int] sub
   - [Int] sub
   - [Int] mul
   - [Int] div
   - [Int] div
   - [Int] mod
   - [Int] mod
   - [Int] min
   - [Int] sqrt

+ Context
   - [Int] #
   - [Int] _msgSender
   - [Int] _msgData

+ Ownable (Context)
   - [Int] #
   - [Pub] owner
   - [Pub] renounceOwnership #
      - modifiers: onlyOwner
   - [Pub] transferOwnership #
      - modifiers: onlyOwner
   - [Int] _transferOwnership #

+ [Int] IDBirbReferral
   - [Ext] recordReferral #
   - [Ext] recordReferralCommission #
   - [Ext] getReferrer

+ [Int] IBEP20
   - [Ext] totalSupply
   - [Ext] decimals
   - [Ext] symbol
   - [Ext] name
   - [Ext] getOwner
   - [Ext] balanceOf
   - [Ext] transfer #
   - [Ext] allowance
   - [Ext] approve #
   - [Ext] transferFrom #

+ [Lib] Address
   - [Int] isContract
   - [Int] sendValue #
   - [Int] functionCall #
   - [Int] functionCall #
   - [Int] functionCallWithValue #
   - [Int] functionCallWithValue #
   - [Int] functionStaticCall
   - [Int] functionStaticCall
   - [Int] functionDelegateCall #
   - [Int] functionDelegateCall #
   - [Prv] _verifyCallResult

+ [Lib] SafeBEP20
   - [Int] safeTransfer #
   - [Int] safeTransferFrom #
   - [Int] safeApprove #
   - [Int] safeIncreaseAllowance #
   - [Int] safeDecreaseAllowance #
   - [Prv] _callOptionalReturn #

+ BEP20 (Context, IBEP20, Ownable)
   - [Pub] #
   - [Ext] getOwner
   - [Pub] name
   - [Pub] decimals
   - [Pub] symbol
   - [Pub] totalSupply
   - [Pub] balanceOf
   - [Pub] transfer #
   - [Pub] allowance
   - [Pub] approve #
   - [Pub] transferFrom #
   - [Pub] increaseAllowance #
   - [Pub] decreaseAllowance #
   - [Pub] mint #
      - modifiers: onlyOwner
   - [Int] _transfer #
   - [Int] _mint #
   - [Int] _burn #
   - [Int] _approve #
   - [Int] _burnFrom #

+ DBirbToken (BEP20)
   - [Pub] availableBalancePerWallet
   - [Ext] updateMaxBalancePerWallet #
      - modifiers: onlyOperator
   - [Pub] isExcludedFromAntiFat
   - [Ext] excludeFromAntiFat #
      - modifiers: onlyOperator
   - [Pub] operator
   - [Ext] transferOperator #
      - modifiers: onlyOperator
   - [Pub] #
      - modifiers: BEP20
   - [Pub] mint #
      - modifiers: onlyOwner
   - [Int] _transfer #
      - modifiers: antiFat
   - [Ext] delegates
   - [Ext] delegate #
   - [Ext] delegateBySig #
   - [Ext] getCurrentVotes
   - [Ext] getPriorVotes
   - [Int] _delegate #
   - [Int] _moveDelegates #
   - [Int] _writeCheckpoint #
   - [Int] safe32
   - [Int] getChainId

+ DBirbSyrupBar (BEP20)
   - [Pub] mint #
      - modifiers: onlyOwner
   - [Pub] burn #
      - modifiers: onlyOwner
   - [Pub] #
   - [Pub] safeDBirbTransfer #
      - modifiers: onlyOwner
   - [Ext] delegates
   - [Ext] delegate #
   - [Ext] delegateBySig #
   - [Ext] getCurrentVotes
   - [Ext] getPriorVotes
   - [Int] _delegate #
   - [Int] _moveDelegates #
   - [Int] _writeCheckpoint #
   - [Int] safe32
   - [Int] getChainId

+ DBirbMasterChef (Ownable)
   - [Pub] #
   - [Pub] updateMultiplier #
      - modifiers: onlyOwner
   - [Ext] poolLength
   - [Ext] add #
      - modifiers: onlyOwner,nonDuplicated
   - [Ext] set #
      - modifiers: onlyOwner
   - [Int] updateStakingPool #
   - [Pub] getMultiplier
   - [Ext] pendingDBirb
   - [Pub] massUpdatePools #
   - [Pub] updatePool #
   - [Ext] deposit #
   - [Ext] withdraw #
   - [Ext] enterStaking #
   - [Ext] leaveStaking #
   - [Ext] emergencyWithdraw #
   - [Int] safeDBirbTransfer #
   - [Ext] dev #
   - [Ext] setFeeAddress #
   - [Ext] updateEmissionRate #
      - modifiers: onlyOwner
   - [Ext] setDBirbReferral #
      - modifiers: onlyOwner
   - [Ext] setReferralCommissionRate #
      - modifiers: onlyOwner
   - [Int] payReferralCommission #