DPex - Smart Contract Audit Report
We audited DPex's contracts at commit 028318900fe110abdd176f32f0c1ab2f8edbb3a9 on GitHub, and at the Kovan addresses below.
- DPex is a fork of Uniswap with a few notable changes.
- The liquidity provider fee is 0.3%, matching Uniswap's.
- There is an additional 0.1% fee on transactions involving WETH and PSI. The fee amount can be updated via Governance, though it cannot exceed 20%.
- Half of this additional fee (0.05%) will be used to fund rewards to be distributed to holders of the PSI token.
- Fees are collected by the Fee Aggregator, which has the ability to swap WETH to PSI for PSI-holder rewards and also provides rewards to liquidity providers.
- The contract utilizes Chi gas token to drastically reduce the gas costs of adding/removing liquidity and swapping tokens.
- The team must provide the Chi gas tokens to be used by the contract.
- Governance operates using levels. Governance participants can grant any address any level below the caller's current level.
- The deployer of the contract is granted the Mastermind role (level 100), leading to somewhat centralized control of the platform.
- Access control via Governance includes the following roles: Mastermind (100+), Governer (50+), and Partner (10+).
- Having the Mastermind role also grants access to functions restricted to the lower-level roles.
- Anyone with the "mastermind" access level can update the Governance address in the FeeAggregator and Router at any time.
- Anyone with the Governer level or above can edit critical variables in the ecosystem (Router address, gas token address, FeeAggregator address, and more).
- The Partner access role is not used in the current implementation of the contracts.
- All contracts except the Router are behind Admin Upgradability Proxies, meaning the contracts can be upgraded at any time via Governance.
- Usage of ReentrancyGuard in applicable locations.
- Utilization of SafeMath to prevent overflows.
- Use of TransferHelper and SafeERC20 to ensure safe transfers.
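The level-based governance and capped fee described in the list above can be modelled as follows. This is an added sketch, not DPex's Governance contract or code from the audit: the contract, function, and event names, the basis-point units, the compiler version, and the choice of the Governer level for the fee setter are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model only; every identifier here is hypothetical.
contract LevelGovernanceSketch {
    // Role thresholds as listed in the report.
    uint256 public constant MASTERMIND = 100;
    uint256 public constant GOVERNER = 50;
    uint256 public constant PARTNER = 10; // unused, as in the audited contracts

    uint256 public constant MAX_FEE_BPS = 2000; // 20% cap, in basis points
    uint256 public feeBps = 10;                 // 0.1% additional fee

    mapping(address => uint256) public levelOf;

    // Events give monitoring a hook for every privilege or fee change.
    event LevelChanged(address indexed by, address indexed account, uint256 level);
    event FeeChanged(address indexed by, uint256 feeBps);

    constructor() {
        levelOf[msg.sender] = MASTERMIND; // deployer starts as Mastermind
        emit LevelChanged(msg.sender, msg.sender, MASTERMIND);
    }

    // A threshold check: level 100 also passes every ">= 50" gate.
    modifier atLeast(uint256 minLevel) {
        require(levelOf[msg.sender] >= minLevel, "level too low");
        _;
    }

    function setLevel(address account, uint256 newLevel) external {
        uint256 callerLevel = levelOf[msg.sender];
        // Rule from the report: only levels strictly below the caller's.
        require(newLevel < callerLevel, "must be below caller");
        // Assumption (not stated in the report): the target's current level
        // must also be below the caller's, so a peer cannot be demoted.
        require(levelOf[account] < callerLevel, "target not below caller");
        levelOf[account] = newLevel;
        emit LevelChanged(msg.sender, account, newLevel);
    }

    function setFeeBps(uint256 newFeeBps) external atLeast(GOVERNER) {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        feeBps = newFeeBps;
        emit FeeChanged(msg.sender, newFeeBps);
    }
}
```

Because grants are strictly below the caller's level, an account at level 100 cannot create a second level-100 account in this model, and watching `LevelChanged` for values at or above 50 shows who can reach the critical setters.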
Audit Findings Summary:
- No security issues from outside attackers were identified.
- Ensure trust in the team as governance is somewhat centralized and critical variables & contracts can be upgraded at any time.
- The developer has performed KYC with our firm.
- Date: February 2nd, 2021
External Threats - Audit Results
|Arbitrary Storage Write||N/A||PASS|
|Delegate Call to Untrusted Contract||N/A||PASS|
|Dependence on Predictable Variables||N/A||PASS|
|State Change External Calls||N/A||PASS|
|User Supplied Assertion||N/A||PASS|
|Critical Solidity Compiler||N/A||PASS|
|Overall Contract Safety||PASS|