Dracula Protocol - Smart Contract Audit Report
Summary
Dracula Protocol is a suite of smart contracts which aggregate major DeFi yield farms and liquidity mining platforms through a single smart-contract and unified web interface.
We reviewed Dracula's contracts at commit aee008291587cddca18035a30033d234b958a820, and later commit 2c10049f51203350d86674c4672fc5271d52031b on GitHub.
Token Contract:
- The token is mintable by the owner of the contract.
- After deployment of MasterVampire, that contract will be set as owner and will be the only minter of DRC token, for the purpose of providing rewards.
- The token is designed to be a governance token as well where 1 token = 1 vote.
DrainController:- The contract enables the team to perform liquidity drains; collecting assets to fund user rewards.
- The team can add any address to the whitelist, which allows them to perform liquidity drains.
- Chi Gas Token can be used when performing drains; reducing the gas fees associated with collecting the funds. The caller also recieves a gas stipend in ETH for performing the call.
- The team can also update the address of MasterVampire, the minimum ETH threshold to drain a pool, and the max gas price eligible for gas refunds.
DrainDistributor:- This contract distributes ETH rewards collected among reward pools, sends some of this ETH to the DrainController for gas refunds, and sends a share to the developers as well.
- The owner has the ability to update the distribution of the ETH at any time.
- The owner can also change the address of the addresses set to receive the ETH as described above.
Reward Pool:- This contract allows users to stake various assets as determined by the team in order to earn rewards in DRC tokens.
- DRC tokens used for rewards must be sent to the pool by the team manually - the owner can set the addresses which are allowed to fund rewards.
- The reward rate for users staking tokens in these pools is determined by the amount of tokens provided and the staking period.
- The period (duration for rewards) shall be set by the team upon deployment.
- The DRC reward pool contract contains additional logic to burn 1% of tokens upon withdrawal. The owner can update this rate up to 10% maximum.
Adapters & Related Interfaces:- IVampireAdapter is an interface used by the MasterVampire contract to interact with 'victim' pools on targeted protocols.
- In additon, each protocol intended to be a victim has its own adapter and interface in order to interact with each specific protocol.
- The interface also has view functions which will be used for calculating rewards and Governance.
- VampireAdapter holds functions for performing delegate calls to external victim platforms from the MasterVampire contract.
MasterVampire:- This contract allows users to deposit their assets into the protocol, and specifically into their specified victim pool.
- This contract contains the logic to convert ibETH (Interest-bearing ETH used in order to earn further rewards in ETH for depositers) into their real ETH value.
- The logic for draining pools (from the DrainController) is also contained in this contract.
- The owner can add additional victims and pools through this contract.
- The owner can also update a variety of variables critical to the platform, such as the addresses of victims and other contracts in the ecosystem.
- The owner can recover ERC20 tokens accidentally sent to the contract.
Timelock:- This contract is used to adminster parts of the protocol while introducing a time-delay.
- The minimum delay is 6 hours, though the actual delay can be set by the admin of the contract.
Best Practices / General Notes:- Usage of ReentrancyGuard in applicable functions to prevent re-entrancy attacks.
- Utilization of SafeMath to prevent overflows and ensure safe transfers.
- The token properly follows the ERC20 standard.
- There is one wallet, not controlled by the team, that has more tokens than is in Uniswap's liquidity. This poses a small risk to the liquidity pool; but no risk to the core platform itself.
- The protocol interacts with numerous external platforms. If one of these external protocls are exploited, it could have a negative impact on Dracula.
Audit Findings Summary:- No security issues from external attackers were identified.
- Ensure trust in the team as they have notable power in the ecosystem. The lead developer appears extremely committed to the development of the platform and the GitHub commits reflect this.
- Date: March 13th, 2021
External Threats - Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
Name | Address | Graphics |
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
|