Eons Finance - Smart Contract Audit Report

Summary

Eons Finance introduces a platform where users can stake on Aave and create LP tokens on Uniswap, earning Eons rewards for doing so.

We reviewed Eons's contracts at commit 555f6dafa3d0a5b67e1331ad473486d9781ac48b on the team's private GitHub.

Notes on the Contracts:
  • Controller:
      • The Controller is used for setting various state variables that are referenced across the contracts.
      • Only the owner can mass update the emissions from the Controller contract, which mints Eons tokens to the Eons-Aave Vault and to the treasury wallet address controlled by the team.
      • The emissions are calculated by taking a percentage of the daily supply of Eons and applying it over all the blocks since emissions were last calculated.
      • Emissions are distributed for all the pools in the Eons-Aave Vault.

  • EonsAaveVault and EonsAaveRouter:
      • Anyone can deposit either ERC20 or ETH into a pool that has a token address set.
      • The tokens or ETH are transferred from the user to the Eons-Aave Router contract.
      • The tokens or ETH are deposited into the Aave lending pool from the Eons-Aave Router contract. The owner of the tokens in the lending pool is the Eons-Aave Router contract.
      • The user is minted 1 EonsETH token for every 1 ERC20 or ETH token deposited.
      • The Eons-Aave Vault can withdraw any amount from the Aave lending pool, as long as the amount to withdraw is less than the total amount in the lending pool.
      • On withdrawals, a portion of the interest accrued in Aave is transferred to the dev wallet controlled by the team.
      • Pending Eons emissions are distributed to users as a reward on every deposit and withdrawal.

      • The owner can set the Eons-Aave Router address to any value at any time.
      • The owner is able to add new pools at any time.
      • The owner is able to set various data describing the pools at any time.
      • The owner is able to add any Aave token asset to the EonsAaveRouter at any time.

  • EonsUniswapVault and EonsUniswapRouter:
      • Anyone is able to mint any amount of EonsLP tokens to any address at any time via the deposit function.
      • Anyone is able to deduct from another user's balance variable at any time via the withdrawFrom function.
      • Anyone is able to burn any amount of EonsLP tokens from their own wallet at any time via the withdraw function.
      • The owner is able to mint any amount of EonsLP tokens to any address at any time.
      • There is a fallback function that takes the ETH passed in, swaps half of it for WETH, pairs the WETH with Eons, and mints LP tokens to the contract address.
      • Any remaining amounts of Eons or WETH are sent back to the msg.sender.
      • Users can also add liquidity manually.
      • Anyone can burn the LP tokens and transfer the remaining ETH to any wallet address at any time.

  • Eons Tokens:
      • Only approved minters can mint Eons.
      • Only the owner can specify the amount that an approved minter can mint.
      • The owner can set the transaction fee to any value at any time.
      • Any approved minter can mint for any address, as long as they pay the transaction fee, which is transferred to the team wallet.
      • Anyone can burn any amount of tokens from their own wallet.
      • Anyone can burn any amount of tokens from another user's wallet, as long as they have the necessary allowances.

      • The owner of the contract is a 2/3 multisig wallet.
      • Only the owner can mint or burn EonsETH.
      • Only the owner can mint or burn EonsLP, and must have proper allowance in order to burn from another wallet.

Audit Findings Summary:
  • No security issues from outside attackers were identified.
  • Ensure trust in the team as they have notable control in the ecosystem.
  • Date: July 13th, 2021.
  • Updated: September 2nd, 2021 to reflect permissions changes on sensitive functions, and to optimize for gas efficiency.

External Threat Results

| Vulnerability Category              | Notes | Result |
|-------------------------------------|-------|--------|
| Arbitrary Storage Write             | N/A   | PASS   |
| Arbitrary Jump                      | N/A   | PASS   |
| Delegate Call to Untrusted Contract | N/A   | PASS   |
| Dependence on Predictable Variables | N/A   | PASS   |
| Deprecated Opcodes                  | N/A   | PASS   |
| Ether Thief                         | N/A   | PASS   |
| Exceptions                          | N/A   | PASS   |
| External Calls                      | N/A   | PASS   |
| Integer Over/Underflow              | N/A   | PASS   |
| Multiple Sends                      | N/A   | PASS   |
| Suicide                             | N/A   | PASS   |
| State Change External Calls         | N/A   | PASS   |
| Unchecked Retval                    | N/A   | PASS   |
| User Supplied Assertion             | N/A   | PASS   |
| Critical Solidity Compiler          | N/A   | PASS   |
| Overall Contract Safety             |       | PASS   |