FootBallStarsIO - Smart Contract Audit Report

Summary

FootBallStarsIO is building a new yield farming platform where users can earn rewards in the form of the project's native $FTS token.

For this audit, we reviewed the team's MasterChef staking contract using code that was provided to us by the team.

    Notes on the Contract:
  • The owner has the ability to utilize this contract to create staking pools. Users can stake various tokens into these pools to earn rewards in the form of the project's native $FTS token.
  • There is a fee associated with making a deposit to the contract which is set by the owner upon adding the pool. The fee is allocated to the team and its percentage can be set to any value from 0.00% to 1.00%.
  • The tokens collected from the deposit fee are allocated to a wallet controlled by the team.
  • An emergency withdraw function is present, allowing users to withdraw their tokens without being charged a fee in case of an issue, but that user's rewards will be forfeited.
  • Users can withdraw their pending rewards without leaving their staking position by passing 0 into either the withdraw() or deposit() functions.
  • Users have the ability to stake $CAKE tokens, which utilizes a different structure than the other BEP20 tokens set by the team.
  • If a user stakes $CAKE tokens, the $CAKE tokens will be swapped for $FTS and stored as pending rewards for the user. A harvest fee will be collected from the user's pending rewards.
  • If there are not enough $CAKE tokens in the contract balance to pay a user's pending rewards, the amount of $FTS a user earns will be equivalent to the value of $CAKE tokens that are left in the contract.

    Ownership Controls:
  • The owner has the ability to send any amount of tokens that are stored in the contract address to the team's recovery address. The recovery address can be modified by the owner to any address at any time.
  • The owner has the ability to modify the harvest fee to any percentage at any time.
  • The owner can update the team's wallet to any address at any time.
  • The owner can assign multiple addresses to an operator role. The assigned addresses have access to specific functions in the contract.
  • Any operator can manually deposit or withdraw $CAKE tokens to and from the MasterChef contract at any time.
  • The team must ensure they carefully set $CAKE as the staking asset that will be assigned Pool ID 3, otherwise the contract will not function as intended.
  • The team must exercise caution when adding tokens to avoid fee-on-transfer and ERC777-compliant tokens.
  • The team must also be careful not to add the same token twice for staking.
  • The contract utilizes SafeMath to prevent overflows.
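
One way to enforce the cautions above in code (the 1.00% deposit-fee ceiling, one pool per staking token, no fee-on-transfer or ERC777 surprises) instead of relying on operator care. This is an added sketch, not the audited FootBallStarsIO contract: the contract, every name in it and the Solidity 0.8 pragma are assumptions, and a production version would use the SafeBEP20 wrappers listed in the function overview.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added sketch, not the audited FootBallStarsIO contract; every name is hypothetical.
interface IToken {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 v) external returns (bool);
    function transferFrom(address from, address to, uint256 v) external returns (bool);
}

contract PoolGuardSketch {
    uint16 public constant MAX_DEPOSIT_FEE_BP = 100; // 1.00% ceiling from the report
    struct Pool { IToken token; uint16 feeBP; uint256 totalStaked; }

    address public immutable owner;
    address public immutable feeAddress;
    Pool[] public pools;
    mapping(address => bool) public listed; // one pool per token
    mapping(uint256 => mapping(address => uint256)) public staked;
    bool private locked; // blocks re-entry from ERC777-style transfer hooks

    constructor(address feeAddress_) { owner = msg.sender; feeAddress = feeAddress_; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function add(IToken token, uint16 feeBP) external {
        require(msg.sender == owner, "not owner");
        require(feeBP <= MAX_DEPOSIT_FEE_BP, "deposit fee above 1%");
        require(!listed[address(token)], "token already has a pool");
        listed[address(token)] = true;
        pools.push(Pool(token, feeBP, 0));
    }

    function deposit(uint256 pid, uint256 amount) external nonReentrant {
        Pool storage pool = pools[pid];
        uint256 before = pool.token.balanceOf(address(this));
        require(pool.token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Compare what arrived with what was requested; a shortfall means a transfer tax.
        uint256 received = pool.token.balanceOf(address(this)) - before;
        require(received == amount, "fee-on-transfer token unsupported");
        uint256 fee = (amount * pool.feeBP) / 10_000;
        staked[pid][msg.sender] += amount - fee;
        pool.totalStaked += amount - fee; // tracked supply, independent of balanceOf
        if (fee > 0) require(pool.token.transfer(feeAddress, fee), "fee transfer failed");
    }
}
```

Tracking `totalStaked` per pool, rather than reading the contract's token balance, keeps each pool's accounting separate from tokens that reach the contract by any other path.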

    Audit Findings Summary:
  • No security issues from external attackers were identified.
  • Please ensure trust in the team as they can withdraw all of the BEP20 tokens from the contract at any time.
  • Date: October 11th, 2021

Combined External Threat Results

Vulnerability Category | Notes | Result
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | PASS
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Integer Over/Underflow | N/A | PASS
Multiple Sends | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS


Details: MasterChef Staking


Function Graph

[Figure: Smart Contract Graph]

Inheritance Chart

[Figure: Smart Contract Inheritance]

Functions Overview


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public

 + [Lib] SafeBEP20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 +  Context 
    - [Int]  #
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 + [Int] IBEP20 
    - [Ext] totalSupply
    - [Ext] decimals
    - [Ext] symbol
    - [Ext] name
    - [Ext] getOwner
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod
    - [Int] min
    - [Int] sqrt

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Prv] _functionCallWithValue #

 +  BEP20 (Context, IBEP20, Ownable)
    - [Pub]  #
    - [Ext] getOwner
    - [Pub] name
    - [Pub] decimals
    - [Pub] symbol
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Pub] mint #
       - modifiers: onlyOwner
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _burnFrom #

 + [Lib] Roles 
    - [Int] add #
    - [Int] remove #
    - [Int] has

 +  Operator 
    - [Int]  #
    - [Pub] isOperator
    - [Pub] addOperator #
       - modifiers: onlyOperator
    - [Pub] removeOperator #
       - modifiers: onlyOperator
    - [Pub] renounceOperator #
    - [Int] _addOperator #
    - [Int] _removeOperator #

 + [Int] IPancakeRouter01 
    - [Ext] factory
    - [Ext] WETH
    - [Ext] addLiquidity #
    - [Ext] addLiquidityETH ($)
    - [Ext] removeLiquidity #
    - [Ext] removeLiquidityETH #
    - [Ext] removeLiquidityWithPermit #
    - [Ext] removeLiquidityETHWithPermit #
    - [Ext] swapExactTokensForTokens #
    - [Ext] swapTokensForExactTokens #
    - [Ext] swapExactETHForTokens ($)
    - [Ext] swapTokensForExactETH #
    - [Ext] swapExactTokensForETH #
    - [Ext] swapETHForExactTokens ($)
    - [Ext] quote
    - [Ext] getAmountOut
    - [Ext] getAmountIn
    - [Ext] getAmountsOut
    - [Ext] getAmountsIn

 + [Int] IPancakeRouter02 (IPancakeRouter01)
    - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
    - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
    - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
    - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

 + [Int] IMasterChef 
    - [Ext] cakePerBlock
    - [Ext] totalAllocPoint
    - [Ext] poolInfo
    - [Ext] userInfo
    - [Ext] poolLength
    - [Ext] deposit #
    - [Ext] withdraw #
    - [Ext] emergencyWithdraw #
    - [Ext] enterStaking #
    - [Ext] leaveStaking #
    - [Ext] pendingCake

 +  MasterChef (Ownable, Operator)
    - [Pub]  #
    - [Ext] poolLength
    - [Pub] add #
       - modifiers: onlyOwner
    - [Pub] set #
       - modifiers: onlyOwner
    - [Pub] getMultiplier
    - [Ext] pendingFTS
    - [Pub] massUpdatePools #
    - [Pub] updatePool #
    - [Int] _safeApprove #
    - [Int] _swap #
    - [Int] _tokenPath
    - [Pub] deposit #
    - [Pub] withdraw #
    - [Ext] recoverBEP20 #
       - modifiers: onlyOwner
    - [Pub] emergencyWithdraw #
    - [Int] safeFTSTransfer #
    - [Pub] depositPancake #
       - modifiers: onlyOperator
    - [Pub] emergencyWithdrawPancake #
       - modifiers: onlyOperator
    - [Pub] approve #
       - modifiers: onlyOwner
    - [Pub] setFeeAddress #
    - [Pub] setFeeValue #
    - [Pub] setRecoveryAddress #
       - modifiers: onlyOwner
    - [Pub] updateEmissionRate #
       - modifiers: onlyOwner
    - [Ext] getRecoveryAddress