FootBallStarsIO - Smart Contract Audit Report
FootBallStarsIO is building a new yield farming platform where users can earn rewards in the form of the project's native $FTS token. For this audit, we reviewed the team's MasterChef staking contract using code that was provided to us by the team.
Notes on the Contract:
- The owner has the ability to utilize this contract to create staking pools. Users can stake various tokens into these pools to earn rewards in the form of the project's native $FTS token.
- There is a fee associated with making a deposit to the contract which is set by the owner upon adding the pool. The fee is allocated to the team and its percentage can be set to any value from 0.00% to 1.00%.
- The tokens collected from the deposit fee are allocated to a wallet controlled by the team.
- An emergency withdraw function is present, allowing users to withdraw their tokens without being charged a fee in case of an issue, but that user's rewards will be forfeited.
- Users can withdraw their pending rewards without leaving their staking position by passing 0 into either the withdraw() or deposit() functions.
- Users have the ability to stake $CAKE tokens, which utilizes a different structure than the other BEP20 tokens set by the team.
- If a user stakes $CAKE tokens, the $CAKE tokens will be swapped for $FTS and stored as pending rewards for the user. A harvest fee will be collected from the user's pending rewards.
- If there are not enough $CAKE tokens in the contract balance to pay a user's pending rewards, the amount of $FTS a user earns will be equivalent to the value of $CAKE tokens that are left in the contract.
- The owner has the ability to send any amount of tokens that are stored in the contract address to the team's recovery address. The recovery address can be modified by the owner to any address at any time.
- The owner has the ability to modify the harvest fee to any percentage at any time.
- The owner can update the team's wallet to any address at any time.
- The owner can assign multiple addresses to an operator role. The assigned addresses have access to specific functions in the contract.
- Any operator can manually deposit or withdraw $CAKE tokens to and from the MasterChef contract at any time.
- The team must ensure they carefully set $CAKE as the staking asset that will be assigned Pool ID 3, otherwise the contract will not function as intended.
- The team must exercise caution when adding tokens to avoid fee-on-transfer and ERC777-compliant tokens.
- The team must also be careful not to add the same token twice for staking.
- The contract utilizes SafeMath to prevent overflows.
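The cautions above about fee-on-transfer tokens and about adding the same token twice, illustrated with an added Python model that is not the audited contract's code. It assumes the common MasterChef-style pattern in which a deposit credits the requested amount and a pool's supply is read from the contract's balance of the staking token; `Token`, `Farm`, the users and all amounts are hypothetical.

```python
class Token:
    """Minimal BEP20-like ledger; fee_bps > 0 models a fee-on-transfer token."""
    def __init__(self, fee_bps=0):
        self.fee_bps, self.balances = fee_bps, {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, src, dst, amount):
        self.balances[src] -= amount  # sender is debited the full amount
        self.mint(dst, amount - amount * self.fee_bps // 10_000)  # receiver gets less

class Farm:
    """Hypothetical staking ledger, not the audited MasterChef."""
    def __init__(self, measure_received):
        self.measure_received = measure_received
        self.pools, self.credited = [], {}  # pid -> token, (pid, user) -> stake

    def add_pool(self, token, allow_duplicate=False):
        if token in self.pools and not allow_duplicate:
            raise ValueError("token already has a pool")
        self.pools.append(token)
        return len(self.pools) - 1

    def held(self, pid):  # what balanceOf(farm) reports for the pool's token
        return self.pools[pid].balances.get("farm", 0)

    def deposit(self, pid, user, amount):
        before = self.held(pid)
        self.pools[pid].transfer(user, "farm", amount)
        credit = self.held(pid) - before if self.measure_received else amount
        self.credited[pid, user] = self.credited.get((pid, user), 0) + credit

    def shortfall(self, pid):  # stake credited to the pool's users minus tokens held
        return sum(v for (p, _), v in self.credited.items() if p == pid) - self.held(pid)

def shortfall_after_deposits(measure_received, fee_bps):
    token, farm = Token(fee_bps), Farm(measure_received)
    pid = farm.add_pool(token)
    for user in ("alice", "bob"):  # constructed users and amounts
        token.mint(user, 1_000)
        farm.deposit(pid, user, 1_000)
    return farm.shortfall(pid)

def supply_seen_by_first_pool():
    token, farm = Token(), Farm(True)
    first, second = farm.add_pool(token), farm.add_pool(token, allow_duplicate=True)
    token.mint("alice", 500); token.mint("bob", 1_500)
    farm.deposit(first, "alice", 500); farm.deposit(second, "bob", 1_500)
    return farm.held(first)  # farm-wide balance, not this pool's stake
```

A non-zero shortfall means the ledger owes more stake than the contract holds, so the last withdrawals cannot be paid in full. With a duplicated token, the first pool sees a supply that includes the second pool's deposits, which dilutes its reward-per-share calculation.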
Audit Findings Summary:
- No security issues from external attackers were identified.
- Please ensure trust in the team as they can withdraw all of the BEP20 tokens from the contract at any time.
- Date: October 11th, 2021
Combined External Threat Results
| Check | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| State Change External Calls | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |
Details: MasterChef Staking
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public

+ [Lib] SafeBEP20
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

+ Context
    - [Int] #
    - [Int] _msgSender
    - [Int] _msgData

+ Ownable (Context)
    - [Int] #
    - [Pub] owner
    - [Pub] renounceOwnership #
        - modifiers: onlyOwner
    - [Pub] transferOwnership #
        - modifiers: onlyOwner
    - [Int] _transferOwnership #

+ [Int] IBEP20
    - [Ext] totalSupply
    - [Ext] decimals
    - [Ext] symbol
    - [Ext] name
    - [Ext] getOwner
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

+ [Lib] SafeMath
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod
    - [Int] min
    - [Int] sqrt

+ [Lib] Address
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Prv] _functionCallWithValue #

+ BEP20 (Context, IBEP20, Ownable)
    - [Pub] #
    - [Ext] getOwner
    - [Pub] name
    - [Pub] decimals
    - [Pub] symbol
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Pub] mint #
        - modifiers: onlyOwner
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _burnFrom #

+ [Lib] Roles
    - [Int] add #
    - [Int] remove #
    - [Int] has

+ Operator
    - [Int] #
    - [Pub] isOperator
    - [Pub] addOperator #
        - modifiers: onlyOperator
    - [Pub] removeOperator #
        - modifiers: onlyOperator
    - [Pub] renounceOperator #
    - [Int] _addOperator #
    - [Int] _removeOperator #

+ [Int] IPancakeRouter01
    - [Ext] factory
    - [Ext] WETH
    - [Ext] addLiquidity #
    - [Ext] addLiquidityETH ($)
    - [Ext] removeLiquidity #
    - [Ext] removeLiquidityETH #
    - [Ext] removeLiquidityWithPermit #
    - [Ext] removeLiquidityETHWithPermit #
    - [Ext] swapExactTokensForTokens #
    - [Ext] swapTokensForExactTokens #
    - [Ext] swapExactETHForTokens ($)
    - [Ext] swapTokensForExactETH #
    - [Ext] swapExactTokensForETH #
    - [Ext] swapETHForExactTokens ($)
    - [Ext] quote
    - [Ext] getAmountOut
    - [Ext] getAmountIn
    - [Ext] getAmountsOut
    - [Ext] getAmountsIn

+ [Int] IPancakeRouter02 (IPancakeRouter01)
    - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
    - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
    - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
    - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
    - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #

+ [Int] IMasterChef
    - [Ext] cakePerBlock
    - [Ext] totalAllocPoint
    - [Ext] poolInfo
    - [Ext] userInfo
    - [Ext] poolLength
    - [Ext] deposit #
    - [Ext] withdraw #
    - [Ext] emergencyWithdraw #
    - [Ext] enterStaking #
    - [Ext] leaveStaking #
    - [Ext] pendingCake

+ MasterChef (Ownable, Operator)
    - [Pub] #
    - [Ext] poolLength
    - [Pub] add #
        - modifiers: onlyOwner
    - [Pub] set #
        - modifiers: onlyOwner
    - [Pub] getMultiplier
    - [Ext] pendingFTS
    - [Pub] massUpdatePools #
    - [Pub] updatePool #
    - [Int] _safeApprove #
    - [Int] _swap #
    - [Int] _tokenPath
    - [Pub] deposit #
    - [Pub] withdraw #
    - [Ext] recoverBEP20 #
        - modifiers: onlyOwner
    - [Pub] emergencyWithdraw #
    - [Int] safeFTSTransfer #
    - [Pub] depositPancake #
        - modifiers: onlyOperator
    - [Pub] emergencyWithdrawPancake #
        - modifiers: onlyOperator
    - [Pub] approve #
        - modifiers: onlyOwner
    - [Pub] setFeeAddress #
    - [Pub] setFeeValue #
    - [Pub] setRecoveryAddress #
        - modifiers: onlyOwner
    - [Pub] updateEmissionRate #
        - modifiers: onlyOwner
    - [Ext] getRecoveryAddress