HoneyFarm - Smart Contract Audit Report

Summary

HoneyFarm intends to build a yield aggregator on the Binance Smart Chain.


For this audit, we reviewed the following contracts on the Binance Smart Chain mainnet:

Notes of the Contract:
  • Users can stake various tokens into the YetiMaster contract in order to earn rewards in the project's native token.
  • The project team can add different types of tokens for staking, and can update the reward rates for each token.
  • The team must exercise caution when adding tokens to avoid ERC777-compliant tokens (this is uncommon).
  • The YetiMaster staking contract should not be used with deflationary tokens. If a deflationary token is added as a staking asset, then the contract must be exempt from transfer fees.
  • Users' deposited tokens will be forwarded to the Strategy contract to earn yield while the user earns rewards.
  • The Honey Token has a transfer fee that can range anywhere from 0% to 3%. The operator (project team delegate) has the ability to modify this fee at any time.
  • There is a fee associated with making a deposit to or withdrawing from the contract. The deposit fee is determined by the owner and may range anywhere from 0% to 3%. The withdraw fee is determined based on a set of time intervals that correspond to a fee based on how long a holder has staked their tokens and can range anywhere from 0% to 4%.
  • The owner can use the setWithdrawFee function to modify the interval structure related to the withdraw fee.
  • Funds held in the Strategy contract will then be forwarded for deposit into Pancakeswap farms for yield. Please note that the Strategy contract and Pancakeswap Farms were not included as part of this audit report.
  • Yield from deposits will be denominated in the deposit asset and is additional to a user's earned native token rewards.
  • Rewards are generated via minting of the project's native token. 10% of rewards will be minted to the team.
  • An emergency withdraw function is present, allowing users to withdraw their tokens while ignoring rewards in case of an issue.
  • Users can also earn further (minted) token rewards by referring others to deposit into the contract; they will also receive a commission on the referred user's earnings from staking. There is a separate referral contract that was not reviewed by our team as part of this audit.
  • The owner has the ability to modify the token reward amount for referrals and the commission rate at any time.
  • The owner of the YetiMaster contract can transfer ownership of the HoneyToken contract to a new address at any time. The ability to do so will allow them to mint HoneyTokens to any address at any time.
  • The team worked with us to optimize these contracts for gas efficiency.
  • SafeMath (or similarly safe functions) is used to prevent overflow issues.

Audit Findings Summary
  • Any user has the ability to modify the withdraw fees associated with unstaking from the contract.
  • Ensure trust in the team as they have substantial control in the ecosystem.
  • Further, ensure trust in the team as tokens can be minted if ownership of the HoneyToken contract is transferred.
  • Date: August 11th, 2021.

External Threat Results

Vulnerability Category | Notes | Result
--- | --- | ---
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | PASS
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Flash Loans | N/A | PASS
Integer Over/Underflow | N/A | PASS
Multiple Sends | N/A | PASS
Oracles | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS


Details: HoneyFarm


ERC20 Token Graph

Multi-file Token


($) = payable function
# = non-constant function

Int = Internal
Ext = External
Pub = Public

 + [Int] IBEP20 
    - [Ext] totalSupply
    - [Ext] decimals
    - [Ext] symbol
    - [Ext] name
    - [Ext] getOwner
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Int] functionDelegateCall #
    - [Int] functionDelegateCall #
    - [Prv] _verifyCallResult

 + [Lib] SafeBEP20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 +  ReentrancyGuard 
    - [Int]  #

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 + [Lib] SafeMath 
    - [Int] tryAdd
    - [Int] trySub
    - [Int] tryMul
    - [Int] tryDiv
    - [Int] tryMod
    - [Int] add
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] mod
    - [Int] sub
    - [Int] div
    - [Int] mod

 + [Int] IStrategy 
    - [Ext] wantLockedTotal
    - [Ext] earn #
    - [Ext] deposit #
    - [Ext] withdraw #
    - [Ext] inCaseTokensGetStuck #

 + [Int] IEarningsReferral 
    - [Ext] recordReferral #
    - [Ext] recordReferralCommission #
    - [Ext] getReferrer
    - [Ext] updateOperator #
    - [Ext] drainBEP20Token #

 +  BEP20 (Context, IBEP20, Ownable)
    - [Pub]  #
    - [Ext] getOwner
    - [Pub] name
    - [Pub] decimals
    - [Pub] symbol
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Pub] mint #
       - modifiers: onlyOwner
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _burnFrom #

 +  HoneyToken (BEP20)
    - [Pub]  #
       - modifiers: BEP20
    - [Pub] mint #
       - modifiers: onlyOwner
    - [Int] _transfer #
    - [Pub] updateTransferTaxRate #
       - modifiers: onlyOperator
    - [Pub] operator
    - [Pub] transferOperator #
       - modifiers: onlyOperator

 +  YetiMaster (Ownable, ReentrancyGuard)
    - [Ext] poolLength
    - [Pub]  #
    - [Pub] add #
       - modifiers: onlyOwner
    - [Pub] set #
       - modifiers: onlyOwner,poolExists
    - [Pub] getMultiplier
    - [Ext] pendingEarnings
    - [Pub] massUpdatePools #
    - [Pub] updatePool #
    - [Pub] deposit #
       - modifiers: nonReentrant,poolExists
    - [Pub] withdraw #
       - modifiers: nonReentrant,poolExists
    - [Pub] emergencyWithdraw #
       - modifiers: nonReentrant,poolExists
    - [Int] safeEarningsTransfer #
    - [Pub] inCaseTokensGetStuck #
       - modifiers: onlyOwner
    - [Pub] setDevAddress #
       - modifiers: onlyOwner
    - [Pub] setFeeAddress #
       - modifiers: onlyOwner
    - [Pub] setEarningsReferral #
       - modifiers: onlyOwner
    - [Pub] setReferralCommissionRate #
       - modifiers: onlyOwner
    - [Int] payReferralCommission #
    - [Pub] transferEarningTokenOwnership #
       - modifiers: onlyOwner
    - [Pub] getWithdrawFee
    - [Pub] setWithdrawFee #
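
The finding that any user can modify the withdraw fees is visible in the graph itself: setWithdrawFee is public and state-changing but lists no modifiers. The sketch below is an added example, not part of the audit's tooling; it parses this listing format and reports such functions, assuming that caller-restricting modifiers follow the only* naming seen here (onlyOwner, onlyOperator) and using a constructed excerpt of the YetiMaster section as input.

```python
import re

# Constructed excerpt of the YetiMaster listing in the graph above (same line format).
SAMPLE_GRAPH = """\
 +  YetiMaster (Ownable, ReentrancyGuard)
    - [Ext] poolLength
    - [Pub] add #
       - modifiers: onlyOwner
    - [Pub] deposit #
       - modifiers: nonReentrant,poolExists
    - [Int] safeEarningsTransfer #
    - [Pub] setFeeAddress #
       - modifiers: onlyOwner
    - [Pub] setReferralCommissionRate #
       - modifiers: onlyOwner
    - [Pub] getWithdrawFee
    - [Pub] setWithdrawFee #
"""

CONTRACT = re.compile(r"^\s*\+\s+(?:\[\w+\]\s+)?(\w+)")
FUNCTION = re.compile(r"^\s*-\s+\[(\w+)\]\s+(\w*)\s*(#?)")
MODIFIERS = re.compile(r"^\s*-\s+modifiers:\s*(.+)$")

def parse_graph(text):
    """Parse the graph into dicts: contract, name, visibility, mutates, modifiers."""
    functions, contract = [], None
    for line in text.splitlines():
        if (m := MODIFIERS.match(line)) and functions:
            functions[-1]["modifiers"] = [x.strip() for x in m.group(1).split(",")]
        elif m := FUNCTION.match(line):
            functions.append({"contract": contract, "name": m.group(2),
                              "visibility": m.group(1), "mutates": m.group(3) == "#",
                              "modifiers": []})
        elif m := CONTRACT.match(line):
            contract = m.group(1)
    return functions

def unrestricted_mutators(functions):
    """Externally callable, state-changing functions with no only* modifier
    (assumption: access-control modifiers are named only*, as in this graph)."""
    return [(f["contract"], f["name"]) for f in functions
            if f["visibility"] in ("Pub", "Ext") and f["mutates"] and f["name"]
            and not any(mod.startswith("only") for mod in f["modifiers"])]

def unguarded_setters(functions):
    """Narrow the list to set* functions, which normally change privileged parameters."""
    return [(c, n) for c, n in unrestricted_mutators(functions) if n.startswith("set")]

if __name__ == "__main__":
    for contract, name in unguarded_setters(parse_graph(SAMPLE_GRAPH)):
        print(f"review access control: {contract}.{name}")
```

Functions such as deposit are meant to be callable by anyone, so the broader unrestricted_mutators list is a review queue rather than a list of defects; the set* filter is what isolates setWithdrawFee.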