Retro DeFi Token & Farm - Smart Contract Audit Report

Summary

TAO Audit Report Retro DeFi intends to build a yield aggregator on the Binance Smart Chain.

For this audit we reviewed the project's Native Farm contract and QBERT (Native) Token contract. We reviewed the contracts at commit 1d9fd8b4bddfa6a5f2b79b807e9cc36ce9c11ee7 and again at commit 6fe987343d82138451c30357bc773e68844411c3 on GitHub. Please note we have not reviewed the project's strategy contracts.

Notes of the Contracts:
  • The total supply of the token is set to 850,000.
  • The owner has the ability to mint tokens at any time.
  • The owner of the token is intended to be the farm contract for the provision of rewards.
  • The contract utilizes SafeMath libraries to prevent overflows along with following the BEP20 standard.

  • Users can stake various tokens into the Farm contract in order to earn QBERT token rewards.
  • There are no fees associated with making a deposit to or withdrawing from the contract.
  • User's tokens will be forwarded to Strategy contracts created by the team to earn yield.
  • Users must trust the team's Strategy implementations as those contracts will hold their funds. We have not reviewed the Strategy contracts at this time, though it's interface hints that the team can remove any tokens from the strategies.
  • Rewards are generated via minting of the QBERT token. Rewards are expected to end in the beginning of August.
  • An emergency withdraw function is present, allowing users to withdraw their tokens while ignoring rewards in case of an issue.
  • The project team can add different types of tokens for staking, and can update the reward rates for each token.
  • Utilization of SafeMath (or similarily safe functions) to prevent overflow issues.
Audit Findings Summary
  • No issues from external attackers were identified.
  • Ensure trust in the team as they can remove users' tokens from the Farm contract at any time, and can update reward rates.
  • Further, ensure trust in the team's Strategy implementations as they will hold users' funds. We have not reviewed those contracts.
  • Date: May 17th, 2021.
  • UpdateDate: May 20th, 2021 - Removal of unneeded function.

External Threat Results

Vulnerability CategoryNotesResult
Arbitrary Storage WriteN/APASS
Arbitrary JumpN/APASS
Delegate Call to Untrusted ContractN/APASS
Dependence on Predictable VariablesN/APASS
Deprecated OpcodesN/APASS
Ether ThiefN/APASS
ExceptionsN/APASS
External CallsN/APASS
Flash LoansN/APASS
Integer Over/UnderflowN/APASS
Multiple SendsN/APASS
OraclesN/APASS
SuicideN/APASS
State Change External CallsN/APASS
Unchecked RetvalN/APASS
User Supplied AssertionN/APASS
Critical Solidity CompilerN/APASS
Overall Contract Safety PASS


Details: Native Token Contract


ERC20 Token Graph

Multi-file Token


($) = payable function
# = non-constant function

Int = Internal
Ext = External
Pub = Public

+  Context 
- [Int] _msgSender
- [Int] _msgData

+ [Lib] SafeMath 
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod

+ [Int] IERC20 
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #

+  ERC20 (Context, IERC20)
- [Pub]  #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _setupDecimals #
- [Int] _beforeTokenTransfer #

+  Ownable (Context)
- [Int]  #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner

+  QBERT (ERC20, Ownable)
- [Pub]  #
- modifiers: ERC20
- [Pub] mint #
- modifiers: onlyOwner


Details: Native Farm Contract


ERC20 Token Graph

Multi-file Token


($) = payable function
# = non-constant function

Int = Internal
Ext = External
Pub = Public

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 +  ERC20 (Context, IERC20)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _setupDecimals #
    - [Int] _beforeTokenTransfer #

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Int] functionDelegateCall #
    - [Int] functionDelegateCall #
    - [Prv] _verifyCallResult

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 + [Lib] EnumerableSet 
    - [Prv] _add #
    - [Prv] _remove #
    - [Prv] _contains
    - [Prv] _length
    - [Prv] _at
    - [Int] add #
    - [Int] remove #
    - [Int] contains
    - [Int] length
    - [Int] at
    - [Int] add #
    - [Int] remove #
    - [Int] contains
    - [Int] length
    - [Int] at
    - [Int] add #
    - [Int] remove #
    - [Int] contains
    - [Int] length
    - [Int] at

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 +  ReentrancyGuard 
    - [Int]  #

 +  NATIVEToken (ERC20)
    - [Pub] mint #

 + [Int] IStrategy 
    - [Ext] wantLockedTotal
    - [Ext] sharesTotal
    - [Ext] earn #
    - [Ext] deposit #
    - [Ext] withdraw #
    - [Ext] inCaseTokensGetStuck #

 +  NativeFarm (Ownable, ReentrancyGuard)
    - [Ext] poolLength
    - [Pub] add #
       - modifiers: onlyOwner
    - [Pub] set #
       - modifiers: onlyOwner
    - [Pub] getMultiplier
    - [Ext] pendingNATIVE
    - [Ext] stakedWantTokens
    - [Pub] massUpdatePools #
    - [Pub] updatePool #
    - [Pub] deposit #
       - modifiers: nonReentrant
    - [Pub] withdraw #
       - modifiers: nonReentrant
    - [Pub] withdrawAll #
       - modifiers: nonReentrant
    - [Pub] emergencyWithdraw #
       - modifiers: nonReentrant
    - [Int] safeNATIVETransfer #
    - [Pub] inCaseTokensGetStuck #
       - modifiers: onlyOwner