Risq Protocol - Smart Contract Audit Report
Summary
Risq Protocol is creating a token, staking platform, and options platform.
For this audit we reviewed the project's Risq, RisqWBTCPool, RisqWBTCOptions, RisqStaking, and RisqStakingWBTC contracts. The Risq and RiskStaking contracts are deployed on the Binance Smartchain mainnet at the below addresses, and the Options and Pool contracts were audited using code provided by the project team.
Notes on the Contracts:
RISQ TokenRisqStakingWBTC
- The current total supply of $RISQ is 92,000,000.
- As of the date of this report, 88.35% of tokens are held by a GnosisSafeProxy contract.
- 4 separate TokenVesting contracts each hold 2.717% of tokens.
- Users can burn their own tokens to reduce the total supply.
- No minting functionalities are present.
- This contract complies with the BEP20 standard.
- No ownership-restriction functions are present.
RisqWBTCPool
- This contract is an implementation of the RisqStaking contract.
- Users can deposit RISQ tokens and will receive Risq Staking tokens in a 10,000:1 exchange; the owner defines the RISQ token address upon deployment.
- Users must wait at least 1 day before exchanging Risq Staking tokens back to RISQ tokens.
- Users are entitled to a share of profits from the pool based on the number of Risq Staking tokens they have; at this time the contract has no way to accumulate profits on its own, so the project team must deposit manually in order to fund the profit pool.
RisqWBTCOptions
- In this contract, users stake a once-defined BEP20 token, intended to be WBTC, in exchange for Risq WBTC LP Tokens proportional to the amount that they are contributing to the pool. The staked tokens are then used to provide liquidity to options contracts.
- Portions of the pool's funds will be continuously locked and unlocked for withdraw in order to ensure that a portion of options trader's earnings can be paid out.
- Any time a user deposits funds, the entirety of their staked funds will be locked for a period of time before they can withdraw them. The lockup period is initially set to 2 weeks, however the owner can change this to any value up to 60 days.
- Note that if a user receives LP tokens from a user whose funds are locked, the receiver's lock duration will be set equal to the sender's. Users can opt to accept/not accept locked fund transfers at any time.
- The RisqWBTCOptions contract is the intended owner of this contract.
General Notes
- Users have the ability to create put or call WBTC options with specified periods, strike prices, and amount of WBTC.
- Options must have a specified period within 1 day and 4 weeks.
- The strike fee, which is calculated based on the strike price provided, must be less than the specified option amount.
- A period fee exists which increases based on the period length along with an owner specified implied volatility rate. This rate can be changed by the owner at any time.
- The period and strike fees are sent to the RisqWBTCPool. A percentage of the amount is locked in the RisqWBTCPool to guarantee that a minimum amount will be able to be paid out to the options trader. This percentage can be changed by the owner at any time.
- A 1% settlement fee is taken when an option is created. This percentage cannot be changed, however settlement fee address can be changed by the owner at any time.
- Users have the ability to transfer ownership of their options to a different address.
Audit Findings Summary
- All contracts implement SafeMath to prevent overflows.
- No security issues from outside attackers were identified.
- Ensure trust in the project team as they have some control in the ecosystem.
- Date: October 7th, 2021.
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
Risq Contract
($) = payable function
# = non-constant function
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Prv] _functionCallWithValue #
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ Context
- [Int] _msgSender
- [Int] _msgData
+ BEP20 (Context, IBEP20)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _setupDecimals #
- [Int] _beforeTokenTransfer #
+ ERC20Burnable (Context, BEP20)
- [Pub] burn #
- [Pub] burnFrom #
+ Risq (BEP20, ERC20Burnable)
- [Pub] #
RisqStakingWBTC Contract
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Prv] _functionCallWithValue #
+ BEP20 (Context, IBEP20)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _setupDecimals #
- [Int] _beforeTokenTransfer #
+ [Lib] SafeBEP20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] AggregatorV3Interface
- [Ext] decimals
- [Ext] description
- [Ext] version
- [Ext] getRoundData
- [Ext] latestRoundData
+ [Int] IPancakeRouter01
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] removeLiquidity #
- [Ext] removeLiquidityETH #
- [Ext] removeLiquidityWithPermit #
- [Ext] removeLiquidityETHWithPermit #
- [Ext] swapExactTokensForTokens #
- [Ext] swapTokensForExactTokens #
- [Ext] swapExactETHForTokens ($)
- [Ext] swapTokensForExactETH #
- [Ext] swapExactTokensForETH #
- [Ext] swapETHForExactTokens ($)
- [Ext] quote
- [Ext] getAmountOut
- [Ext] getAmountIn
- [Ext] getAmountsOut
- [Ext] getAmountsIn
+ [Int] ILiquidityPool
- [Ext] unlock #
- [Ext] send #
- [Ext] setLockupPeriod #
- [Ext] totalBalance
+ [Int] IBEPLiquidityPool (ILiquidityPool)
- [Ext] lock #
- [Ext] token
+ [Int] IBNBLiquidityPool (ILiquidityPool)
- [Ext] lock ($)
+ [Int] IRisqStaking
- [Ext] claimProfit #
- [Ext] buy #
- [Ext] sell #
- [Ext] profitOf
+ [Int] IRisqStakingBNB (IRisqStaking)
- [Ext] sendProfit ($)
+ [Int] IRisqStakingBEP20 (IRisqStaking)
- [Ext] sendProfit #
+ [Int] IRisqOptions
- [Ext] options
+ RisqStaking (BEP20, IRisqStaking)
- [Pub] #
- modifiers: BEP20
- [Ext] claimProfit #
- [Ext] buy #
- [Ext] sell #
- modifiers: lockupFree
- [Ext] revertTransfersInLockUpPeriod #
- [Ext] profitOf
- [Int] getUnsaved
- [Int] saveProfit #
- [Int] _beforeTokenTransfer #
- [Int] _transferProfit #
+ RisqStakingWBTC (RisqStaking, IRisqStakingBEP20)
- [Pub] #
- modifiers: RisqStaking
- [Ext] sendProfit #
- [Int] _transferProfit # RisqWBTCOptions Contract
($) = payable function
# = non-constant function
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Prv] _functionCallWithValue #
+ BEP20 (Context, IBEP20)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _setupDecimals #
- [Int] _beforeTokenTransfer #
+ [Lib] SafeBEP20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] AggregatorV3Interface
- [Ext] decimals
- [Ext] description
- [Ext] version
- [Ext] getRoundData
- [Ext] latestRoundData
+ [Int] IPancakeRouter01
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] removeLiquidity #
- [Ext] removeLiquidityETH #
- [Ext] removeLiquidityWithPermit #
- [Ext] removeLiquidityETHWithPermit #
- [Ext] swapExactTokensForTokens #
- [Ext] swapTokensForExactTokens #
- [Ext] swapExactETHForTokens ($)
- [Ext] swapTokensForExactETH #
- [Ext] swapExactTokensForETH #
- [Ext] swapETHForExactTokens ($)
- [Ext] quote
- [Ext] getAmountOut
- [Ext] getAmountIn
- [Ext] getAmountsOut
- [Ext] getAmountsIn
+ [Int] ILiquidityPool
- [Ext] unlock #
- [Ext] send #
- [Ext] setLockupPeriod #
- [Ext] totalBalance
+ [Int] IERCLiquidityPool (ILiquidityPool)
- [Ext] lock #
- [Ext] token
+ [Int] IETHLiquidityPool (ILiquidityPool)
- [Ext] lock ($)
+ [Int] IRisqStaking
- [Ext] claimProfit #
- [Ext] buy #
- [Ext] sell #
- [Ext] profitOf
+ [Int] IRisqStakingETH (IRisqStaking)
- [Ext] sendProfit ($)
+ [Int] IRisqStakingBEP20 (IRisqStaking)
- [Ext] sendProfit #
+ [Int] IRisqOptions
- [Ext] options
+ RisqWBTCPool (IERCLiquidityPool, Ownable, BEP20)
- [Pub] #
- [Ext] setLockupPeriod #
- modifiers: onlyOwner
- [Ext] lock #
- modifiers: onlyOwner
- [Ext] unlock #
- modifiers: onlyOwner
- [Ext] send #
- modifiers: onlyOwner
- [Ext] provide #
- [Ext] withdraw #
- [Ext] shareOf
- [Pub] availableBalance
- [Pub] totalBalance
- [Int] _beforeTokenTransfer #
- [Int] divCeil
+ RisqWBTCOptions (Ownable, IRisqOptions)
- [Pub] #
- [Ext] transferPoolOwnership #
- modifiers: onlyOwner
- [Ext] setImpliedVolRate #
- modifiers: onlyOwner
- [Ext] setSettlementFeeRecipient #
- modifiers: onlyOwner
- [Ext] setOptionCollaterizationRatio #
- modifiers: onlyOwner
- [Ext] create ($)
- [Ext] transfer #
- [Ext] exercise #
- [Ext] unlockAll #
- [Pub] approve #
- [Pub] fees
- [Pub] unlock #
- [Int] getSettlementFee
- [Int] getPeriodFee
- [Int] getStrikeFee
- [Int] payProfit #
- [Int] swapToWBTC #
- [Prv] sqrt