StarSeed - Smart Contract Audit Report
Summary
StarSeed ($STAR) is building a new yield farming platform on Polygon.
We reviewed StarSeed's MasterChef staking contract at 0x5c72CB5F3cf810fed7434FA4e789C1E68e89889a on the Polygon mainnet.
Notes on the Contract:
- The initial total supply of the $STAR token has yet to be determined by the owner, however the owner can mint tokens at any time up to the maximum supply value that is set to 111,111 $STAR.
- Any user can burn their tokens to reduce the total supply.
- There is a 0.75% 'transfer fee' on all transactions for any address that participates in a transfer. The tokens collected through transfer fee gets sent directly to a wallet controlled by the team.
- Users can stake various LP tokens into the MasterChef contract in order to earn StarSeed tokens.
- There is a fee associated with making a deposit to the contract, set by the owner upon adding the pool. This fee is sent directly to a wallet controlled by the team.
- On both deposits and withdrawals, user's rewards will be calculated and sent to a reward locker contract. This reward locker contract was out of scope for the audit.
- On withdrawals, the user will receive the desired amount of LP tokens; this amount cannot be more than the amount the user has deposited.
- An emergencyWithdraw function exists so users can withdraw without collecting rewards.
- The owner has the ability to add different types of tokens for staking and update reward rates.
- The owner of the MasterChef contract can assign a different owner to the token contract at any time.
- Utilization of SafeMath (or similarily safe functions) across all contracts to prevent overflows.
- The team must exercise caution when adding tokens to avoid fee-on-transfer and ERC777-compliant tokens.
Audit Findings Summary
- No external threats were identified.
- Please ensure trust in the team as they have substantial control in the ecosystem.
- Date: September 14th, 2021
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
MasterChef Contract - Details
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Int] IRewardLocker
- [Ext] lock ($)
- [Ext] lockWithStartBlock ($)
- [Ext] vestCompletedSchedulesForMultipleTokens #
- [Ext] vestScheduleForMultipleTokensAtIndices #
- [Ext] vestCompletedSchedules #
- [Ext] vestScheduleAtIndices #
- [Ext] vestSchedulesInRange #
- [Ext] numVestingSchedules
- [Ext] getVestingScheduleAtIndex
- [Ext] getVestingSchedules
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ ERC20 (Context, IERC20)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _setupDecimals #
- [Int] _beforeTokenTransfer #
+ ERC20Burnable (Context, ERC20)
- [Pub] burn #
- [Pub] burnFrom #
+ StarToken (ERC20, ERC20Burnable, Ownable)
- [Pub] transfer #
- [Pub] transferFrom #
- [Int] _transferFee #
- [Ext] mint #
- modifiers: onlyOwner
+ ReentrancyGuard
- [Int] #
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Prv] _functionCallWithValue #
+ [Lib] SafeERC20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ MasterChefv2 (Ownable, ReentrancyGuard)
- [Pub] #
- [Ext] poolLength
- [Ext] add #
- modifiers: onlyOwner,nonDuplicated
- [Ext] set #
- modifiers: onlyOwner
- [Pub] getMultiplier
- [Ext] pendingStar
- [Pub] massUpdatePools #
- [Pub] updatePool #
- [Ext] deposit #
- modifiers: nonReentrant
- [Ext] withdraw #
- modifiers: nonReentrant
- [Ext] emergencyWithdraw #
- modifiers: nonReentrant
- [Int] _updateUserReward #
- [Ext] harvest #
- modifiers: nonReentrant
- [Ext] harvestMultiple #
- modifiers: nonReentrant
- [Ext] harvestAll #
- modifiers: nonReentrant
- [Int] _lockReward #
- [Ext] setDevAddress #
- modifiers: onlyOwner
- [Ext] updateEmissionRate #
- modifiers: onlyOwner
- [Ext] setStarTransferOwner #
- [Ext] transferStarOwnership #