STAR - Smart Contract Audit Report

Summary

STAR ($STAR) is building a new yield farming platform on the Polygon Network.

For this audit, we analyzed the STAR Token contract and MasterChef contract on the Polygon mainnet.

  • Token Contract: 0xC6e2e8395A671eE3f6f55177F8Fe5984D5dA7741
  • MasterChef Contract: 0x56658E666Da404dD23107306453c7c8dE6351776

  • Notes on the Token Contract:
    • The total supply of the token is set to ~111 thousand $STAR [111,111].
    • No mint or burn functions are present, though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.
    • At the time of writing this report, 99.98% of the total supply belongs to the deployer.

    • There is a Tax fee, Liquidity fee, FundOrBurn Fee, and Dev fee on all transfers where neither the sender nor the recipient is excluded from fees.
    • The tokens collected from the tax fee are removed from the circulating supply. This serves as a frictionless fee redistribution that automatically benefits all token holders at the time of each transaction.
    • The tokens collected from the liquidity fee during transfers are stored in the contract address balance. Once the threshold number of tokens (determined by the owner) is met, the tokens are swapped for ETH and sent back to the contract address.
    • On each transfer to Uniswap that occurs while the minimum threshold of ETH in the contract and tokens being sold (both determined by the owner) are met, the protocol will spend 1% of its ETH balance toward buying $STAR tokens that are subsequently burned.
    • Although the swap and liquify verbiage exists in the code, there are no automatic liquidity-adds supported by the protocol as the buyback mechanism is used instead.
    • If neither the sender nor the recipient of a transfer is a contract address, the tokens collected from the FundOrBurn fee are burned to reduce the total supply. If either the sender or the recipient of a transfer is a contract address, the tokens are sent to the team's Donation wallet.
    • The tokens collected from the dev fee are sent to the team's Investment Fund wallet.
    • Although the SafeMath library is utilized, the contract is deployed with Solidity v0.8.9 which has built-in overflow checks. SafeMath could be safely removed to reduce contract size and deployment costs.
    • Some gas optimizations can be achieved by declaring functions external instead of public, and by declaring some state variables constant. As this contract is already deployed, this is merely informational.

    • Ownership Controls of the Token Contract:
    • Ownership has not been renounced.
    • The owner can modify the Tax fee, Liquidity fee, FundOrBurn Fee, and Dev fee to any percentages up to 1% at any time.
    • The owner can exclude and include accounts from transfer fees and reward distribution.
    • The owner can set and update a maximum transaction amount at any time, which will impose a limit on the number of tokens that can be transferred during any given transaction. The owner can also exclude accounts from this restriction.
    • The owner can enable/disable the token swapping functionality, and set the threshold number of tokens related to it to any value at any time.
    • The owner can set the threshold amount of ETH needed to trigger the buyback mechanism, as well as the minimum number of tokens that must be sold to trigger the buyback mechanism.
    • The owner can manually initiate the buyback mechanism at any time.
    • The owner can enable/disable the buyback mechanism at any time.
    Notes on the MasterChef Contract:
    • Users can stake various tokens in this contract to earn rewards in the form of the project's native $STAR token.
    • There is a fee associated with making a deposit to the contract, set by the team upon adding the pool. The tokens collected from the deposit fee are allocated to the team.
    • Pending rewards are automatically distributed to users upon each deposit and withdrawal.
    • A user can also manually claim their rewards as long as the interval time that was set by the team upon adding the pool has passed between claims.
    • An emergency withdraw function is present, allowing users to withdraw their tokens in case of an issue, but that user's rewards will be forfeited.
    • The MasterChef staking contract should not be used with deflationary, fee-on-transfer, or ERC-777 tokens. If a fee-on-transfer token is added as a staking asset, the contract must be exempt from transfer fees; otherwise an outside attacker could mint an extremely large amount of reward tokens, making it possible to drain the liquidity pool.
    • The team is responsible for properly allocating tokens to the MasterChef contract in order for rewards to be paid out to users.
    • The contract utilizes ReentrancyGuard to prevent re-entrancy attacks in applicable functions.

    • Ownership Controls of the MasterChef Contract:
    • The owner can update the address of the token contract used for rewards.
    • The owner can manually claim the tokens collected from the deposit fee at any time.
    • The owner can create a new staking pool at any time. The deposit fee for new pools cannot exceed 1%.
    • The owner can assign an address to an operator role. The assigned operator has access to specific functionality in the contract.
    • The operator can modify the allocation points for each staking pool at any time.
    • The operator can modify the emissions rate of the contract to any value under 756.

    Audit Findings Summary
    • No external threats were identified.
    • Please ensure trust in the team prior to investing as they have substantial control in the ecosystem and currently own 99.98% of the token supply.
    • Date: January 5th, 2022.
    Resolved Issues
    • The team addressed an issue regarding the use of a fee-on-transfer token in the MasterChef contract. The MasterChef contract has been properly excluded from fees and the antiwhale restriction.
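
The accounting gap behind the fee-on-transfer warning in the MasterChef notes, and the two ways to close it (exempting the staking contract from fees, as described in the resolved issue, or crediting the measured balance change), shown as an added Python model that is not the audited contracts' code. The 4% combined fee, the account labels and the deposit amounts are constructed, and rewards and the deposit fee are left out.

```python
# Added example: a simplified model, not the audited contract's code.
from collections import defaultdict

POOL = "masterchef"      # hypothetical account label for the staking contract
FEE_BPS = 400            # constructed: 4% combined transfer fee


class FeeOnTransferToken:
    """Token that keeps a fee on transfers unless either side is fee-exempt."""

    def __init__(self, fee_bps, exempt=()):
        self.fee_bps = fee_bps
        self.exempt = set(exempt)
        self.balances = defaultdict(int)

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        charged = src not in self.exempt and dst not in self.exempt
        fee = amount * self.fee_bps // 10_000 if charged else 0
        self.balances[src] -= amount
        self.balances[dst] += amount - fee   # fee never reaches the recipient


class StakingPool:
    """Deposit accounting only; rewards and the deposit fee are left out."""

    def __init__(self, token, measure_received):
        self.token = token
        self.measure_received = measure_received
        self.staked = defaultdict(int)

    def deposit(self, user, amount):
        before = self.token.balances[POOL]
        self.token.transfer(user, POOL, amount)
        received = self.token.balances[POOL] - before
        # Hardened form credits what arrived; naive form trusts the argument.
        self.staked[user] += received if self.measure_received else amount

    def shortfall(self):
        """Credited stake minus tokens actually held; must never be positive."""
        return sum(self.staked.values()) - self.token.balances[POOL]


def run(pool_exempt, measure_received, deposits=(1_000, 1_000)):
    token = FeeOnTransferToken(FEE_BPS, exempt={POOL} if pool_exempt else ())
    pool = StakingPool(token, measure_received)
    for i, amount in enumerate(deposits):
        user = f"user{i}"
        token.balances[user] = amount        # constructed starting balance
        pool.deposit(user, amount)
    return pool.shortfall()
```

A positive `shortfall()` means the pool owes stakers more than it holds; the same comparison of credited stake against the staking contract's token balance can be run as a monitoring check on a deployed pool.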

    Audit Results

    | Vulnerability Category | Notes | Result |
    |---|---|---|
    | Arbitrary Storage Write | N/A | PASS |
    | Arbitrary Jump | N/A | PASS |
    | Centralization of Control | The team currently owns 99.98% of the token supply. | PASS |
    | Delegate Call to Untrusted Contract | N/A | PASS |
    | Dependence on Predictable Variables | N/A | PASS |
    | Deprecated Opcodes | N/A | PASS |
    | Ether Thief | N/A | PASS |
    | Exceptions | N/A | PASS |
    | External Calls | N/A | PASS |
    | Flash Loans | N/A | PASS |
    | Integer Over/Underflow | N/A | PASS |
    | Logical Issues | The team added a fee-on-transfer token to the MasterChef contract but has resolved this issue by excluding the MasterChef contract from fees and the antiwhale restriction. | PASS |
    | Multiple Sends | N/A | PASS |
    | Oracles | N/A | PASS |
    | Suicide | N/A | PASS |
    | State Change External Calls | N/A | PASS |
    | Unchecked Retval | N/A | PASS |
    | User Supplied Assertion | N/A | PASS |
    | Critical Solidity Compiler | N/A | PASS |
    | Overall Contract Safety | | PASS |

    Details: STAR Token

    ERC20 Token Graph

    Multi-file Token

    
     ($) = payable function
     # = non-constant function
     
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     + [Lib] SafeMath 
        - [Int] tryAdd
        - [Int] trySub
        - [Int] tryMul
        - [Int] tryDiv
        - [Int] tryMod
        - [Int] add
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] mod
        - [Int] sub
        - [Int] div
        - [Int] mod
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Int] functionStaticCall
        - [Int] functionStaticCall
        - [Int] functionDelegateCall #
        - [Int] functionDelegateCall #
        - [Int] verifyCallResult
    
     +  Ownable (Context)
        - [Pub]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     + [Int] IUniswapV2Factory 
        - [Ext] feeTo
        - [Ext] feeToSetter
        - [Ext] getPair
        - [Ext] allPairs
        - [Ext] allPairsLength
        - [Ext] createPair #
        - [Ext] setFeeTo #
        - [Ext] setFeeToSetter #
    
     + [Int] IUniswapV2Router01 
        - [Ext] factory
        - [Ext] WETH
        - [Ext] addLiquidity #
        - [Ext] addLiquidityETH ($)
        - [Ext] removeLiquidity #
        - [Ext] removeLiquidityETH #
        - [Ext] removeLiquidityWithPermit #
        - [Ext] removeLiquidityETHWithPermit #
        - [Ext] swapExactTokensForTokens #
        - [Ext] swapTokensForExactTokens #
        - [Ext] swapExactETHForTokens ($)
        - [Ext] swapTokensForExactETH #
        - [Ext] swapExactTokensForETH #
        - [Ext] swapETHForExactTokens ($)
        - [Ext] quote
        - [Ext] getAmountOut
        - [Ext] getAmountIn
        - [Ext] getAmountsOut
        - [Ext] getAmountsIn
    
     + [Int] IUniswapV2Router02 (IUniswapV2Router01)
        - [Ext] removeLiquidityETHSupportingFeeOnTransferTokens #
        - [Ext] removeLiquidityETHWithPermitSupportingFeeOnTransferTokens #
        - [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
        - [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
        - [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
    
     + [Int] ERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     +  StarToken (Context, ERC20, Ownable)
        - [Pub]  #
        - [Pub] name
        - [Pub] symbol
        - [Pub] decimals
        - [Pub] totalSupply
        - [Pub] balanceOf
        - [Pub] transfer #
        - [Pub] allowance
        - [Pub] approve #
        - [Pub] transferFrom #
        - [Pub] increaseAllowance #
        - [Pub] decreaseAllowance #
        - [Pub] isExcludedFromReward
        - [Pub] totalFees
        - [Pub] minimumTokensBeforeSwapAmount
        - [Pub] buyBackUpperLimitAmount
        - [Pub] reflectionFromToken
        - [Pub] tokenFromReflection
        - [Pub] excludeFromReward #
           - modifiers: onlyOwner
        - [Ext] includeInReward #
           - modifiers: onlyOwner
        - [Pub] isExcludedFromAntiWhale
        - [Pub] setExcludedFromAntiWhale #
           - modifiers: onlyOwner
        - [Pub] isIncludedInStarLpList
        - [Pub] setIncludeInStarLpList #
           - modifiers: onlyOwner
        - [Prv] _approve #
        - [Prv] _transfer #
        - [Pub] setMinimumBalanceRequired #
           - modifiers: onlyOwner
        - [Pub] setMinimumSellOrderAmount #
           - modifiers: onlyOwner
        - [Prv] swapTokens #
           - modifiers: lockTheSwap
        - [Prv] buyBackTokens #
           - modifiers: lockTheSwap
        - [Prv] swapTokensForEth #
        - [Prv] swapETHForTokens #
        - [Prv] _tokenTransfer #
        - [Prv] _transferStandard #
        - [Prv] _transferToExcluded #
        - [Prv] _transferFromExcluded #
        - [Prv] _transferBothExcluded #
        - [Prv] _reflectFee #
        - [Prv] _getValues
        - [Prv] _getTValues
        - [Prv] _getRValues
        - [Prv] _getRate
        - [Prv] _getCurrentSupply
        - [Prv] _takeLiquidity #
        - [Prv] _takeFundOrBurn #
        - [Prv] _takeDev #
        - [Prv] calculateTaxFee
        - [Prv] calculateDevFee
        - [Prv] calculateFundOrBurnFee
        - [Prv] calculateLiquidityFee
        - [Prv] removeAllFee #
        - [Prv] restoreAllFee #
        - [Pub] isExcludedFromFee
        - [Pub] excludeFromFee #
           - modifiers: onlyOwner
        - [Pub] includeInFee #
           - modifiers: onlyOwner
        - [Ext] setTaxFeePercent #
           - modifiers: onlyOwner
        - [Ext] setFundOrBurnFeePercent #
           - modifiers: onlyOwner
        - [Ext] setDevFeePercent #
           - modifiers: onlyOwner
        - [Ext] setLiquidityFeePercent #
           - modifiers: onlyOwner
        - [Ext] setMaxTxAmount #
           - modifiers: onlyOwner
        - [Ext] setNumTokensSellToAddToLiquidity #
           - modifiers: onlyOwner
        - [Ext] setBuybackUpperLimit #
           - modifiers: onlyOwner
        - [Pub] setSwapAndLiquifyEnabled #
           - modifiers: onlyOwner
        - [Prv] swapAndLiquify #
           - modifiers: lockTheSwap
        - [Prv] addLiquidity #
        - [Pub] setBuyBackEnabled #
           - modifiers: onlyOwner
        - [Pub] buyBackAndBurn #
           - modifiers: onlyOwner
        - [Ext]  ($)
    							

    Details: MasterChef

    ERC20 Token Graph

    Multi-file Token

    
     ($) = payable function
     # = non-constant function
     
     +  Context 
        - [Int] _msgSender
        - [Int] _msgData
    
     + [Lib] SafeMath 
        - [Int] tryAdd
        - [Int] trySub
        - [Int] tryMul
        - [Int] tryDiv
        - [Int] tryMod
        - [Int] add
        - [Int] sub
        - [Int] mul
        - [Int] div
        - [Int] mod
        - [Int] sub
        - [Int] div
        - [Int] mod
    
     + [Int] IERC20 
        - [Ext] totalSupply
        - [Ext] balanceOf
        - [Ext] transfer #
        - [Ext] allowance
        - [Ext] approve #
        - [Ext] transferFrom #
    
     + [Lib] Address 
        - [Int] isContract
        - [Int] sendValue #
        - [Int] functionCall #
        - [Int] functionCall #
        - [Int] functionCallWithValue #
        - [Int] functionCallWithValue #
        - [Int] functionStaticCall
        - [Int] functionStaticCall
        - [Int] functionDelegateCall #
        - [Int] functionDelegateCall #
        - [Int] verifyCallResult
    
     + [Lib] SafeERC20 
        - [Int] safeTransfer #
        - [Int] safeTransferFrom #
        - [Int] safeApprove #
        - [Int] safeIncreaseAllowance #
        - [Int] safeDecreaseAllowance #
        - [Prv] _callOptionalReturn #
    
     +  Ownable (Context)
        - [Pub]  #
        - [Pub] owner
        - [Pub] renounceOwnership #
           - modifiers: onlyOwner
        - [Pub] transferOwnership #
           - modifiers: onlyOwner
        - [Int] _transferOwnership #
    
     +  ReentrancyGuard 
        - [Pub]  #
    
     +  StarSeedsMasterchef (Ownable, ReentrancyGuard)
        - [Pub]  #
        - [Pub] operator
        - [Ext] poolLength
        - [Ext] totalAllocation
        - [Pub] canHarvest
        - [Ext] remainingRewards
        - [Pub] getMultiplier
        - [Pub] pendingStar
        - [Ext] getDepositFees
           - modifiers: onlyOwner
        - [Pub] setDevAddress #
        - [Ext] setstarContractAddress #
           - modifiers: onlyOwner
        - [Pub] transferOperator #
           - modifiers: onlyOperator
        - [Pub] add #
           - modifiers: onlyOwner
        - [Pub] set #
           - modifiers: onlyOwner
        - [Ext] updateBonus #
           - modifiers: onlyOwner
        - [Ext] collectFees #
           - modifiers: onlyOwner
        - [Pub] massUpdatePools #
        - [Pub] updatePool #
        - [Pub] startFarming #
           - modifiers: onlyOperator
        - [Pub] updateEmissionRate #
           - modifiers: onlyOperator
        - [Pub] updateAllocPoint #
           - modifiers: onlyOperator
        - [Ext] fundMasterChef #
           - modifiers: onlyOperator
        - [Ext] setStarId #
           - modifiers: onlyOwner
        - [Pub] deposit #
           - modifiers: nonReentrant
        - [Pub] withdraw #
           - modifiers: nonReentrant
        - [Pub] emergencyWithdraw #
           - modifiers: nonReentrant
        - [Pub] harvestStar #
           - modifiers: nonReentrant
        - [Pub] compound #
        - [Int] payOrLockupPendingStar #
        - [Int] safeStarTransfer #