Sugar Bounce MasterChef - Smart Contract Audit Report

Audit Summary

Sugar Bounce is building a new MasterChef staking contract for users to deposit tokens and earn yield.

For this audit, we reviewed the project team's SBMasterChef and Rewarder contracts at commit 9feb77d75953b64628a473610e77906481c85a5b on the team's private GitHub repository.
We previously reviewed the project team's staking contract here.

Audit Findings

Please ensure trust in the team prior to investing as they have some control in the ecosystem.
Date: February 21st, 2022.

Contracts Overview

  • The SBMasterChef contract allows users to stake tokens in order to earn rewards in the form of a designated reward token until the reward tokens are depleted.
  • Users can deposit a specified token into the corresponding staking pool when the contract's reward start time is reached.
  • On deposits and withdrawals, pending rewards are harvested and transferred from the Rewarder contract to the user.
  • Users' rewards are dependent on their amount staked and the pool's reward per share amount.
  • The reward per share amount is calculated using the contract's block reward rate and the pool's allocation point percentage.
  • The user can trigger an emergency withdrawal, which will transfer all the user's deposited tokens to their wallet address, without calculating rewards.

  • The owner can add new staking pools at any time.
  • The owner can change the block reward rate to any value at any time.
  • The owner can change all pools' allocation points at any time.
  • The owner can change the Rewarder address at any time.
  • The owner can withdraw any tokens in the Rewarder contract at any time.
  • The SBMasterChef contract utilizes logic to protect against re-entrancy attacks in applicable functions.
  • The team must be careful not to add the same token twice and must exercise caution when adding tokens to avoid fee-on-transfer (unless the proper exemptions are made).
  • As the contracts are implemented using Solidity v0.8.x, which checks arithmetic and reverts on overflow/underflow by default, they are safe from any possible overflow/underflow attacks.
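
The reward-per-share accounting described above, and the reason the same token must not be added twice, shown as an added Python model that is not the project's code. It assumes the common MasterChef design in which a pool's staked supply is read from the contract's balance of the pool token; the class, method names and numbers are constructed for illustration.

```python
# Added illustration, not the audited SBMasterChef source. Assumption: a pool's
# staked supply is the contract's balance of the pool token (common MasterChef design).
PRECISION = 10**12

class Chef:
    def __init__(self, reward_per_block):
        self.rpb, self.total_alloc = reward_per_block, 0
        self.pools, self.stakes, self.held, self.paid = [], {}, {}, {}

    def add(self, token, alloc, block):
        self.total_alloc += alloc
        self.pools.append({"token": token, "alloc": alloc, "last": block, "acc": 0})
        return len(self.pools) - 1

    def _update(self, pool, block):
        supply = self.held.get(pool["token"], 0)  # shared if a token is reused
        if block > pool["last"] and supply:
            # block reward rate scaled by the pool's allocation point percentage
            minted = (block - pool["last"]) * self.rpb * pool["alloc"] // self.total_alloc
            pool["acc"] += minted * PRECISION // supply  # reward per staked unit
        pool["last"] = block

    def _change(self, pid, user, delta, block):
        pool = self.pools[pid]
        self._update(pool, block)
        stake = self.stakes.setdefault((pid, user), [0, 0])  # [amount, reward_debt]
        if stake[0] + delta < 0:
            raise ValueError("withdraw exceeds stake")
        # harvest: accrued share minus what was already accounted for
        owed = stake[0] * pool["acc"] // PRECISION - stake[1]
        self.paid[user] = self.paid.get(user, 0) + owed
        stake[0] += delta
        self.held[pool["token"]] = self.held.get(pool["token"], 0) + delta
        stake[1] = stake[0] * pool["acc"] // PRECISION

    def deposit(self, pid, user, amount, block):
        self._change(pid, user, amount, block)

    def withdraw(self, pid, user, amount, block):
        self._change(pid, user, -amount, block)

def run(duplicate_token):
    chef = Chef(reward_per_block=100)
    a = chef.add("LP", 50, block=0)
    b = chef.add("LP" if duplicate_token else "LP2", 50, block=0)
    chef.deposit(a, "alice", 1000, block=0)
    chef.deposit(b, "bob", 1000, block=0)
    chef.withdraw(a, "alice", 1000, block=10)
    chef.withdraw(b, "bob", 1000, block=10)
    return chef.paid["alice"], chef.paid["bob"]
```

With distinct tokens `run(False)` pays each staker the pool's full 500 over ten blocks. With the duplicated token `run(True)` divides the first pool's rewards by the combined balance, so alice is paid 250 and the rest of that pool's emission is left undistributed.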

External Threat Results

Vulnerability Category | Notes | Result
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Centralization of Control | N/A | PASS
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | PASS
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Flash Loans | N/A | PASS
Integer Over/Underflow | N/A | PASS
Logical Issues | N/A | PASS
Multiple Sends | N/A | PASS
Oracles | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS

SBMasterChef Contract

Token Graph

Multi-file Token

($) = payable function
 # = non-constant function

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 +  ReentrancyGuard 
    - [Pub]  #

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 + [Int] IRewarder 
    - [Ext] onSBReward #

 + [Lib] TransferHelper 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #

 +  SBMasterChef (Ownable, ReentrancyGuard)
    - [Pub]  #
    - [Ext] poolLength
    - [Ext] setRewarder #
       - modifiers: onlyOwner
    - [Ext] setSBPerBlock #
       - modifiers: onlyOwner
    - [Ext] add #
       - modifiers: onlyOwner,nonReentrant
    - [Ext] set #
       - modifiers: onlyOwner
    - [Ext] pendingRewards
    - [Ext] updatePool #
       - modifiers: nonReentrant
    - [Prv] _updatePool #
    - [Ext] deposit #
       - modifiers: nonReentrant
    - [Ext] withdraw #
       - modifiers: nonReentrant
    - [Prv] harvest #
    - [Ext] emergencyWithdraw #
       - modifiers: nonReentrant

Rewarder Contract

BEP20 Token Graph

Multi-file Token

($) = payable function
 # = non-constant function

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Pub]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner
    - [Int] _transferOwnership #

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IRewarder 
    - [Ext] onSBReward #

 + [Lib] TransferHelper 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #

 +  Rewarder (IRewarder, Ownable)
    - [Pub]  #
    - [Ext] onSBReward #
       - modifiers: onlyMasterChef
    - [Ext] withdrawAsset #
       - modifiers: onlyOwner