Taksh - Smart Contract Audit Report

Summary

Taksh is releasing a new smart contract that facilitates a decentralized lottery for users who contribute DAI with contribution rewards being distributed as TAKSH tokens. A randomly selected winner receives all interest accumulated and users are still able to withdraw their original deposited amount.

We reviewed the Taksh Lottery contract at commit 24450a67064aace82ccedc9a944877922638eef7 on the team's private Github repository.

Notes on Lottery contract:
Any address is able to deposit DAI into the contract for a chance to win the lottery as long as the lottery is in Open status.
Those who have deposited DAI are able to withdraw the same amount that was deposited at anytime, as long as the winner is not being determined.
A user is removed from the lottery when they withdraw all of their DAI from the contract.
Users will have to manually withdraw any deposited DAI. It is not automatically returned when a winner is selected.
There are no fees when depositing or withdrawing from the contract.
There is no minimum amount of DAI required to deposit.
The amount of DAI a user deposits does not affect their odds of winning.
A user can deposit multiple times from different addresses to gain more entries in the pool and increase their odds of winning.

All deposited DAI is transferred from the contract to an Aave lending pool.
The DAI will earn interest over time in the lending pool. The accumulated interest is awarded to the winner when the lottery is ended.
Chainlink is used to generate random data securely from off-chain to select lottery winners. This is the industry standard and is resistant to manipulation.
LINK tokens must be supplied to the contract in order to generate the random data.
Users earn rewards in TAKSH tokens based on the time they have contributed DAI to the lending pool.
Users who contribute more DAI will earn more rewards.
The rewards are given at an emission rate which is set by the owner.
Rewards are distributed when users deposit or withdraw.

In the fulfillRandomness function the randomness parameter is shadowed by the randomness state variable; we recommend renaming the state variable to resolve this.
The "startTimestamp" variable is not used and could be removed.

The owner is able to start the lottery at any time.
The owner is able to end the lottery at any time.
The owner is able to withdraw any residual DAI left in the contract at any time. DAI is not held in the contract so this is only accounting for rounding errors.
The owner is able to change the emission rate of TAKSH rewards at any time.
Audit Findings Summary:
No external threats were identified.
Ensure trust team in the team as they have notable control in the ecosystem.
Date: October 8th, 2021

Audit Results

Vulnerability Category	Notes	Result
Logical Issues	N/A	PASS
Arbitrary Storage Write	N/A	PASS
Arbitrary Jump	N/A	PASS
Delegate Call to Untrusted Contract	N/A	PASS
Dependence on Predictable Variables	N/A	PASS
Deprecated Opcodes	N/A	PASS
Ether Thief	N/A	PASS
Exceptions	N/A	PASS
External Calls	N/A	PASS
Flash Loans	N/A	PASS
Integer Over/Underflow	N/A	PASS
Multiple Sends	N/A	PASS
Oracles	N/A	PASS
Suicide	N/A	PASS
State Change External Calls	N/A	PASS
Unchecked Retval	N/A	PASS
User Supplied Assertion	N/A	PASS
Critical Solidity Compiler	N/A	PASS
Overall Contract Safety		PASS

Function Graph

ERC20 Token Graph

Inheritence Chart

Multi-file Token

Functions Overview


 ($) = payable function
 # = non-constant function
 
 + [Lib] SafeMathChainlink 
    - [Int] add
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] mod

 + [Int] LinkTokenInterface 
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] balanceOf
    - [Ext] decimals
    - [Ext] decreaseApproval #
    - [Ext] increaseApproval #
    - [Ext] name
    - [Ext] symbol
    - [Ext] totalSupply
    - [Ext] transfer #
    - [Ext] transferAndCall #
    - [Ext] transferFrom #

 +  VRFRequestIDBase 
    - [Int] makeVRFInputSeed
    - [Int] makeRequestId

 +  VRFConsumerBase (VRFRequestIDBase)
    - [Int] fulfillRandomness #
    - [Int] requestRandomness #
    - [Pub]  #
    - [Ext] rawFulfillRandomness #

 +  Context 
    - [Int]  #
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #

 +  ERC20 (Context, IERC20)
    - [Pub]  #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _setupDecimals #
    - [Int] _beforeTokenTransfer #

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 + [Int] ILendingPoolAddressesProvider 
    - [Ext] getMarketId
    - [Ext] setMarketId #
    - [Ext] setAddress #
    - [Ext] setAddressAsProxy #
    - [Ext] getAddress
    - [Ext] getLendingPool
    - [Ext] setLendingPoolImpl #
    - [Ext] getLendingPoolConfigurator
    - [Ext] setLendingPoolConfiguratorImpl #
    - [Ext] getLendingPoolCollateralManager
    - [Ext] setLendingPoolCollateralManager #
    - [Ext] getPoolAdmin
    - [Ext] setPoolAdmin #
    - [Ext] getEmergencyAdmin
    - [Ext] setEmergencyAdmin #
    - [Ext] getPriceOracle
    - [Ext] setPriceOracle #
    - [Ext] getLendingRateOracle
    - [Ext] setLendingRateOracle #

 + [Lib] DataTypes 

 + [Int] ILendingPool 
    - [Ext] deposit #
    - [Ext] withdraw #
    - [Ext] borrow #
    - [Ext] repay #
    - [Ext] swapBorrowRateMode #
    - [Ext] rebalanceStableBorrowRate #
    - [Ext] setUserUseReserveAsCollateral #
    - [Ext] liquidationCall #
    - [Ext] flashLoan #
    - [Ext] getUserAccountData
    - [Ext] initReserve #
    - [Ext] setReserveInterestRateStrategyAddress #
    - [Ext] setConfiguration #
    - [Ext] getConfiguration
    - [Ext] getUserConfiguration
    - [Ext] getReserveNormalizedIncome
    - [Ext] getReserveNormalizedVariableDebt
    - [Ext] getReserveData
    - [Ext] finalizeTransfer #
    - [Ext] getReservesList
    - [Ext] getAddressesProvider
    - [Ext] setPause #
    - [Ext] paused

 +  Lottery (VRFConsumerBase, Ownable)
    - [Pub]  #
       - modifiers: VRFConsumerBase
    - [Ext] deposit #
    - [Ext] withdraw #
    - [Ext] startLottery #
       - modifiers: onlyOwner
    - [Ext] endLottery #
       - modifiers: onlyOwner
    - [Prv] pickWinner #
    - [Int] depositToAAVE #
    - [Ext] withdrawDust #
       - modifiers: onlyOwner
    - [Int] fulfillRandomness #
    - [Pub] interestEarned
    - [Ext] updateEmissionRate #
       - modifiers: onlyOwner
    - [Pub] getMultiplier
    - [Pub] updatePool #
    - [Ext] pendingTaksh
    - [Int] safeTakshTransfer #

Go Home