Yield Enhancement Labs Finance - Smart Contract Audit Report
Summary
Yield Enhancement Labs (YEL) Finance is building a new multi-chain yield farming platform.
For this audit, we analyzed YEL's Token, Staking contract, and Crowdsale contract provided to us by the team. We
Notes on the Token:
- The initial supply of the token is 0.
- The team has the ability to set any address as a minter of the token.
- Addresses with the Minter role can mint an unlimited amount of tokens at any time.
- Addresses with the Minter role can also use the SwapIn and SwapOut functions, which mirror the mint and burn functions but emit a LogSwapin/LogSwapout event.
- There are no fees on transfers of the token.
- The pausable library is imported but no functions (besides pause()) use the whenNotPaused modifier. As such, this library can be removed.
- Unchecked math is used in multiple places without reason. All math used in the contract should be checked.
Notes on the Staking Contract:
- Users can stake various LP tokens into the Staking contract in order to earn YEL tokens.
- There is a fee associated with making a deposit to the contract, set for each asset pool by the team.
- There is no fee associated with withdrawing from the contract.
- An emergencyWithdraw function exists so users can withdraw without collecting rewards.
- The project team can add different types of tokens for staking, and can update the reward rates for each pool at any time.
- The owner of the contract can also call updateEmissionRate() to update the current reward rate.
- The owner of the contract can update the destination for deposit fees, and update the start block at any time as well.
- The team must be careful not to add the same token twice, and ensure tokens added for staking are not malicious.
- In the safeRewardTransfer function, the third transfer is not in an else statement, so when the contract's reward balance is low, standard withdrawals will fail as they will be attempted twice. It is advisable to use the standard MasterChef logic here (details provided to team).
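The safeRewardTransfer finding above, sketched as an added example (not code from the audit or from YEL's contracts): flawedRewardTransfer is a constructed two-branch reduction of the described defect, and safeRewardTransfer follows the MasterChef pattern the report recommends. The names RewardTransferExample, rewardToken and flawedRewardTransfer are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed illustration of the finding; not the YELStaking source.
contract RewardTransferExample {
    IERC20 public immutable rewardToken; // assumed name for the reward (YEL) token

    constructor(IERC20 _rewardToken) {
        rewardToken = _rewardToken;
    }

    // Flawed shape: the last transfer is outside any else branch.
    // When amount > balance, the capped transfer empties the contract, then the
    // full-amount transfer runs too and reverts on a standard ERC-20, so the
    // calling withdraw reverts for every user while the reward balance is low.
    function flawedRewardTransfer(address to, uint256 amount) internal {
        uint256 bal = rewardToken.balanceOf(address(this));
        if (amount > bal) {
            require(rewardToken.transfer(to, bal), "reward transfer failed");
        }
        require(rewardToken.transfer(to, amount), "reward transfer failed"); // missing else
    }

    // MasterChef-style shape: exactly one transfer per call, capped at the
    // contract's current reward balance, so a low balance pays out what is
    // available instead of reverting.
    function safeRewardTransfer(address to, uint256 amount) internal {
        uint256 bal = rewardToken.balanceOf(address(this));
        if (amount > bal) {
            require(rewardToken.transfer(to, bal), "reward transfer failed");
        } else {
            require(rewardToken.transfer(to, amount), "reward transfer failed");
        }
    }
}
```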
Notes on the Crowdsale Contract:
- This contract allows users to contribute a blockchain's native currency to purchase tokens.
- Prices for tokens are denominated in USD, and at the time of transaction the contract will determine the USD value of the currency provided for a user's purchase.
- Once tokens are purchased up to a threshold value the price of tokens for future purchases will increase.
- The team will set the token price, start/end time, and threshold value at the time of deployment.
- After the presale concludes, users will be able to claim their purchased tokens based upon the amount of the base currency contributed.
- The team can withdraw all of the raised funds and tokens at any time.
Audit Findings Summary:
- No security issues from outside attackers were identified.
- Ensure trust in the team prior to investing as they have notable control in the ecosystem and will need to add liquidity manually after the presale.
- Date: July 9th, 2021
Combined External Threat Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Logical Issues | N/A | PASS |
Multiple Sends | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | | PASS |
YEL Token
Function Graph
Inheritance Chart
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IERC20Metadata (IERC20)
- [Ext] name
- [Ext] symbol
- [Ext] decimals
+ ERC20 (Context, IERC20, IERC20Metadata)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _beforeTokenTransfer #
+ ERC20Burnable (Context, ERC20)
- [Pub] burn #
- [Pub] burnFrom #
+ Pausable (Context)
- [Pub] #
- [Pub] paused
- [Int] _pause #
- modifiers: whenNotPaused
- [Int] _unpause #
- modifiers: whenPaused
+ ERC20Pausable (ERC20, Pausable)
- [Int] _beforeTokenTransfer #
+ [Lib] Counters
- [Int] current
- [Int] increment #
- [Int] decrement #
- [Int] reset #
+ [Lib] ECDSA
- [Int] recover
- [Int] recover
- [Int] toEthSignedMessageHash
- [Int] toTypedDataHash
+ EIP712
- [Pub] #
- [Int] _domainSeparatorV4
- [Prv] _buildDomainSeparator
- [Int] _hashTypedDataV4
+ [Lib] Roles
- [Int] add #
- [Int] remove #
- [Int] has
+ MinterRole
- [Pub] #
- [Pub] isMinter
- [Pub] addMinter #
- modifiers: onlyMinter
- [Pub] renounceMinter #
- [Int] _addMinter #
- [Int] _removeMinter #
+ YELToken (ERC20, ERC20Burnable, ERC20Pausable, MinterRole, Ownable)
- [Pub] #
- modifiers: ERC20
- [Pub] transfer #
- [Pub] approve #
- [Pub] transferFrom #
- [Ext] mint #
- modifiers: onlyMinter
- [Ext] burn #
- modifiers: onlyMinter
- [Ext] Swapin #
- modifiers: onlyMinter
- [Ext] Swapout #
- modifiers: onlyMinter
- [Ext] pause #
- modifiers: onlyOwner,whenNotPaused
- [Ext] unpause #
- modifiers: onlyOwner,whenPaused
- [Int] _beforeTokenTransfer #
YEL Staking
Function Graph
Inheritance Chart
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Prv] _verifyCallResult
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ OwnableData
+ Ownable (OwnableData)
- [Pub] #
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Pub] claimOwnership #
+ [Lib] SafeERC20
- [Int] safeTransfer #
- [Int] safeTransferFrom #
- [Int] safeApprove #
- [Int] safeIncreaseAllowance #
- [Int] safeDecreaseAllowance #
- [Prv] _callOptionalReturn #
+ YELStaking (Ownable)
- [Pub] #
- [Ext] changeEndTime #
- modifiers: onlyOwner
- [Ext] setYelPerSecond #
- modifiers: onlyOwner
- [Ext] poolLength
- [Ext] add #
- modifiers: onlyOwner
- [Ext] set #
- modifiers: onlyOwner
- [Pub] getMultiplier
- [Ext] pendingYel
- [Pub] massUpdatePools #
- [Pub] updatePool #
- [Pub] deposit #
- [Pub] withdraw #
- [Pub] emergencyWithdraw #
- [Int] safeRewardTransfer #
YEL CrowdSale
Function Graph
Inheritance Chart
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] AggregatorV3Interface
- [Ext] decimals
- [Ext] description
- [Ext] version
- [Ext] getRoundData
- [Ext] latestRoundData
+ YELCrowdsale (Ownable)
- [Pub] #
- [Ext] ($)
- [Pub] claimTokens #
- modifiers: claimStart,hasTokensToClaim
- [Ext] withdraw #
- modifiers: onlyOwner
- [Ext] withdrawTokens #
- modifiers: onlyOwner,claimStart
- [Pub] buyTokens ($)
- modifiers: isPresale
- [Int] remainingTokensByMaxPrice #
- [Pub] remainingTokensByCurrentPrice
- [Int] updateTokenPrice #
- [Pub] balanceOf
- [Pub] getPriceInWeiPerToken
- [Pub] getLatestPriceETHUSD
- [Pub] getDecimalsOracle