ZABU Finance - Smart Contract Audit Report
ZABU Finance is building a new yield farming platform on the Avalanche Network.For this audit, we analyzed ZABU Finance's MasterChef staking contract. We reviewed the team's code on 0xd0f3121A190d85dE0AB6131f2bCEcdbfcfB38891 on the Avax Network.
Notes on the Contract:
- The initial total supply of the $ZABU token has yet to be determined by the owner, however the owner can mint tokens up to any amount at any time.
- The owner of the token contract has been properly set to the MasterChef staking contract for the provision of staking rewards.
- The token is designed to be a governance token where 1 token = 1 vote.
- Token holders can delegate their voting rights to any address. To save gas, users can also do so using an EIP-712 signature.
- Users can stake various tokens in this contract to earn rewards in the form of the project's native $ZABU token.
- There is a fee associated with making a withdrawal from the contract, set by the team upon adding the pool. The fee is directed to a wallet controlled by the team and its percentage can be updated at any time.
- An emergencyWithdraw function exists so users can withdraw without collecting rewards. The withdraw fee is applied on emergency withdrawals.
- The developers will be minted some tokens from rewards to incentivize further development.
- The team must exercise caution as to not add the same token twice for staking.
- The contract utilizes SafeMath (or similarily safe functions) to prevent overflows; and also uses ReentrancyGuard to prevent reentrancy via ERC777-compliant tokens.
- The team must exercise caution when adding tokens to avoid fee-on-transfer and ERC777-compliant tokens.
Audit Findings Summary:
- No security issues from outside attackers were identified.
- Ensure trust in the team as they have some control in the ecosystem.
- Date: September 18th, 2021
External Threat Results
|Arbitrary Storage Write||N/A||PASS|
|Delegate Call to Untrusted Contract||N/A||PASS|
|Dependence on Predictable Variables||N/A||PASS|
|State Change External Calls||N/A||PASS|
|User Supplied Assertion||N/A||PASS|
|Critical Solidity Compiler||N/A||PASS|
|Overall Contract Safety||PASS|
Details: MasterChef Staking
($) = payable function # = non-constant function Int = Internal Ext = External Pub = Public + Context - [Int] _msgSender - [Int] _msgData + Ownable (Context) - [Int]
# - [Pub] owner - [Pub] renounceOwnership # - modifiers: onlyOwner - [Pub] transferOwnership # - modifiers: onlyOwner + [Lib] SafeMath - [Int] add - [Int] sub - [Int] sub - [Int] mul - [Int] div - [Int] div - [Int] mod - [Int] mod + [Lib] Address - [Int] isContract - [Int] sendValue # - [Int] functionCall # - [Int] functionCall # - [Int] functionCallWithValue # - [Int] functionCallWithValue # - [Prv] _functionCallWithValue # + [Int] IERC20 - [Ext] totalSupply - [Ext] balanceOf - [Ext] transfer # - [Ext] allowance - [Ext] approve # - [Ext] transferFrom # + ERC20 (Context, IERC20, Ownable) - [Pub] # - [Pub] name - [Pub] symbol - [Pub] decimals - [Pub] totalSupply - [Pub] balanceOf - [Pub] transfer # - [Pub] allowance - [Pub] approve # - [Pub] transferFrom # - [Pub] increaseAllowance # - [Pub] decreaseAllowance # - [Int] _transfer # - [Int] _mint # - [Int] _burn # - [Int] _approve # - [Int] _setupDecimals # - [Int] _beforeTokenTransfer # + [Lib] SafeERC20 - [Int] safeTransfer # - [Int] safeTransferFrom # - [Int] safeApprove # - [Int] safeIncreaseAllowance # - [Int] safeDecreaseAllowance # - [Prv] _callOptionalReturn # + ReentrancyGuard - [Int] # + ZABU (ERC20) - [Pub] mint # - modifiers: onlyOwner - [Ext] delegates - [Ext] delegate # - [Ext] delegateBySig # - [Ext] getCurrentVotes - [Ext] getPriorVotes - [Int] _delegate # - [Int] _moveDelegates # - [Int] _writeCheckpoint # - [Int] safe32 - [Int] getChainId + MasterChef (Ownable, ReentrancyGuard) - [Pub] # - [Ext] poolLength - [Ext] add # - modifiers: onlyOwner,nonDuplicated - [Ext] set # - modifiers: onlyOwner - [Pub] getMultiplier - [Ext] pendingZabu - [Pub] massUpdatePools # - [Pub] updatePool # - [Ext] deposit # - modifiers: nonReentrant - [Ext] withdraw # - modifiers: nonReentrant - [Ext] emergencyWithdraw # - modifiers: nonReentrant - [Int] safeZabuTransfer # - [Ext] setDevAddress # - modifiers: onlyOwner - [Ext] setTreasuryAddress # - modifiers: onlyOwner - [Ext] setFeeAddress # - modifiers: onlyOwner - [Ext] updateEmissionRate # - modifiers: onlyOwner - [Ext] updateStartBlock # - modifiers: onlyOwner