ZABU Finance - Smart Contract Audit Report

Summary

ZABU Finance is building a new yield farming platform on the Avalanche Network.

For this audit, we analyzed ZABU Finance's MasterChef staking contract. We reviewed the team's code at 0xd0f3121A190d85dE0AB6131f2bCEcdbfcfB38891 on the Avax Network.

Notes on the Contract:
  • The initial total supply of the $ZABU token has yet to be determined by the owner; however, the owner can mint tokens up to any amount at any time.
  • The owner of the token contract has been properly set to the MasterChef staking contract for the provision of staking rewards.
  • The token is designed to be a governance token where 1 token = 1 vote.
  • Token holders can delegate their voting rights to any address. To save gas, users can also do so using an EIP-712 signature.

  • Users can stake various tokens in this contract to earn rewards in the form of the project's native $ZABU token.
  • There is a fee associated with making a withdrawal from the contract, set by the team upon adding the pool. The fee is directed to a wallet controlled by the team and its percentage can be updated at any time.
  • An emergencyWithdraw function exists so users can withdraw without collecting rewards. The withdraw fee is applied on emergency withdrawals.
  • Some tokens from rewards will be minted to the developers to incentivize further development.
  • The team must exercise caution not to add the same token twice for staking.
  • The contract utilizes SafeMath (or similarly safe functions) to prevent overflows, and also uses ReentrancyGuard to prevent reentrancy via ERC777-compliant tokens.
  • The team must exercise caution when adding tokens to avoid fee-on-transfer and ERC777-compliant tokens.
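
Added example (not part of the audit report and not ZABU's contract code): a simplified Python model of why the fee-on-transfer caveat above matters for a MasterChef-style pool, comparing accounting that credits the requested amount with accounting that credits the measured balance change. The token, the 2% transfer fee, the user names and all amounts are constructed, and the pool's own withdrawal fee and reward logic are left out.

```python
from collections import defaultdict

class FeeOnTransferToken:
    """Constructed ERC20-like ledger that burns fee_bps of every transfer."""
    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balance = defaultdict(int)

    def transfer(self, src, dst, amount):
        if self.balance[src] < amount:
            raise ValueError("transfer amount exceeds balance")  # on-chain: revert
        self.balance[src] -= amount
        self.balance[dst] += amount - amount * self.fee_bps // 10_000

class Pool:
    """MasterChef-style pool model; measure_received turns on the hardened path."""
    def __init__(self, token, measure_received):
        self.token, self.measure_received = token, measure_received
        self.staked = defaultdict(int)  # credited stake per user

    def deposit(self, user, amount):
        before = self.token.balance["pool"]
        self.token.transfer(user, "pool", amount)
        received = self.token.balance["pool"] - before
        # Naive accounting trusts the requested amount; hardened uses the delta.
        self.staked[user] += received if self.measure_received else amount

    def withdraw(self, user):
        self.token.transfer("pool", user, self.staked[user])
        self.staked[user] = 0

    def shortfall(self):
        return sum(self.staked.values()) - self.token.balance["pool"]

def run(measure_received, fee_bps=200):
    """Two users stake 1,000 each, then both exit; returns (shortfall, last exit ok)."""
    token = FeeOnTransferToken(fee_bps)
    pool = Pool(token, measure_received)
    for user in ("alice", "bob"):
        token.balance[user] = 1_000
        pool.deposit(user, 1_000)
    gap = pool.shortfall()
    pool.withdraw("alice")
    try:
        pool.withdraw("bob")
    except ValueError:
        return gap, False
    return gap, True
```

With the naive path the pool owes 40 more tokens than it holds and the last user's withdrawal fails; crediting the measured delta keeps the pool solvent.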


Audit Findings Summary:
  • No security issues from outside attackers were identified.
  • Ensure trust in the team as they have some control in the ecosystem.
  • Date: September 18th, 2021

External Threat Results

Vulnerability Category | Notes | Result
--- | --- | ---
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | PASS
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Integer Over/Underflow | N/A | PASS
Multiple Sends | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS


Details: MasterChef Staking


Function Graph

[Figure: Smart Contract Graph]

Inheritance Chart

[Figure: Smart Contract Inheritance]

Functions Overview


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Int] <Constructor> #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Prv] _functionCallWithValue #

 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 +  ERC20 (Context, IERC20, Ownable)
    - [Pub] <Constructor> #
    - [Pub] name
    - [Pub] symbol
    - [Pub] decimals
    - [Pub] totalSupply
    - [Pub] balanceOf
    - [Pub] transfer #
    - [Pub] allowance
    - [Pub] approve #
    - [Pub] transferFrom #
    - [Pub] increaseAllowance #
    - [Pub] decreaseAllowance #
    - [Int] _transfer #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _approve #
    - [Int] _setupDecimals #
    - [Int] _beforeTokenTransfer #

 + [Lib] SafeERC20 
    - [Int] safeTransfer #
    - [Int] safeTransferFrom #
    - [Int] safeApprove #
    - [Int] safeIncreaseAllowance #
    - [Int] safeDecreaseAllowance #
    - [Prv] _callOptionalReturn #

 +  ReentrancyGuard 
    - [Int] <Constructor> #

 +  ZABU (ERC20)
    - [Pub] mint #
       - modifiers: onlyOwner
    - [Ext] delegates
    - [Ext] delegate #
    - [Ext] delegateBySig #
    - [Ext] getCurrentVotes
    - [Ext] getPriorVotes
    - [Int] _delegate #
    - [Int] _moveDelegates #
    - [Int] _writeCheckpoint #
    - [Int] safe32
    - [Int] getChainId

 +  MasterChef (Ownable, ReentrancyGuard)
    - [Pub] <Constructor> #
    - [Ext] poolLength
    - [Ext] add #
       - modifiers: onlyOwner,nonDuplicated
    - [Ext] set #
       - modifiers: onlyOwner
    - [Pub] getMultiplier
    - [Ext] pendingZabu
    - [Pub] massUpdatePools #
    - [Pub] updatePool #
    - [Ext] deposit #
       - modifiers: nonReentrant
    - [Ext] withdraw #
       - modifiers: nonReentrant
    - [Ext] emergencyWithdraw #
       - modifiers: nonReentrant
    - [Int] safeZabuTransfer #
    - [Ext] setDevAddress #
       - modifiers: onlyOwner
    - [Ext] setTreasuryAddress #
       - modifiers: onlyOwner
    - [Ext] setFeeAddress #
       - modifiers: onlyOwner
    - [Ext] updateEmissionRate #
       - modifiers: onlyOwner
    - [Ext] updateStartBlock #
       - modifiers: onlyOwner