Skip to content

Instantly share code, notes, and snippets.

@yuriy77k

yuriy77k/ETH_MChef_report.md Secret

Created April 16, 2021 14:02
Show Gist options
  • Save yuriy77k/60abfdc407c0fa036cab728699aef702 to your computer and use it in GitHub Desktop.
Save yuriy77k/60abfdc407c0fa036cab728699aef702 to your computer and use it in GitHub Desktop.
Download ZIP
MChef Security Audit Report
Raw
ETH_MChef_report.md

MChef Security Audit Report

1. Summary

MChef smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Contract commit 578705b62cbe1b48d9f4a029eac518d850259d04

3. Findings

In total, 5 issues were reported including:

  • 0 high severity issues.

  • 1 medium severity issues.

  • 2 low severity issues.

  • 2 notes.

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(address recipient, ...) function:

require( recipient != address(this) );

3.2. Unused parameter months

Severity: note

Description

In the function setRewardsValue() there is parameter months but it's not using in the function logic.

3.3. The function bonusPendingToken() may return wrong result

Severity: low

Description

If function bonusPendingToken() calling not by _user it will return wrong result. Because it use msg.sender to get UserInfo.

Recommendation

At line 1324 use this code:

UserInfo storage user = userInfo[_pid][_user];

3.4. High Gas spending

Severity: note

Description

The function massUpdatePools() updates every existing pool. It will use many gas if will be many pools. This function is calling from others functions: add(), set() (it's possible not update pools from them), updateRewardPerBlock(), setRewardsValue(), updateRewardsValue(), so Gas usage will be high i those functions too.

However, using massUpdatePools() in the functions setRewardsValue(), updateRewardsValue() is not required and may be removed from them.

3.5. rewardSender may block users' deposits and withdrawals.

Severity: medium

Description

The function safeRewardTokenTransfer() transfer tokens from rewardSender address to user. But in case there is not enough tokens or rewardSender did not approve transfers the transaction will be reverted. This function calls from deposit() and withdraw() functions. Therefore it will be reverted too in that cases.

Recommendation

Use safeRewardTokenTransfer() like this:

    function safeRewardTokenTransfer(address _to, uint256 _amount) internal {
        if (IERC20(token).balanceOf(rewardSender) >= _amount && IERC20(token).allowance(rewardSender, address(this)) >= _amount)
            IERC20(token).transferFrom(rewardSender, _to, _amount);
    }

4. Conclusion

The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment