Gist by @yuriy77k, created November 5, 2020 13:07
JusDeFi Security Audit Report

1. Summary

JusDeFi smart contract security audit report, performed by the Callisto Security Audit Department.

JusDeFi is a next-generation yield farming experiment, combining some of the most exciting features from today's biggest players in DeFi with revolutionary new tokenomics. Participants can stake JDFI tokens directly (or stake LP tokens for even larger rewards), and the project's fee structure powers the burn and buyback systems, which in turn drive price action. Whenever JDFI is unstaked, a fee is charged: half goes into the staking rewards pool and the other half is burned. This unstaking fee is dynamic and changes weekly based on community governance.

2. In scope

Commit hash d2dbfc8f0d2cff1f0ffca9153de509da59c79aec

Include:

  • AirdropToken.sol
  • DevStakingPool.sol
  • FeePool.sol
  • JDFIStakingPool.sol
  • JusDeFi.sol
  • StakingPool.sol
  • UNIV2StakingPool.sol
  • interfaces/IJDFIStakingPool.sol
  • interfaces/IJusDeFi.sol
  • interfaces/IStakingPool.sol

Exclude:

  • test/JusDeFiMock.sol
  • test/StakingPoolMock.sol

3. Findings

In total, 3 issues were reported, including:

  • 1 high severity issue.

  • 1 low severity issue.

  • 1 note.

3.1. Reentrancy attack

Severity: high

Description

In the function compound(), the remaining ETH is sent back to the user before the user's reward is cleared. Because the ETH transfer hands control to the recipient, a contract acting as the user can re-enter compound() while its reward balance is still unchanged and use the same reward many times to mint liquidity tokens.

Recommendation

Clear the reward before sending the remaining ETH to the user (checks-effects-interactions order). https://github.com/jusdefi/jusdefi/blob/d2dbfc8f0d2cff1f0ffca9153de509da59c79aec/contracts/UNIV2StakingPool.sol#L61-L64

// clear the pending reward first, before any external call
_clearRewards(msg.sender);

// return remaining ETH to sender only after state has been updated
msg.sender.sendValue(msg.value - amountETH);
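The following is an added illustration, not code from the JusDeFi repository: a simplified pool that reproduces the ordering problem described in 3.1, the same function with the reward cleared before any external call plus a reentrancy guard, and an attacker contract that re-enters through its receive() hook. The IRouter interface, the setReward() helper and the pool names are hypothetical and exist only to make the example self-contained; the real pool pairs rewards with ETH through the Uniswap router and accrues rewards from staking.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Illustrative example added to this audit report; NOT the JusDeFi code.
// Demonstrates the reentrancy in finding 3.1 and the corrected ordering.

// Hypothetical stand-in for the Uniswap router used by the real pool.
interface IRouter {
    // Pairs `tokenAmount` with the ETH sent along; returns the ETH actually used.
    function addLiquidityETH(uint256 tokenAmount) external payable returns (uint256 amountETH);
}

contract VulnerablePool {
    mapping(address => uint256) public rewards; // pending token rewards
    mapping(address => uint256) public staked;  // LP credited to the user
    IRouter public router;

    constructor(IRouter _router) { router = _router; }

    // Hypothetical helper so the example can be driven directly.
    function setReward(address user, uint256 amount) external { rewards[user] = amount; }

    function compound() external payable {
        uint256 reward = rewards[msg.sender];
        require(reward > 0, "no rewards");

        uint256 amountETH = router.addLiquidityETH{value: msg.value}(reward);
        staked[msg.sender] += reward;

        // BUG: ETH is refunded while rewards[msg.sender] is still nonzero.
        // A contract recipient can re-enter compound() from receive().
        (bool ok, ) = msg.sender.call{value: msg.value - amountETH}("");
        require(ok, "refund failed");

        rewards[msg.sender] = 0; // effect happens after the interaction
    }
}

contract FixedPool {
    mapping(address => uint256) public rewards;
    mapping(address => uint256) public staked;
    IRouter public router;
    bool private locked; // minimal reentrancy guard

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IRouter _router) { router = _router; }

    function setReward(address user, uint256 amount) external { rewards[user] = amount; }

    function compound() external payable nonReentrant {
        uint256 reward = rewards[msg.sender];
        require(reward > 0, "no rewards");

        // Effects first: the reward is consumed before any external call.
        rewards[msg.sender] = 0;
        staked[msg.sender] += reward;

        // Interactions last: router call and ETH refund.
        uint256 amountETH = router.addLiquidityETH{value: msg.value}(reward);
        (bool ok, ) = msg.sender.call{value: msg.value - amountETH}("");
        require(ok, "refund failed");
    }
}

// Attacker that re-enters VulnerablePool.compound() on every refund.
contract Attacker {
    VulnerablePool public pool;
    uint256 public depth;

    constructor(VulnerablePool _pool) { pool = _pool; }

    function attack() external payable { pool.compound{value: msg.value}(); }

    receive() external payable {
        // rewards[address(this)] has not been cleared yet, so the same
        // reward is paired and credited again on each re-entry.
        if (depth < 3) {
            depth++;
            pool.compound{value: 0}();
        }
    }
}
```

Against FixedPool the same Attacker fails twice over: rewards[attacker] is already zero when receive() runs, so the require(reward > 0) check rejects the re-entry, and the nonReentrant modifier would block it even if the reward had not been cleared. Note that the pragma is 0.7, so the `msg.value - amountETH` subtraction is unchecked, exactly as in the snippet quoted above; on 0.8 it would revert on underflow.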

3.2. Trusted addresses

Severity: low

Description

The function transferFrom in JusDeFi allows transfers from any address without an allowance when msg.sender is whitelisted. Two of the three whitelisted addresses, JDFIStakingPool and UNIV2StakingPool, are part of the audited codebase, but the third, uniswapRouter, is set in the constructor and is an external contract that is not part of the provided codebase. You have to be sure that the uniswapRouter address passed to the constructor is the intended, audited router, since any whitelisted contract can move any holder's tokens without approval.
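An added illustration, not the JusDeFi token code and not the auditors' recommendation: the first contract shows the allowance-bypass pattern finding 3.2 describes, with an externally supplied router holding the same privilege as the in-repo pools; the second shows one way to narrow that trust, by granting the bypass only to contracts the token deploys itself and requiring the router to use the ordinary approve/transferFrom flow. The Pool contract and both token contracts are hypothetical minimal versions written for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Illustrative example added to this audit report; NOT the JusDeFi token code.
// Shows the whitelist allowance bypass from finding 3.2 and a narrower variant.

contract TokenWithWhitelist {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public isWhitelisted;

    constructor(address jdfiPool, address univ2Pool, address uniswapRouter) {
        isWhitelisted[jdfiPool] = true;
        isWhitelisted[univ2Pool] = true;
        // External, unaudited code receives the same privilege as the in-repo pools.
        isWhitelisted[uniswapRouter] = true;
        balanceOf[msg.sender] = 1_000_000 ether;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (!isWhitelisted[msg.sender]) {
            require(allowance[from][msg.sender] >= amount, "allowance");
            allowance[from][msg.sender] -= amount;
        }
        // A whitelisted caller reaches this point with no allowance check at all,
        // so whatever that contract can be made to call, it calls with this power.
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical minimal pool, deployed by the token so its code is known.
contract Pool {
    address public immutable token;
    constructor() { token = msg.sender; }
}

contract TokenWithInternalWhitelist {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    address public immutable jdfiPool;
    address public immutable univ2Pool;

    constructor() {
        // Only contracts from the audited codebase, created here, are trusted.
        jdfiPool = address(new Pool());
        univ2Pool = address(new Pool());
        balanceOf[msg.sender] = 1_000_000 ether;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        bool trusted = msg.sender == jdfiPool || msg.sender == univ2Pool;
        if (!trusted) {
            // The Uniswap router, like any other spender, must hold an allowance.
            require(allowance[from][msg.sender] >= amount, "allowance");
            allowance[from][msg.sender] -= amount;
        }
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

If the router must keep its exemption for user-experience reasons, the minimum check before deployment is that the constructor argument equals the address of the router release the team has reviewed, and that the whitelist cannot be changed afterwards; the example above goes further by leaving external code out of the whitelist entirely.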

3.3. Preset values mismatch.

Severity: note

Description

The preset values of RESERVE_TEAM, RESERVE_JUSTICE and the preminted JDFI/A amount do not match the corresponding values published at https://www.jusde.fi/

4. Conclusion

One high severity issue was found that has to be fixed before deployment. You should also pay attention to the low severity issue and the note pointed out in this report.
