YFFII Smart Contract Audit
source link: https://blog.coinfabrik.com/yffii-smart-contract-audit/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
- 2
- Shares
Introduction
CoinFabrik was asked to audit the contracts for the YFFII project. First we will provide a summary of our discoveries and then we will show the details of our findings.
Summary
The contracts audited are the contracts deployed at 0x91a06884F6db45FF499cC2f7C6f3eb60a617D5AE and 0x900E9bAEc63BcdB9FBb0D9743326360e6AE4B2dB.
Contracts
The audited contracts are:
- Controller.sol (md5: 304e66a01ff2b10b81763a06f09bc6e2)
- YearnRewards.sol (md5: a6937e2f61dcabc8bca2825bd45e485e)
Analyses
The following analyses were performed:
- Misuse of the different call methods
- Integer overflow errors
- Division by zero errors
- Outdated version of Solidity compiler
- Front running attacks
- Reentrancy attacks
- Misuse of block timestamps
- Softlock denial of service attacks
- Functions with excessive gas cost
- Missing or misused function qualifiers
- Needlessly complex code and contract interactions
- Poor or nonexistent error handling
- Failure to use a withdrawal pattern
- Insufficient validation of the input parameters
- Incorrect handling of cryptographic signatures
Detailed findings
Severity Classification
Security risks are classified as follows:
- Critical: These are issues that we manage to exploit. They compromise the system seriously. They must be fixed immediately.
- Medium: These are potentially exploitable issues. Even though we did not manage to exploit them or their impact is not clear, they might represent a security risk in the near future. We suggest fixing them as soon as possible.
- Minor: These issues represent problems that are relatively small or difficult to take advantage of but can be exploited in combination with other issues. These kinds of issues do not block deployments in production environments. They should be taken into account and be fixed when possible.
- Enhancement: These kinds of findings do not represent a security risk. They are best practices that we suggest to implement.
This classification is summarized in the following table:
SEVERITYEXPLOITABLEROADBLOCKTO BE FIXEDCriticalYesYesImmediatelyMediumIn the near futureYesAs soon as possibleMinorUnlikelyNoEventuallyEnhancementNoNoEventually
Issues Found by Severity
Critical severity
No issues of critical severity found.
Medium severity
No issues of medium severity found
Minor severity
No issues of minor severity found
Enhancements
Outdated Solidity compiler version
The latest Solidity compiler version currently available is 0.7.4, switching from 0.5.x to 0.7.x involves modifying the code however given that the project is still small, we recommend considering to do so as it would allow you to enjoy the latest bug fixes and gas optimization changes to the date.
If you wish to stay with the 0.5.16 version we recommend not using a floating pragma as it allows older versions of 0.5.x to be used, the following pragma is more appropriate: pragma solidity 0.5.16;
Commonly used require statements can be changed to modifiers
Currently the following require statement can be seen in many functions through the code:
This can be refactored into using a modifier, so that only an extra word needs to be used in each function header when needed:
The same can be done with the following require statement:
Like this:
This change is merely for reducing code complexity and does not change the logic in any way.
Conclusion
We found the contracts to be simple and straightforward and to have an overall good quality code.
A large part of the logic is done in external contracts, it is very important that you make sure to always use the correct addresses referring to trusted and verified contracts, and that these can not get changed by external parties.
Disclaimer: This audit report is not a security warranty, investment advice, or an approval of the YFFII project since CoinFabrik has not reviewed its platform. Moreover, it does not provide a smart contract code faultlessness guarantee. External contracts have not been audited by CoinFabrik and were assumed to work properly during this audit.
- 2
- Shares
Related Posts
-
HEX Smart Contract Audit
CoinFabrik was asked to audit the contracts for the HEX project. Firstly, we will provide…
-
iCherry Smart Contract Audit
CoinFabrik was asked to audit the contracts for the ICherry Finance project. First we will…
-
Katana Smart Contract Audit
CoinFabrik was asked to audit the contracts for the Katana project. First we will provide…
-
Securitize Smart Contract Audit
CoinFabrik was asked to audit the Securitize contracts for the DSToken project. First we will…
-
Timvi Smart Contract Audit
CoinFabrik was asked to audit the contracts for the Timvi project. Firstly, we will provide…
-
Katana Smart Contract Audit
CoinFabrik was asked to audit the contracts for the Katana project. First we will provide…
-
EtherParty Smart Contract Security Audit
Coinfabrik team has been hired to audit Etherparty smart contracts. Firstly, we will provide a…
-
Stasis Token Smart Contract Audit
Coinfabrik has been hired to audit the smart contracts for Stasis sale, the Stable Euro…
-
RCN BasicCosigner Smart Contract Security Audit
Coinfabrik security audit's team was asked to audit the BasicCosigner contract. This contract is part…
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK