Polypanda X Solid Group: Audit Results

Solidgroup
6 min read · May 16, 2021

Auditing Process

Solid Group’s auditing process goes in depth and covers a wide range of token code characteristics. The main things the audit checks for are vulnerabilities and imminent risks to the safety and security of the code. Solid Group’s extensive auditing process is intended to help customers increase their code quality while reducing the high level of risk presented by cryptographic tokens and blockchain technology.

Contract

MasterChef | Bamboo | Bamboo Transfer Ownership | MasterChef Transfer Ownership

The MasterChef contract is behind a Timelock contract.

Highlights of the process

✅ MATIC-20 Conformance

✅ No external mint function

✅ No volatile code

Vulnerability Summary

Audit Findings

  • Issue #1 | Best Practice | 🟡 Low Severity | ❌ Not Fixed | massUpdatePools

Description

Iterating over an unbounded array is an anti-pattern and should be avoided: the number of iterations grows with every pool added, and the loop can eventually exceed the block gas limit, at which point the function can no longer be executed.

Recommendation

Since the contract is already deployed and can’t be changed, our recommendation is to always monitor the number of pools in the system.
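As an added illustration (not code from the Polypanda MasterChef and not written by Solid Group), the contract below shows the unbounded loop pattern next to two mitigations a fresh deployment could adopt: a hard cap on the pool count and a range-based update that lets callers split the work across transactions. MAX_POOLS, updatePoolRange and the stripped-down PoolInfo struct are assumptions for this example. For the already-deployed contract neither change is possible, which is why the audit's recommendation is operational: watch the pool count and the gas consumed by massUpdatePools() as pools are added.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not the Polypanda MasterChef code). The pool
// bookkeeping is reduced to the fields needed to show the pattern.
contract PoolUpdater {
    struct PoolInfo {
        uint256 allocPoint;
        uint256 lastRewardBlock;
        uint256 accRewardPerShare;
    }

    PoolInfo[] public poolInfo;

    // Assumed hard cap; the audited contract has none and relies on the
    // team monitoring the pool count instead.
    uint256 public constant MAX_POOLS = 50;

    // Access control omitted for brevity; a real deployment gates this.
    function add(uint256 allocPoint) external {
        require(poolInfo.length < MAX_POOLS, "too many pools");
        poolInfo.push(PoolInfo(allocPoint, block.number, 0));
    }

    function poolLength() external view returns (uint256) {
        return poolInfo.length;
    }

    // Pattern flagged by the audit: the loop bound is the array length, so
    // gas cost grows with every pool and can exceed the block gas limit,
    // after which this function (and anything that calls it) is unusable.
    function massUpdatePools() public {
        uint256 length = poolInfo.length;
        for (uint256 pid = 0; pid < length; ++pid) {
            updatePool(pid);
        }
    }

    // Bounded alternative: callers update a window [from, to) per
    // transaction, so the cost of any single call stays predictable.
    function updatePoolRange(uint256 from, uint256 to) external {
        require(from < to && to <= poolInfo.length, "bad range");
        for (uint256 pid = from; pid < to; ++pid) {
            updatePool(pid);
        }
    }

    function updatePool(uint256 pid) public {
        PoolInfo storage pool = poolInfo[pid];
        if (block.number <= pool.lastRewardBlock) {
            return;
        }
        // Reward accounting omitted; only the block cursor is advanced here.
        pool.lastRewardBlock = block.number;
    }
}
```

The range-based variant does not remove the need to update every pool before allocation points change; it only makes the cost per transaction bounded, so an off-chain job can walk the pools in chunks rather than relying on one call that may stop fitting in a block.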

  • Issue #2 | Logical Issue / Gas Optimization | 🟢 Informational Severity | buybackToLpSingle

Description

This statement will always be true because approve() is called immediately before the allowance is checked.

Recommendation

Our recommendation is to remove the unnecessary require() statement to save gas.

  • Issue #3 | Best Practice | 🟢 Informational Severity | L166, L202, L239, L240, L260

Description

External functions are called without checking their return values.

Recommendation

Our recommendation is to check the return value of every external function call.
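The following contract is an added example, not code from the audited contract, showing why an ignored return value matters and two ways of checking it. IERC20 is reduced to the single function the example needs; FeeForwarder, feeAddress and feesForwarded are assumptions. The third variant reimplements the idea behind OpenZeppelin's SafeERC20 inline so the example stays self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added illustration, not code from the audited contract.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract FeeForwarder {
    IERC20 public immutable token;
    address public feeAddress;
    // Internal accounting that must agree with real token movement.
    uint256 public feesForwarded;

    constructor(IERC20 _token, address _feeAddress) {
        token = _token;
        feeAddress = _feeAddress;
    }

    // Pattern flagged by the audit: the bool returned by transfer() is
    // dropped. A token that signals failure by returning false (instead of
    // reverting) leaves feesForwarded overstated while nothing moved.
    function forwardFeeUnchecked(uint256 fee) external {
        token.transfer(feeAddress, fee);
        feesForwarded += fee;
    }

    // Recommended form: the transaction fails unless the call reports success.
    function forwardFeeChecked(uint256 fee) external {
        require(token.transfer(feeAddress, fee), "fee transfer failed");
        feesForwarded += fee;
    }

    // Variant that also tolerates tokens returning no value at all: the
    // low-level call must succeed, the target must actually be a contract
    // (a call to an empty address "succeeds" with empty return data), and
    // the return data is either empty or decodes to true.
    function forwardFeeSafe(uint256 fee) external {
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, feeAddress, fee)
        );
        require(
            ok && (data.length == 0 || abi.decode(data, (bool))),
            "fee transfer failed"
        );
        feesForwarded += fee;
    }
}
```

The code-size check in forwardFeeSafe is the detail most often missed when people hand-roll this pattern: without it, a mistyped or self-destructed token address makes every "transfer" look successful.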

  • Issue #4| Logical Issue | 🟢 Informational Severity | updatePool

Description

buybackEnabled() can be set to false. However, the fees for buyback are still being subtracted from the reward.

Recommendation

Since the contract is already deployed and can’t be changed, please make sure the community is aware that they will always receive 70% of their reward.

  • Issue #5 | Logical Issue | 🟢 Informational Severity | updateEmissionRate

Description

maxBamboosPerBlock() can only be reduced.

  • Issue #6 | Gas Optimization | 🟢 Informational Severity | deposit

Description

The require() statement will always be true, as it was already checked by the if statement.

Owner Capabilities

Description

If buybackToLp or buybackToLpSingle fails, the manualLpAddress (which is controlled by the owner of the contract) gets the deposit fee.

Our recommendation is to consider not charging a fee if the buyback fails.

  • The owner can set the blackHoleAddress to an address he owns and receive a 10% reward.

  • The owner can set the router address to a malfunctioning or malicious contract. However, there is an emergency withdrawal function, which does not call updatePool or any external functions, for the case where normal withdrawals stop working.

⚠️ General Notes

The findPath and findPathUSDC functions are frequently called when interacting with the contract, but they rely on assumptions that may not always hold (e.g. that every token has a USDC or WETH pool). If they fail, critical functions of the contract, such as deposit() or withdraw(), will fail as well.

We would recommend wrapping those code paths in try/catch blocks and making sure errors are handled gracefully.

However, it is important to mention that the emergencyWithdrawal() function can act as a fail-safe in extreme cases and allow users to withdraw their funds even if there is a bug in the contract.
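As an added example of the graceful handling recommended above together with the fail-safe, the contract below is not the Polypanda code and was not written by Solid Group. The path lookup sits behind an external interface (IPathFinder, an assumption) because Solidity's try/catch only guards external calls; an internal findPath would first have to be moved into a helper contract. Farm, the events and the reduced IERC20 surface are likewise assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Polypanda contract's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed external helper; the real contract's findPath may be internal.
interface IPathFinder {
    function findPath(address tokenIn, address tokenOut) external view returns (address[] memory);
}

contract Farm {
    struct UserInfo { uint256 amount; }

    mapping(uint256 => mapping(address => UserInfo)) public userInfo;
    mapping(uint256 => IERC20) public lpToken;
    uint256 public poolCount;
    IPathFinder public pathFinder;
    address public rewardToken;

    event BuybackPath(uint256 indexed pid, address[] path);
    event BuybackSkipped(uint256 indexed pid, string reason);
    event EmergencyWithdraw(address indexed user, uint256 indexed pid, uint256 amount);

    constructor(IPathFinder _pathFinder, address _rewardToken) {
        pathFinder = _pathFinder;
        rewardToken = _rewardToken;
    }

    // Access control omitted for brevity; a real deployment gates this.
    function addPool(IERC20 token) external returns (uint256 pid) {
        pid = poolCount++;
        lpToken[pid] = token;
    }

    function deposit(uint256 pid, uint256 amount) external {
        require(lpToken[pid].transferFrom(msg.sender, address(this), amount), "lp transferFrom failed");
        userInfo[pid][msg.sender].amount += amount;
    }

    function withdraw(uint256 pid, uint256 amount) external {
        UserInfo storage user = userInfo[pid][msg.sender];
        require(user.amount >= amount, "withdraw: insufficient balance");
        user.amount -= amount; // state updated before any external interaction

        // Graceful handling: if the routing assumption (a USDC or WETH pool
        // exists) does not hold, the lookup reverts; the catch branches log
        // the failure and the withdrawal still completes.
        try pathFinder.findPath(address(lpToken[pid]), rewardToken) returns (address[] memory path) {
            // Only the external call is guarded. A revert inside this block
            // would still abort withdraw(), so it must not revert.
            if (path.length >= 2) {
                emit BuybackPath(pid, path); // router swap omitted
            } else {
                emit BuybackSkipped(pid, "empty path");
            }
        } catch Error(string memory reason) {
            emit BuybackSkipped(pid, reason);
        } catch {
            emit BuybackSkipped(pid, "path lookup reverted");
        }

        require(lpToken[pid].transfer(msg.sender, amount), "lp transfer failed");
    }

    // Fail-safe in the spirit of the audit's note: no pool update and no
    // router or path-finder calls, so it keeps working even when those
    // fail. Pending rewards are forfeited.
    function emergencyWithdraw(uint256 pid) external {
        UserInfo storage user = userInfo[pid][msg.sender];
        uint256 amount = user.amount;
        user.amount = 0;
        require(lpToken[pid].transfer(msg.sender, amount), "lp transfer failed");
        emit EmergencyWithdraw(msg.sender, pid, amount);
    }
}
```

The second catch clause (without a type) is what makes this robust against lookups that revert without a reason string, for example an out-of-gas or a failed assert inside the helper; with only catch Error(string) those failures would still propagate.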

Summary

We found 1 low severity issue and 5 informational issues (which do not affect the code itself). External functions are frequently called when interacting with the MasterChef contract, but they rely on assumptions that may not always hold. Since the contract is already deployed and can’t be changed, there is nothing the team can do to handle such errors gracefully. However, there is an emergencyWithdrawal function that investors can call in extreme cases to retrieve their funds.

About Polypanda

“The creation of Polypanda was inspired by the recent development of a multitude of farms on the Polygon Network. Since Polygon offers essentially frictionless farming, the number of farms popping up is on the rise. The consequence of this is that with new farming projects, many have issues in their design that do not bode well for the community. Polypanda aims to fix the inefficiencies that are present in other Polygon farming protocols and to create an ecosystem that works around the primary token, Bamboo. Bamboo is the fastest growing plant on the planet, and we aim to build our farm with the fastest yields by utilizing the Polygon Network and a unique tokenomics setup. After all, pandas need lots of Bamboo!”


About Solid Group

Solid Group is a blockchain consulting and auditing service provider, founded by 3 cybersecurity experts with a passion for thinking out of the box, learning, and sharing knowledge. Every project goes through a meticulous process and is viewed by at least two partners, thereby achieving a high level of credibility and professionalism.

Our group is partnered with multiple organizations and launchpads that have a combined market cap of over 300 million USD.


Disclaimer

SolidGroup reports are not, nor should be considered, an “endorsement” or “disapproval” of any particular project or team. These reports are not, nor should be considered, an indication of the economics or value of any “product” or “asset” created by any team. Solid Group does not cover testing or auditing the integration with external contracts or services (such as Unicrypt, Uniswap, PancakeSwap, etc.).

SolidGroup Audits do not provide any warranty or guarantee regarding the absolute bug-free nature of the technology analyzed, nor do they provide an indication of the technology proprietors. SolidGroup Audits should not be used in any way to make decisions around investment or involvement with any particular project. These reports in no way provide investment advice, nor should be leveraged as investment advice of any sort. SolidGroup Reports represent an extensive auditing process intending to help our customers increase the quality of their code while reducing the high level of risk presented by cryptographic tokens and blockchain technology. Blockchain technology and cryptographic assets present a high level of ongoing risk. SolidGroup’s position is that each company and individual are responsible for their own due diligence and continuous security. SolidGroup in no way claims any guarantee of security or functionality of the technology we agree to analyze.


Solidgroup

We are a group of 3 software developers with a combined experience of over 15 years in various fields such as software design, operating systems, and Solidity.