Sophon Farming Program
Summary
In this audit, we reviewed the `SophonFarming` and `SophonFarmingState` contracts. The contracts are a fork of the SushiSwap `MasterChefV2` contract that has been significantly modified to not distribute pending rewards, but to track them internally as they accrue. These accrued rewards will eventually be the basis for an airdrop. Furthermore, a boost mechanic has been added, with which users can essentially forfeit part of their deposit for an increased point multiplier on the forfeited amount, creating a separate so-called boosted amount. The boost multiplier and other variables are set by a trusted owner (for more information, see SOP-11). This boosted amount will continue to earn the user points independently of the remaining accessible deposit balance of the user. Eventually, the contracts will contain a permissionless bridging mechanic, where after the farming and an optional withdrawal period have ended, the LP tokens of the pools will be able to get bridged to the Sophon blockchain, a hyper chain on ZkSync, through a bridge developed by Matter Labs. However, this feature has not been completed at the time of the audit start date, making it subject to future audits. Overall, we deem the codebase as robust, but lacking certain input restrictions (SOP-2, SOP-3). A flow has been identified that could lead to user funds being lost (SOP-1). The test suite thoroughly tests the codebase. While documentation was sparse and specifications of the protocol architecture were missing, we were able to get clarification via a code walkthrough. The client has also been very responsive with our additional questions after the walkthrough. **Update Fix-Review** All issues have been either fixed or acknowledged. A few tests have been added that further improve the existing test suite.
Issues (11)
Low | Medium | High | Critical | Total | |
|---|---|---|---|---|---|
Not fixed | 3 | - | - | - | 3 |
Fixed | 4 | 3 | 1 | - | 8 |
| Total | 7 | 3 | 1 | 0 | 11 |