Bridge Staking Platform V2 - Audit

Off-Chain (Private)
Audited on 2023/03/09
No active critical issues

Summary

Bridge Oracle allows external data to be easily injected into blockchain and smart contracts allowing developers to leverage the terabytes of data available on Web2.0 to build a whole range of useful and impactful dApps without having to compromise on security.

Issues (3)

|           | Low | Medium | High | Critical | Total |
|-----------|-----|--------|------|----------|-------|
| Not fixed | -   | -      | -    | -        | 0     |
| Fixed     | 1   | 1      | 1    | -        | 3     |
| Total     | 1   | 1      | 1    | 0        | 3     |
Centralization Risks in StakePoolV2.sol
fixed/high

In the contract `StakePoolV2` the role `_owner` has authority over the function shown in the diagram below. Any compromise to the `_owner` account may allow the hacker to take advantage of this authority and modify the maximum deposit amount. If the maximum deposit amount is set to 0, then any deposit request will be blocked. ![](https://accelerator-tasks-prod.acc.corp.certik.com/fd8de15f5e4c490ca0f50d87aaecd72e/diagrams/centralization_StakePoolV2-StakePoolV2-_owner.svg)
Incompatibility with Deflationary Tokens
fixed/medium

When transferring deflationary ERC20 tokens, the input amount may not be equal to the received amount because of the transfer fee the token charges. For example, if a user sends 100 deflationary tokens (with a 10% transaction fee), only 90 tokens actually arrive at the contract. However, a failure to discount such fees may allow the same user to withdraw 100 tokens from the contract, which causes the contract to lose 10 tokens in such a transaction. Reference: https://thoreum-finance.medium.com/what-exploit-happened-today-for-gocerberus-and-garuda-also-for-lokum-ybear-piggy-caramelswap-3943ee23a39f

```solidity
token.safeTransferFrom(address(msg.sender), address(this), _amount);
```

- Tokens are transferred by `_amount`, but the actual token amount received by the recipient might not equal `_amount`.

```solidity
addressTotalAmount[msg.sender] = myTotal.add(_amount);
totalAmount = totalAmount.add(_amount);
```

- `addressTotalAmount` and `totalAmount` are used for bookkeeping without compensating for the potential transfer fee.
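The following is an added illustration, not code from the audited `StakePoolV2` contract: a hypothetical minimal pool showing the unsafe bookkeeping beside the usual remediation, which credits the balance delta actually received rather than the requested `_amount`. The OpenZeppelin imports, contract name and function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed dependencies (OpenZeppelin), not part of the audited code base.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical pool for demonstration only.
contract FeeAwareStakePool is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public addressTotalAmount;
    uint256 public totalAmount;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Before: bookkeeping trusts `_amount`. With a fee-on-transfer token the
    // pool credits more than it holds, so later withdrawals drain other users.
    function depositUnsafe(uint256 _amount) external {
        token.safeTransferFrom(msg.sender, address(this), _amount);
        addressTotalAmount[msg.sender] += _amount;
        totalAmount += _amount;
    }

    // After: measure the pool's balance around the transfer and credit only the
    // delta. nonReentrant prevents a token hook from nesting deposits so that the
    // outer call would see (and credit) the inner call's delta a second time.
    function deposit(uint256 _amount) external nonReentrant returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), _amount);
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        addressTotalAmount[msg.sender] += received;
        totalAmount += received;
    }

    // Withdrawals are bounded by the credited amount, so the pool never pays
    // out fee-inflated balances it never received.
    function withdraw(uint256 _amount) external nonReentrant {
        require(addressTotalAmount[msg.sender] >= _amount, "insufficient stake");
        addressTotalAmount[msg.sender] -= _amount;
        totalAmount -= _amount;
        token.safeTransfer(msg.sender, _amount);
    }
}
```

With the 100-token / 10% fee scenario from the finding, `deposit` credits 90 and `withdraw(100)` reverts, whereas `depositUnsafe` credits 100 against only 90 tokens held.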
Third Party Dependency
fixed/low

The contract serves as the underlying entity that interacts with one or more third-party protocols. The scope of the audit treats third-party entities as black boxes and assumes their functional correctness. However, in the real world, third parties can be compromised, which may lead to lost or stolen assets. In addition, upgrades of third parties can have severe impacts, such as increased third-party fees, migration to new LP pools, etc.

```solidity
IERC20 public token;
```

- The contract `StakePool` interacts with a third-party contract through the `IERC20` interface via `token`.

Contract (1)

| # | File Name       |
|---|-----------------|
| 1 | StakePoolV2.sol |