Tokemak Security Smart Contract Audit

Summary

In the security audit of the selected contracts of Tokemak (listed in the appendix) we identified two high-severity, one medium-severity, and several low/informational/undetermined-severity issues. One high-severity issue was fixed. A remaining high-severity problem is the assumed trust in the manager. That is, the manager can perform any operation with the provided user funds based upon some calculations that are carried out off the chain. The staking logic does not force locking funds on the contract side (to which we assigned a medium-severity label). The Tokemak team decided upon not fixing the locking issue. Nevertheless, they have resolved 10 issues and acknowledged all the remaining issues.

Project

Tokemak

Multi-Chain

No active critical issues

Last audited on 2021/09/20

Auditor

287 audits on Trustblock

Multi-Tags

Issues (20)

	Low	Medium	High	Critical	Total
Not fixed	9	1	1	-	11
Fixed	8	-	1	-	9
Total	17	1	2	0	20

Contracts (18)

#	File Name
1	contracts/controllers/SushiswapController.sol
2	contracts/controllers/UniswapController.sol
3	contracts/interfaces/IManager.sol
4	contracts/staking/Staking.sol
5	contracts/token/Toke.sol
6	contracts/interfaces/balancer/IBalancerRegistry.sol
7	contracts/interfaces/ILiquidityEthPool.sol
8	contracts/controllers/ZeroExController.sol
9	contracts/interfaces/IStaking.sol
10	contracts/interfaces/ILiquidityPool.sol

Tokemak

Summary

Issues (20)

Manager's Decisions Are Made Off the Chainnot_fixed/high

Stake Without Locking Fundsnot_fixed/medium

`initialize` Functions Can be Frontrunnot_fixed/low

`schedule.setup` Checks Always Passnot_fixed/low

Allowance Double-Spend Exploitnot_fixed/low

Contracts (18)