Sperax - Farms

Off-Chain (Public)
Audited on 2024/07/11
No active critical issues

Summary

In this audit, Quantstamp reviewed Sperax's Demeter Protocol, which will be deployed on Arbitrum. The Demeter Protocol allows users to create their own Yield Farms for a flat fee. Creators of Farms specify RewardToken managers, which can configure the rate at which Reward Token rewards accumulate for depositors. Optionally, these Reward Token managers can be assigned to an instance of the Rewarder contract, which contains logic for maintaining rewards at a constant APR based on market conditions. Farms will eventually expire, although Expirable Farms can be extended for a fee. Farm creators also have the option to allow users to lock up funds for a specified cooldown period in order to earn additional rewards. After initiating a cooldown, users must wait for that extra time before they can withdraw. The purpose of the lock-up period is to ensure tokens remain locked in the protocol while allowing depositors to earn extra rewards. Farms are intended to support liquidity deposits from protocols that represent liquidity either as an ERC20 instance of the token pair, in the style of Uniswap V2, or as an ERC721 instance that represents a liquidity position, in the style of Uniswap V3.

We identified 18 issues and include 4 suggestions for the general improvement of the codebase and adherence to best practices. SPE-1 and SPE-2 can both be addressed with further input validation. We recommend disallowing deposits and withdrawals from occurring in the same block, in order to address the risk described in SPE-3. Use of OpenZeppelin's SafeCast library can address SPE-4. In addition to these high severity issues, we identified a number of issues that should be considered to ensure the accuracy of reward distribution and other accounting. Further, there is a significant centralization aspect that users should be aware of: rewards are only available if they are accurately maintained and supplied to the farm by its creator.

The test suite is extensive, although the documentation could be improved by including more technical documentation and contract specifications. The Sperax team was very collaborative and helpful throughout the audit.

**Fix Review Update** The team has addressed all the issues by either fixing or acknowledging them. We appreciate the team's responsiveness and commitment to security.
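The two concrete mitigations named above (rejecting a withdrawal in the same block as a deposit, and narrowing integers with OpenZeppelin's SafeCast instead of raw casts) are shown together below in an illustrative single-token staking vault. This is an added example written for this page, not Demeter Protocol code; the contract name, the `Position` struct and the field widths are assumptions, and only the OpenZeppelin imports are real library APIs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";

// Hypothetical vault used only to illustrate the two mitigations; not the audited code.
contract SameBlockGuardedFarm {
    using SafeERC20 for IERC20;
    using SafeCast for uint256;

    IERC20 public immutable stakeToken;

    struct Position {
        uint128 amount;          // staked balance, packed into one slot
        uint64 lastDepositBlock; // block number of the most recent deposit
    }
    mapping(address => Position) public positions;

    constructor(IERC20 _stakeToken) {
        stakeToken = _stakeToken;
    }

    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        Position storage p = positions[msg.sender];
        // SafeCast reverts on overflow instead of silently truncating the value
        // that a plain uint128(...) cast would produce.
        p.amount = (uint256(p.amount) + amount).toUint128();
        p.lastDepositBlock = block.number.toUint64();
        stakeToken.safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount) external {
        Position storage p = positions[msg.sender];
        // A deposit and a withdrawal by the same account cannot land in one block,
        // so a position must persist for at least one block before it can be unwound.
        require(block.number > p.lastDepositBlock, "same-block withdraw");
        require(amount <= p.amount, "insufficient balance");
        p.amount = (uint256(p.amount) - amount).toUint128();
        stakeToken.safeTransfer(msg.sender, amount);
    }
}
```

State is updated before the external token transfer in both functions, so the guard is not bypassable through reentrancy into the same call.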


Issues (17)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 1 | 1 | 1 | - | 3 |
| Fixed | 9 | 2 | 3 | - | 14 |
| Total | 10 | 3 | 4 | 0 | 17 |


Contracts (15)