-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathReadme.md.mustache
469 lines (389 loc) · 31.7 KB
/
Readme.md.mustache
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
{{> partials/splash}}
[TOC]
## Details
- **Client** {{client_name}}
- **Date** {{date}}
- **Lead reviewer** Daniel Luca ([@cleanunicorn](https://twitter.com/cleanunicorn))
- **Reviewers** Daniel Luca ([@cleanunicorn](https://twitter.com/cleanunicorn)), Andrei Simion ([@andreiashu](https://twitter.com/andreiashu))
- **Repository**: [{{project_name}}]({{source_repository}})
- **Initial commit hash** `{{commit_hash}}`
- **Final commit hash** `{{final_hash}}`
- **Technologies**
- Solidity
- Node.JS
## Issues Summary
| SEVERITY | OPEN | CLOSED |
| -------- | :---: | :----: |
{{#issues_summary}}
| {{severity}} | {{open}} | {{closed}} |
{{/issues_summary}}
## Executive summary
This report represents the results of the engagement with **{{client_name}}** to review **{{project_name}}**.
The review was conducted over the course of **{{review_period}}** from **{{date_interval}}**. A total of **{{person_days}} person-days** were spent reviewing the code.
### Week 1
Before the beginning of the first week, we set up a kickoff meeting on Friday to ensure we have all the details to start the audit. This meeting was recorded and shared with all the parties involved in this review.
We started the following week by creating a code snapshot at commit hash `{{commit_hash}}`. We started using our arsenal of tools to make the graphs and descriptions of the contracts in scope. We proceeded to review the rest of the code manually.
Because there were no major issues, we gave access to the development team to the minor issues we found. This gave them the time and opportunity to provide fixes for them during the current week. We continued to review the code, but we found no major issues.
Towards the end of the week, we set up a meeting to present the current state of the report.
We also received a new commit hash `{{final_hash}}` that included fixes for the presented issues and included that in the report.
## Scope
The initial review focused on the [{{project_name}}]({{source_repository}}) repository, identified by the commit hash `{{commit_hash}}`.
We focused on manually reviewing the codebase, searching for security issues such as, but not limited to, re-entrancy problems, transaction ordering, block timestamp dependency, exception handling, call stack depth limitation, integer overflow/underflow, self-destructible contracts, unsecured balance, use of origin, costly gas patterns, architectural problems, code readability.
**Includes:**
- HaloHalo.sol
- HaloToken.sol
- AmmRewards.sol
- RewardsManager.sol
<!-- ## Recommendations
We identified a few possible general improvements that are not security issues during the review, which will bring value to the developers and the community reviewing and using the product. -->
<!-- ### Increase the number of tests
A good rule of thumb is to have 100% test coverage. This does not guarantee the lack of security problems, but it means that the desired functionality behaves as intended. The negative tests also bring a lot of value because not allowing some actions to happen is also part of the desired behavior.
-->
## Issues
{{#issues}}
### [{{title}}]({{url}})
 
{{{body}}}
---
{{/issues}}
## Artifacts
### Surya
Sūrya is a utility tool for smart contract systems. It provides a number of visual outputs and information about the structure of smart contracts. It also supports querying the function call graph in multiple ways to aid in the manual inspection and control flow analysis of contracts.
**Files Description Table**
| File Name | SHA-1 Hash |
| -------------------- | ---------------------------------------- |
| ./AmmRewards.sol | 49b19808853abe8c5c8bfb439d83ee196314a616 |
| ./HaloHalo.sol | 4d1f4fa884b7499e9ab33fcb423b88ea05ac2242 |
| ./HaloToken.sol | aadb215941a561bc6f3005d0f19a09a7775476bf |
| ./RewardsManager.sol | c0ee996398307a8e777783f8b1b1ef22af2e11c1 |
**Contracts Description Table**
| Contract | Type | Bases | | |
| :----------------: | :---------------------------------: | :---------------------------: | :------------: | :-----------------------: |
| └ | **Function Name** | **Visibility** | **Mutability** | **Modifiers** |
| | | | | |
| **AmmRewards** | Implementation | ReentrancyGuard, Ownable | | |
| └ | <Constructor> | Public ❗️ | 🛑 | NO❗️ |
| └ | poolLength | Public ❗️ | | NO❗️ |
| └ | add | Public ❗️ | 🛑 | onlyOwner |
| └ | set | Public ❗️ | 🛑 | onlyOwner |
| └ | setRewardTokenPerSecond | External ❗️ | 🛑 | onlyOwnerOrRewardsManager |
| └ | pendingRewardToken | External ❗️ | | NO❗️ |
| └ | massUpdatePools | External ❗️ | 🛑 | NO❗️ |
| └ | updatePool | Public ❗️ | 🛑 | NO❗️ |
| └ | deposit | Public ❗️ | 🛑 | NO❗️ |
| └ | withdraw | Public ❗️ | 🛑 | NO❗️ |
| └ | harvest | Public ❗️ | 🛑 | NO❗️ |
| └ | withdrawAndHarvest | Public ❗️ | 🛑 | NO❗️ |
| └ | emergencyWithdraw | Public ❗️ | 🛑 | NO❗️ |
| └ | setRewardsManager | Public ❗️ | 🛑 | onlyOwner |
| | | | | |
| **HaloHalo** | Implementation | ERC20 | | |
| └ | <Constructor> | Public ❗️ | 🛑 | NO❗️ |
| └ | enter | Public ❗️ | 🛑 | NO❗️ |
| └ | leave | Public ❗️ | 🛑 | NO❗️ |
| └ | getCurrentHaloHaloPrice | Public ❗️ | | NO❗️ |
| | | | | |
| **HaloToken** | Implementation | ERC20, ERC20Burnable, Ownable | | |
| └ | <Constructor> | Public ❗️ | 🛑 | ERC20 |
| └ | setCapped | External ❗️ | 🛑 | onlyOwner |
| └ | mint | External ❗️ | 🛑 | onlyOwner |
| | | | | |
| **RewardsManager** | Implementation | Ownable | | |
| └ | <Constructor> | Public ❗️ | 🛑 | NO❗️ |
| └ | releaseEpochRewards | External ❗️ | 🛑 | onlyOwner |
| └ | setVestingRatio | External ❗️ | 🛑 | onlyOwner |
| └ | setRewardsContract | External ❗️ | 🛑 | onlyOwner |
| └ | setHaloHaloContract | External ❗️ | 🛑 | onlyOwner |
| └ | getVestingRatio | External ❗️ | | NO❗️ |
| └ | getRewardsContract | External ❗️ | | NO❗️ |
| └ | getHaloHaloContract | External ❗️ | | NO❗️ |
| └ | transferToHaloHaloContract | Internal 🔒 | 🛑 | |
| └ | convertAndTransferToRewardsContract | Internal 🔒 | 🛑 | |
**Legend**
| Symbol | Meaning |
| :----: | ------------------------- |
| 🛑 | Function can modify state |
| 💵 | Function is payable |
#### Graphs
***AmmRewards***
```text
surya graph AmmRewards.sol | dot -Tpng > ./static/AmmRewards_graph.png
```
***HaloHalo***
```text
surya graph HaloHalo.sol | dot -Tpng > ./static/HaloHalo_graph.png
```
***HaloToken***
```text
surya graph HaloToken.sol | dot -Tpng > ./static/HaloToken_graph.png
```
***RewardsManager***
```text
surya graph RewardsManager.sol | dot -Tpng > ./static/RewardsManager_graph.png
```
#### Inheritance
#### Describe
```text
$ npx surya describe *.sol
+ AmmRewards (ReentrancyGuard, Ownable)
- [Pub] <Constructor> #
- [Pub] poolLength
- [Pub] add #
- modifiers: onlyOwner
- [Pub] set #
- modifiers: onlyOwner
- [Ext] setRewardTokenPerSecond #
- modifiers: onlyOwnerOrRewardsManager
- [Ext] pendingRewardToken
- [Ext] massUpdatePools #
- [Pub] updatePool #
- [Pub] deposit #
- [Pub] withdraw #
- [Pub] harvest #
- [Pub] withdrawAndHarvest #
- [Pub] emergencyWithdraw #
- [Pub] setRewardsManager #
- modifiers: onlyOwner
+ HaloHalo (ERC20)
- [Pub] <Constructor> #
- [Pub] enter #
- [Pub] leave #
- [Pub] getCurrentHaloHaloPrice
+ HaloToken (ERC20, ERC20Burnable, Ownable)
- [Pub] <Constructor> #
- modifiers: ERC20
- [Ext] setCapped #
- modifiers: onlyOwner
- [Ext] mint #
- modifiers: onlyOwner
+ RewardsManager (Ownable)
- [Pub] <Constructor> #
- [Ext] releaseEpochRewards #
- modifiers: onlyOwner
- [Ext] setVestingRatio #
- modifiers: onlyOwner
- [Ext] setRewardsContract #
- modifiers: onlyOwner
- [Ext] setHaloHaloContract #
- modifiers: onlyOwner
- [Ext] getVestingRatio
- [Ext] getRewardsContract
- [Ext] getHaloHaloContract
- [Int] transferToHaloHaloContract #
- [Int] convertAndTransferToRewardsContract #
($) = payable function
# = non-constant function
```
### Coverage
<!-- ```text
$ npm run coverage
``` -->
### Tests
```text
$ yarn run test
yarn run v1.22.10
warning package.json: No license field
$ npx hardhat --network localhost test
BASIS_POINTS = 10000
Amm Rewards
PoolLength
✓ PoolLength should execute (187308 gas)
Set
✓ Should emit event LogSetPool (285027 gas)
✓ Should revert if invalid pool
Pending Reward Token
✓ Pending Reward Token should equal Expected Reward Token (408378 gas)
✓ When time is lastRewardTime (408378 gas)
MassUpdatePools
✓ Should call updatePool (234554 gas)
✓ Updating invalid pools should fail
Add
✓ Should add pool with reward token multiplier (187308 gas)
UpdatePool
✓ Should emit event LogUpdatePool (234463 gas)
Deposit
✓ Depositing 0 amount (290613 gas)
✓ Depositing into non-existent pool should fail
Withdraw
✓ Withdraw 0 amount (255423 gas)
Harvest
✓ Should give back the correct amount of Reward Token (509159 gas)
✓ Harvest with empty user balance (246015 gas)
EmergencyWithdraw
✓ Should emit event EmergencyWithdraw (365663 gas)
Admin functions
✓ Non-owner should not be able to add pool
✓ Owner should be able to add pool (187308 gas)
✓ Non-owner should not be able to set pool allocs (187308 gas)
✓ Owner should be able to set pool allocs (231511 gas)
✓ Non-owner should not be able to set rewardTokenPerSecond
✓ Owner should be able to set rewardTokenPerSecond (32504 gas)
Set rewardTokenPerSecond
✓ Non-owner should not be able to set rewardTokenPerSecond
✓ RewardsManager should change rewardTokenPerSecond (167779 gas)
✓ Owner should be able to set rewardTokenPerSecond (32504 gas)
Halo Token
===================Deploying Contracts=====================
halo token deployed
Minted initial HALO for owner account
Minted initial HALO for addr1 account
Check Contract Deployment
✓ HaloToken should be deployed (54478 gas)
I should be able to transfer HALO tokens
✓ Allow transfer (89841 gas)
I should be able to mint HALO tokens and get the correct totalSupply
✓ Only owner should mint (72741 gas)
5e+25 HALO tokens owner balance
✓ When owner mints, the total supply should be equal to all wallet balance (74756 gas)
I should not be allowed to mint if capped is already locked
✓ Only owner can execute setCapped (64598 gas)
✓ Should revert mint when capped is locked (27220 gas)
✓ Should revert setCapped func if it has been executed more than once (27220 gas)
I should be able to burn HALO tokens and get the correct totalSupply
✓ Only account holder should burn (61594 gas)
✓ Only owner should burn users tokens (144521 gas)
4e+25 HALO tokens owner balance
✓ When user burns, the total supply should be equal to all wallet balance (62005 gas)
✓ Burn amount should not exceed wallet balance (34374 gas)
HALOHALO Contract
===================Deploying Contracts=====================
halo token deployed
40000000 HALO minted to 0x959FD7Ef9089B7142B6B908Dc3A8af7Aa8ff0FA1
halohalo deployed
==========================================================
Check Contract Deployments
✓ HaloToken should be deployed (37402 gas)
✓ Halohalo should be deployed (37402 gas)
Earn vesting rewards by staking HALO inside halohalo
✓ Genesis is zero (37402 gas)
✓ Deposit HALO tokens to halohalo contract to receive halohalo (190239 gas)
✓ Calculates current value of HALOHALO in terms of HALO without vesting (105873 gas)
✓ Calculates current value of HALOHALO in terms of HALO after vesting (143239 gas)
✓ Claim staked HALO + bonus rewards from Halohalo and burn halohalo (73308 gas)
Minting HALO to be entered in the halohalo contract..
Minting 100 HALO to User A...
Minting 100 HALO to User B...
Minting 100 HALO to User C...
100 HALO deposited by User A to halohalo
Simulate releasing vested bonus tokens to halohalo from Rewards contract #1
100 HALO deposited by User B to halohalo
Simulate releasing vested bonus tokens to halohalo from Rewards contract #2
100 HALO deposited by User C to halohalo
Transfer to 0xB0201641d9b936eB20155a38439Ae6AB07d85Fbd approved
All users leave halohalo
Address 0 left
Address 1 left
Address 2 left
✓ HALO earned by User A > HALO earned by User B > HALO earned by User C (754048 gas)
Rewards Manager
===================Deploying Contracts=====================
collateralERC20 deployed
halo token deployed
halohalo deployed
changedHaloHaloContract deployed
Set Rewards Manager contract.
Deployed Rewards Manager Contract address: 0x2Cc79B6860Fd7b58f0Fb56B4f448c13C7e898EC4
==========================================================
Check Contract Deployments
✓ HaloToken should be deployed (46340 gas)
✓ Halohalo should be deployed (46340 gas)
✓ Lptoken should be deployed (46340 gas)
✓ Rewards Management Contract should be deployed (46340 gas)
Admin functions can be set by the owner
✓ can set the vestingRatio if the caller is the owner (75061 gas)
✓ can not set the vestingRatio if the caller is not the owner (28636 gas)
✓ can not set the vesting ratio if vesting ratio is equal to zero (28636 gas)
✓ can set the rewards contract if the caller is the owner (57691 gas)
✓ can not set the rewards contract if the caller is not the owner (28636 gas)
✓ can not set the rewards contract if address parameter is address(0) (28636 gas)
✓ can set the halohalo contract if the caller is the owner (62872 gas)
✓ can not set the halohalo contract if the caller is not the owner (34236 gas)
✓ can not set the halohalo contract if the address parameter is address(0) (28636 gas)
Released HALO will be distributed 80% to the rewards contract converted to DESRT and 20% will be vested to the halohalo contract
✓ Release rewards in Epoch 0, HALOHALO priced to one at the end (347535 gas)
✓ Release rewards in Epoch 1, HALOHALO priced to 1.25 at the end (400100 gas)
✓ fails if the caller is not the owner (98301 gas)
·----------------------------------------------|----------------------------|-------------|----------------------------·
| Solc version: 0.6.12 · Optimizer enabled: false · Runs: 200 · Block limit: 6718946 gas │
···············································|····························|·············|·····························
| Methods │
···················|···························|··············|·············|·············|··············|··············
| Contract · Method · Min · Max · Avg · # calls · eur (avg) │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · add · 187296 · 187308 · 187307 · 19 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · deposit · 73501 · 119032 · 103855 · 6 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · emergencyWithdraw · - · - · 29531 · 2 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · harvest · 58707 · 81390 · 70049 · 4 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · massUpdatePools · - · - · 47258 · 2 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · set · 38843 · 58876 · 49000 · 5 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · setRewardsManager · 46328 · 46340 · 46338 · 29 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · setRewardTokenPerSecond · - · - · 32504 · 3 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · updatePool · 47155 · 72234 · 63874 · 6 · - │
···················|···························|··············|·············|·············|··············|··············
| AmmRewards · withdraw · 68115 · 91625 · 75952 · 3 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloHalo · enter · 51896 · 105873 · 84537 · 6 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloHalo · leave · 35930 · 56859 · 44302 · 5 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · approve · 46916 · 46964 · 46926 · 30 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · burn · - · - · 34374 · 4 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · burnFrom · - · - · 27631 · 2 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · increaseAllowance · - · - · 47237 · 1 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · mint · 37366 · 71578 · 59531 · 44 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · setCapped · - · - · 27220 · 4 · - │
···················|···························|··············|·············|·············|··············|··············
| HaloToken · transfer · 35279 · 35363 · 35335 · 3 · - │
···················|···························|··············|·············|·············|··············|··············
| LpToken · approve · 29792 · 46928 · 43974 · 29 · - │
···················|···························|··············|·············|·············|··············|··············
| LpToken · mint · - · - · 71335 · 24 · - │
···················|···························|··············|·············|·············|··············|··············
| LpToken · transfer · - · - · 52417 · 30 · - │
···················|···························|··············|·············|·············|··············|··············
| RewardsManager · releaseEpochRewards · 98301 · 215393 · 199781 · 30 · - │
···················|···························|··············|·············|·············|··············|··············
| RewardsManager · setHaloHaloContract · 28636 · 34236 · 29756 · 10 · - │
···················|···························|··············|·············|·············|··············|··············
| RewardsManager · setRewardsContract · - · - · 29055 · 1 · - │
···················|···························|··············|·············|·············|··············|··············
| RewardsManager · setVestingRatio · - · - · 28721 · 1 · - │
···················|···························|··············|·············|·············|··············|··············
| Deployments · · % of limit · │
···············································|··············|·············|·············|··············|··············
| AmmRewards · 3165941 · 3165953 · 3165952 · 47.1 % · - │
···············································|··············|·············|·············|··············|··············
| CollateralERC20 · 1750829 · 1750913 · 1750871 · 26.1 % · - │
···············································|··············|·············|·············|··············|··············
| HaloHalo · 1752202 · 1752226 · 1752224 · 26.1 % · - │
···············································|··············|·············|·············|··············|··············
| HaloToken · - · - · 1910204 · 28.4 % · - │
···············································|··············|·············|·············|··············|··············
| LpToken · - · - · 1750829 · 26.1 % · - │
···············································|··············|·············|·············|··············|··············
| RewardsManager · 1651492 · 1651516 · 1651512 · 24.6 % · - │
·----------------------------------------------|--------------|-------------|-------------|--------------|-------------·
59 passing (36s)
```
## License
This report falls under the terms described in the included [LICENSE](./LICENSE).
{{> partials/features}}
<link rel="stylesheet" href="./style/print.css"/>