Try   HackMD
tags: Preliminary Report

Cronus Finance Preliminary Report

Copyright © 2022 by Verilog. All rights reserved.
May 10, 2022
by Verilog Audit

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

This report presents our second engineering engagement with Cronus Finance, a decentralized exchange deployed on the EVMOS ecosystem. Cronus Finance is an AMM DEX with liquidity mining rewards. Cronus Finance has its own governance token, $CRN, which can be staked into $sCRN and earn staking rewards denominated in stablecoin.

Table of Content

Project Summary

Cronus Finance is an AMM DEX deployed on the EVMOS ecosystem. A portion of Cronus Finance's code is based on SushiSwap, which features liquidity mining rewards and governance token staking. It is worth noting that Cronus Finance also implemented new features such as a Stable Cronus Staking that converts LP fees into stablecoins and allows $sCRN holders to claim exchange fees denominated in stablecoin.

Service Scope

Our review focused on the main branch, specifically, commit hash 0ad76ef2498766954f2494700418160732f69c24.

Our auditing for Cronus Finance covered the following components:

  • AMM DEX
  • Liquidity Mining Farm
  • $CRN Token
  • Stable Cronus Staking

Cronus Finance Architecture

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. AMM DEX
    The AMM DEX part of Cronus Finance is based on SushiSwap, which is based on Uniswap V2. Users can add/remove liquidity and swap assets by interacting with the CronusRouter02.sol contract. For adding liquidity, CronusRouter02.sol will first check whether the pair exists. If the pair does not exist, A CronusPair.sol will be deployed by CronusFactory.sol. If the pair exists, CronusRouter02.sol will query the reserve of tokenA and tokenB of the pair by calling CronusLibrary contract. CronusRouter02.sol will then check whether the user is depositing the minimal amount of tokenA and tokenB to the pair. If the check passes, then CronusRouter02.sol will the tokenA and tokenB that the user is depositing to the CronusPair.sol contract of the pair. The CronusPair.sol contract of the pair will then mint LP tokens to the user, representing the liquidity provided by the user.

    For removing liquidity, CronusRouter02.sol will first query the address of the deployed CronusPair.sol for the pair by calling CronusLibrary contract. The CronusPair.sol contract of the pair will then transfer the LP token from the user to the CronusPair.sol contract of the pair. The CronusPair.sol contract of the pair will then burn the LP tokens and send the amount (corresponding to the amount of LP tokens and the reserves) of tokenA and tokenB to the user.

    For swapping tokens. CronusRouter02.sol will query the CronusLibrary contract for the number of tokens that the user should receive/send. CronusRouter02.sol will first query the address of the deployed CronusPair.sol for the first hop of pairs in the path by calling CronusLibrary contract. The CronusPair.sol contract of the pair will then transfer the token that needs to be swapped from the user to the CronusPair.sol contract of the first hop of pairs in the path. Then a low-level function _swap is called to swap tokens between the hops in the path.

  2. Liquidity Mining Farm
    The liquidity mining farm part of Cronus Finance is based on SushiSwap MasterChef contracts. The MasterChefCronus.sol mints new $CRN tokens at each call to the updatePool function. New $CRN tokens are minted to the developer address, treasury address, investor address, and the deployed MasterChefCronus.sol contract based on a proportion defined in the MasterChefCronus.sol contract. The proportions can be changed by the owner of the MasterChefCronus.sol contract.

    The owner of the MasterChefCronus.sol can add a new reward pool to the liquidity mining contract by calling add function. Each reward pool needs to be specified with three parameters: _allocPoint, _lpToken, _rewarder. _allocPoint determines the proportion of the $CRN liquidity mining rewards that the reward pool is allocated. _lpToken determines which LP token is accepted by the reward pool. _rewarder is optional and used when a reward pool has double rewards in $CRN and another token. The owner of MasterChefCronus.sol can also later adjust the _allocPoint and _rewarder parameters by calling set.

    The function updatePool will update the rewards metrics of a particular pool, specified by _pid. The updatePool function will calculate the amount of $CRN that should be minted based on the time of the last update for the particular pool, the amount of $CRN to be minted every second, and the allocation point of the particular pool. The function would then mint the $CRN tokens to the devAddr, treasuryAddr, investorAddr, and the liquidity mining contract itself. The amount of $CRN tokens minted is determined by devPercent, treasuryPercent, and investorPercent, which can be set by the owner of the liquidity mining contract. The number of $CRN that each share of LP token deposit is then calculated and stored in the reward pool data structure as accCronusPerShare.

    The function deposit handles the deposit of LP tokens into the liquidity mining pool. The deposit function will first call updatePool to update the rewards metrics for the reward pool to the latest state, corresponding to the latest timestamp. Then the deposit function will check whether the user has already deposited LP tokens into the reward pair. If the user has already deposited into the reward pair, the already accumulated rewards will be harvested and sent to the user. Then the deposit function will calculate and store rewardDebt for the user that is depositing LP tokens. rewardDebt is the amount of $CRN token accumulated to date, before the user's deposit, for the amount of LP token that the user is depositing. Therefore, when calculating the amount of $CRN that the user is earning, the smart contract only needs to multiply the number of $CRN per share by the number of reward pool shares that the user holds, minus the rewardDebt for the user. The deposit function will also call onCronusReward function of the rewarder contract associated with the reward pool, if available. Lastly, the deposit function will transfer the LP token from the user to the liquidity mining farm.

    The function withdraw handles the withdrawal of LP tokens from the liquidity mining pool. The withdraw function will first call updatePool to update the rewards metrics for the reward pool to the latest state, corresponding to the latest timestamp. Then the already accumulated rewards will be harvested and sent to the user. Then the withdraw function will calculate and store rewardDebt for the user that is depositing LP tokens. The withdraw function will also call onCronusReward function of the rewarder contract associated with the reward pool, if available. Lastly, the withdraw function will transfer the LP token to the user from the liquidity mining farm.

  3. $CRN Token
    CronusToken.sol inherits SafeERC20.sol from OpenZepplin. CronusToken.sol has additoinal governance related features such as delegateBySig delegates.

  4. Stable Cronus Staking

Priviliged Roles

  1. CronusToken.sol

    • owner: mint new tokens.
    • keeper: update maxSupply limit.

  2. CronusFactory.sol

    • feeTo : the address that can receive mint fee when lp token minted.
    • feeToSetter: set feeTo and feeToSetter address.

  3. MasterChefCronus.sol

    • owner :addand set pool.
    • admin: deposit token for a user.

  4. MoneyMaker.sol

    • auth : authorized address. It can set bridge, dev cut, dev address, tokenTo address. It can also convert pairs of tokens to tokenTo
    • owner: add/remove auth role.

  5. StableCronusStaking.sol

    • owner: add/remove reward token and set deposit fee percent.

Findings & Improvement Suggestions

InformationalMinorMediumMajorCritical

Total Acknowledged Resolved
Critical 2 1 0
Major 1 1 0
Medium 1 1 0
Minor 2 2 0
Informational 9 0 0

Critical

  1. MasterChefCronus.sol: UserInfo.rewardDebt is not updated in collectAllPoolRewards(). Critical
    Description: collectAllPoolRewards() loops through all pools and transfers rewards of each pool to the user. However, UserInfo.rewardDebt is not updated to the state variable because UserInfo is a local copy in memory given memory modifier is used when declaring the variable in Line 5. UserInfo.rewardDebt still remains unchange after calling collectAllPoolRewards().
    Recommendation: Use storage instead of memory for UserInfo.

    



















    ​​​​function collectAllPoolRewards() public {
​​​​    for (uint256 _pid = 0; _pid < poolInfo.length; _pid++) {
​​​​        PoolInfo memory pool = poolInfo[_pid];
​​​​        // * suggestion: use `storage` *
​​​​        UserInfo storage user = userInfo[_pid][msg.sender];
​​​​        updatePool(_pid);
​​​​        if (user.amount > 0) {
​​​​            // Harvest Cronus
​​​​            uint256 pending = user.amount.mul(pool.accCronusPerShare).div(1e12).sub(user.rewardDebt);
​​​​            safeCronusTransfer(msg.sender, pending);
​​​​            emit Harvest(msg.sender, _pid, pending);
​​​​        }
​​​​        user.rewardDebt = user.amount.mul(pool.accCronusPerShare).div(1e12);

​​​​        IRewarder rewarder = poolInfo[_pid].rewarder;
​​​​        if (address(rewarder) != address(0)) {
​​​​            rewarder.onCronusReward(msg.sender, user.amount);
​​​​        }
​​​​    }
​​​​}

    Result: Pending

  2. MasterChefCronus.sol: reward amount of rewarder contract is not reset in emergencyWithdraw(). Critical

    Description: Users callemergencyWithdraw() function to withdraw all staked tokens without caring about all the rewards. All reward amounts should be reset to zero. It does not reset the reward amount of rewarder contracts. An attacker can take a flash loan, deposit it into the double reward farm and drain the bonus rewards from rewarder contract.

    How The Attack Works:

    • Attacker takes a flash loan.
    • Deposits x LP tokens into any double reward farm.
    • Emergency withdraws its LP tokens.
    • Deposits a single LP token back into the same farm and waits n number of days.
    • Harvests the bonus reward as if it had x number of LP tokens instead of 1 LP token.

    Recommendation: Fix the mistake in emergencyWithddraw() function, clear user data in rewarder contract.

    

















    ​​​​/// @notice Withdraw without caring about rewards. EMERGENCY ONLY.
​​​​/// @param pid The index of the pool. See `poolInfo`.
​​​​function emergencyWithdraw(uint256 pid) external nonReentrant {
​​​​    PoolInfo memory pool = poolInfo[pid];
​​​​    UserInfo storage user = userInfo[pid][msg.sender];
​​​​    uint256 amount = user.amount;
​​​​    user.amount = 0;
​​​​    user.rewardDebt = 0;
​​​​    // * suggestion: update amount of rewarder contract *
​​​​    IRewarder _rewarder = pool.rewarder;
​​​​    if (address(_rewarder) != address(0)) {
​​​​        _rewarder.onCronusReward(msg.sender, 0);
​​​​    }

​​​​    // Note: transfer can fail or succeed if `amount` is zero.
​​​​    pool.lpToken.safeTransfer(msg.sender, amount);
​​​​    emit EmergencyWithdraw(msg.sender, pid, amount);
​​​​}

    Result: Pending

Major

  1. StableCronusStaking.sol: internalCronusBalance is not updated in emergencyWithdraw(). Major
    Description: internalCronusBalance is a varible used in updateReward to calculate rewards. It should be updated when cronus token is transferred to/from current contract otherwise the reward calculation will be inaccurate.

    In emergencyWithdraw(), the $CRN token is transferred from this contract to the user. It does not deduct the amount from internalCronusBalance. Besides making the reward calculation inaccurate, this may also cause the reward calculation to revert on subtraction underflow (it deducts internalCronusBalance from the token balance). Thus it may also make the functions calls to deposit(), addRewardToken(),removeRewardToken(), withdraw() fail because of the revert on updateReward().
    Recommendation:

    















    ​​​​function emergencyWithdraw() external {
​​​​    UserInfo storage user = userInfo[_msgSender()];

​​​​    uint256 _amount = user.amount;
​​​​    user.amount = 0;
​​​​    uint256 _len = rewardTokens.length;
​​​​    for (uint256 i; i < _len; i++) {
​​​​        IERC20 _token = rewardTokens[i];
​​​​        user.rewardDebt[_token] = 0;
​​​​    }
​​​​    // *suggestion: update internalCronusBalance*
​​​​    internalCronusBalance = internalCronusBalance.sub(_amount);
​​​​    
​​​​    CRN.safeTransfer(_msgSender(), _amount);
​​​​    emit EmergencyWithdraw(_msgSender(), _amount);
​​​​}

    Result: Pending

Medium

  1. StableCronusStaking.sol: removing reward token void unclaimed reward of the removed token. Medium
    Description: After calling removeRewardToken(), the removed token is removed from the rewardTokens list and thus no longer accessable when fetching rewards (through withdraw() and deposit()).
    Result: Discussion needed with Cornus Finance Team.

Minor

  1. CronusToken.sol: updateSupply() input _newSupply should not be lower than current maxSupply Minor
    Description: The purpose of udpateSupply() function is to mint extra Cronus tokens thus, a requirement condition would be necessary to make sure the updated maxSupply will not be lower than the current totalSupply
    Recommendation: Adding a requirement condition check

    



    ​​​​function updateSupply(uint256 _newSupply) public onlyKeeper {
​​​​    require(_newSupply > maxSupply, "CRN::updateSupply: supply cannot be less than current");
​​​​    maxSupply = _newSupply;
​​​​}

    Result: Fixed in Commit -

  2. StableCronusStaking.sol: loop can be avoided through data structure. Minor
    Description:In order to remove one reward token, removeRewardToken() function loops through all the reward tokens. Loop can be avoid by using more optimized data structures.

    













    ​​​​function removeRewardToken(IERC20 _rewardToken) external onlyOwner {
​​​​    require(isRewardToken[_rewardToken], "StableCronusStaking: token can't be removed");
​​​​    updateReward(_rewardToken);
​​​​    isRewardToken[_rewardToken] = false;
​​​​    uint256 _len = rewardTokens.length;
​​​​    for (uint256 i; i < _len; i++) {
​​​​        if (rewardTokens[i] == _rewardToken) {
​​​​            rewardTokens[i] = rewardTokens[_len - 1];
​​​​            rewardTokens.pop();
​​​​            break;
​​​​        }
​​​​    }
​​​​    emit RewardTokenRemoved(address(_rewardToken));
​​​​}

    Recommendation: Use EnumerableSet (See code below). tokenIndex can also serve as isRewardToken to further save gas. All require(isRewardToken[_token]) should change to require(tokenIndex[_token] != 0).

    































    ​​​​mapping(IERC20 => uint256) tokenIndex;
​​​​//mapping(IERC20 => bool) isRewardToken;  // removed
​​​​function addRewardToken(IERC20 _rewardToken) external onlyOwner {
​​​​    uint256 valueIndex = tokenIndex[_rewardToken]; // 0 index is reserve as null identifier
​​​​    require(valueIndex, "StableCronusStaking: rewardToken already exists.");
​​​​    
​​​​    rewardTokens.push(_rewardToken);
​​​​    tokenIndex[_rewardToken] = rewardTokens.length;
​​​​    
​​​​    updateReward(_rewardToken);
​​​​    emit RewardTokenAdded(address(_rewardToken));
​​​​}
​​​​function removeRewardToken(IERC20 _rewardToken) external onlyOwner {
​​​​    uint256 valueIndex = tokenIndex[_rewardToken];
​​​​    require(valueIndex, "StableCronusStaking: rewardToken does not exist.");
​​​​    
​​​​    updateReward(_rewardToken);
​​​​    
​​​​    uint256 toDeleteIndex = tokenIndex[_rewardToken] - 1;
​​​​    uint256 lastIndex = rewardTokens.length - 1;
​​​​    
​​​​    if (lastIndex != toDeleteIndex) {
​​​​        address lastValue = rewardTokens[lastIndex]
​​​​        rewardTokens[toDeleteIndex] = lastValue;    // update last value to the removed value
​​​​        tokenIndex[lastValue] = valueIndex;    // update index
​​​​    }
​​​​    
​​​​    rewardTokens.pop();
​​​​    detele tokenIndex[_rewardToken];
​​​​    
​​​​    emit RewardTokenRemoved(address(_rewardToken));
​​​​}

    Result: Pending

Informational

  1. MasterChefCronus.sol: Interaction with external contract (L294, L321, L350, L358) Informational
    Description: The snippets are following proper check-effects-interaction pattern. However, attention should be paid to the external lptoken.safeTransfer and lptoken.safeTransferFrom that is interacted.
    Recommendation: Ensure the external lpToken.safeTransfer and lpToken.safeTransferFrom have proper reentrancy guard.
    Result: Pending

  2. CronusToken.sol: a limitation on max inflation each year Informational
    Description: Comparing with Uniswap goveranance token contract,
    Result: Fixed in Commit -

  3. StableCronusStaking .sol has serveral magic numbers (Rui). Informational
    Description: In constructor() L106 5e17, in addRewardToken() L187 25, in setDepositFeePercent() L218 5e17
    Recommendation: Consider using constant state varibale to represent fixed numbers.
    Result: Pending.

  4. StableCronusStaking.sol: event names inconsistency. Informational
    Description: event ClaimReward() does not follow the "noun + verb past participle" naming scheme.
    Recommendation: event RewardClaimed()
    Result:

  5. StableCronusStaking.sol: event important fields not indexed. Informational
    Description: event RewardTokenAdded(address token) and event RewardTokenRemoved(address token) do not index the added/removed token address.
    Recommendation: Add indexed modifier.
    Result: Pending

  6. MoneyMaker.sol: setBridge(address token, address bridge) does not check loops in existing bridge. Informational
    Description: In _convertStep(), the recursive function will recuse all the input tokens until all of them are converted to tokenTo, however, if the bridgeOf(token) graph has a loop, the recursive function will be in dead loop and revert due to out-of-gas. Example: The path of token bridges must not contain any loop (Say, A - B - C - A), otherwise the convert() will be in a dead loop.
    Recommendation: Check Directed Acyclic Graph (DAG) compliance before calling setBridge().
    Consequence: convert() will be in dead loop.
    Result: Pending

  7. MoneyMaker.sol: state variable wavax does not represent the correct meaning of the variable’s value. Informational
    Description: wavax is from traderJoes implementation which is deployed on Avalanche. Using wavax is a bit confusing in the code since Cronos is deployed on Evmos.
    Recommendation: Use another name like wevmos .
    Consequence: Misleading and confusing to future developers.
    Result: Pending

  8. MoneyMaker.sol: Events on updating state variables should also include the old values. Informational
    Description: Events on updating state variables (SetDevAddr SetDevCut SetTokenTo) do not include the old values.
    Recommendation: See code below:

    


    ​​​​event SetDevAddr(address indexed newDevAddr, address indexed oldDevAddr);
​​​​event SetDevCut(uint256 indexed newDevCut, uint256 indexed oldDevCut);
​​​​event SetTokenTo(address indexed newTokenTo, address indexed oldTokenTo);

    Result: Pending

Disclaimer

Verilog receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog in no way claims any guarantee of security or functionality of the technology we agree to analyze.

In addition, Verilog reports do not provide any indication of the technologies proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog has the right to distribute the Report through other means, including via Verilog publications and other distributions. Verilog makes the reports available to parties other than the Clients (i.e., “third parties”) – on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.

Last changed by 
Verilog Solutions
VERILOG LTD.
0
450

Read more

BendDAO Audit

Copyright &#xA9; 2022 by Verilog Solutions. All rights reserved. May 24, 2022 by Verilog Solutions <!-- watermark --> This report presents our engineering engagement with the BendDAO team on their decentralized non-custodial NFT liquidity and lending protocol -- the BendDAO Protocol. Table of Content [TOC]

Jun 20, 2022
Vesta Finance Audit

Copyright &#xA9; 2022 by Verilog Solutions. All rights reserved. January 30, 2022 by Verilog Solutions <!-- watermark --> Project Summary Vesta Finance is an Arbitrum-based lending protocol. Users can collateralize ETH and other supported assets to borrow $VST, which is Vesta Finance&apos;s stablecoin. Vesta will support other collateral after the launch. A portion of Vesta Finance&apos;s code is based on Liquity. Service Scope

May 28, 2022
YuzuSwap Audit

Copyright &#xA9; 2022 by Verilog Solutions. All rights reserved. January 4, 2022 by Verilog Solutions <!-- watermark --> This report presents our engineering engagement with YuzuSwap, one of the first DEX projects for the Emerald paratime on the Oasis Network. YuzuSwap is an AMM DEX with innovative trading incentive designs, such as the trading pool share token (TPST). YuzuSwap&apos;s TPST design keeps track of DEX users&apos; swap operations and provides rewards for these users. Table of Content [TOC]

May 28, 2022
Fountain Protocol Audit

Copyright &#xA9; 2022 by Verilog Solutions. All rights reserved. February 18, 2022 by Verilog Solutions <!-- watermark --> This report presents Verilog&apos;s smart contract auditing engagement with Fountain Protocol. Fountain Protocol is one of the first Lending protocols on the Emerald Paratime of Oasis Network. Table of Content [TOC]

May 28, 2022
Read more from Verilog Solutions
Published on HackMD