Pera Finance Smart Contract Audit By Hacken Club
Pera Finance is a DeFi platform where traders, liquidity providers and holders yield farm together through the DeFi’s first decentralized trading competition.
Pera Finance recently engaged Hacken Club to audit its smart contracts. Hacken Club is a leading security consulting company with a primary focus on blockchain security.
Pera Finance Smart Contract Audit Results:
- Critical
✅ No critical issues were found.
- High
1. Undocumented owner functionality
— The owner can withdraw all tokens from the contract. This behavior is
not mentioned in the provided documentation.
✅ Contracts: PeraStaking.sol
✅ Function: withdrawTokens()
✅ Recommendation: remove the function or provide the description in the
documentation.
✅ Status: Fixed
2. Potential DoS Risk
— Iteration over the activeRewards array can consume much Gas as the
size of the array grows.
— This could lead to potential Denial of Service.
✅ Contracts: PeraStaking.sol
✅ Function: updateReward()
✅ Recommendation: the contract design should be changed to avoid data
updates for all its users during one single call.
✅ Status: Mitigated
3. Potential Reward Token Balance Shortage
— Rewards in all available tokens are transferred during one call. If
there is at least one token whose balance is insufficient, the whole
call will fail.
✅ Contracts: PeraStaking.sol
✅ Function: claimAllRewards()
✅ Recommendation: allow rewards to be claimed one at a time or in batches
specified by the caller.
✅ Status: Mitigated
4. Missing Reward Balance Update
— The claimAllRewards function does not decrease totalRewardBalance after
transferring rewards to a user.
— This can lead to an incorrect reward token balance. If the staking
and reward tokens are the same, this can lead to the usage of
deposited funds as reward funds.
✅ Contracts: TradeFarming. sol
✅ Function: claimAllRewards()
✅ Recommendation: Decrease totalRewardBalance during rewards claiming.
✅ Status: Mitigated
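The three reward-accounting findings above (gas growth in updateReward, all-or-nothing claiming, and the missing totalRewardBalance decrement) share one root cause: reward state is pushed to every user and paid out in one shot. The following contract is an added example, written for this post and not taken from PeraStaking.sol or any Pera Finance code. It swaps in the reward-per-token accumulator pattern (an assumption about the fix, not something the audit text specifies): a deposit bumps one accumulator, each user's pending rewards are settled lazily when that user interacts, claims are per token or in a caller-chosen batch, totalRewardBalance is decreased before each payout, and staked principal is tracked separately from reward funds. All names (StakingExample, activeRewards, depositRewards, MAX_REWARD_TOKENS) are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11;

// Minimal ERC-20 surface so the example compiles without external imports.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical staking contract, not PeraStaking.sol. Rewards are tracked with a
// per-token accumulator (the reward-per-token pattern), so depositing rewards
// updates one storage slot instead of looping over every staker.
contract StakingExample {
    uint256 private constant PRECISION = 1e18;
    uint256 public constant MAX_REWARD_TOKENS = 10; // bounds the only loop in _updateUser

    IERC20 public immutable stakingToken;
    address public immutable owner;

    // Stake accounting, kept apart from reward accounting.
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    // Reward accounting, per reward token.
    address[] public activeRewards;
    mapping(address => bool) public isRewardToken;
    mapping(address => uint256) public totalRewardBalance;   // token => reward funds held for stakers
    mapping(address => uint256) public rewardPerTokenStored; // token => accumulator, scaled by PRECISION
    mapping(address => mapping(address => uint256)) public userRewardPerTokenPaid; // user => token => checkpoint
    mapping(address => mapping(address => uint256)) public rewards;                // user => token => pending

    constructor(IERC20 _stakingToken) {
        require(address(_stakingToken) != address(0), "zero address");
        stakingToken = _stakingToken;
        owner = msg.sender;
    }

    function addRewardToken(address token) external {
        require(msg.sender == owner, "not owner");
        require(token != address(0) && !isRewardToken[token], "bad token");
        require(activeRewards.length < MAX_REWARD_TOKENS, "too many reward tokens");
        isRewardToken[token] = true;
        activeRewards.push(token);
    }

    // Finding 2: a deposit bumps one accumulator; its cost does not depend on the number of stakers.
    function depositRewards(address token, uint256 amount) external {
        require(isRewardToken[token], "unknown token");
        require(totalStaked > 0, "nothing staked");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        totalRewardBalance[token] += amount;
        rewardPerTokenStored[token] += (amount * PRECISION) / totalStaked;
    }

    // Settle only this user's pending rewards; every other staker's state is untouched.
    function _updateUser(address user) internal {
        uint256 n = activeRewards.length;
        for (uint256 i = 0; i < n; ++i) {
            address token = activeRewards[i];
            uint256 delta = rewardPerTokenStored[token] - userRewardPerTokenPaid[user][token];
            rewards[user][token] += (staked[user] * delta) / PRECISION;
            userRewardPerTokenPaid[user][token] = rewardPerTokenStored[token];
        }
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        _updateUser(msg.sender);
        staked[msg.sender] += amount;
        totalStaked += amount;
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdraw(uint256 amount) external {
        _updateUser(msg.sender);
        staked[msg.sender] -= amount; // checked arithmetic reverts on over-withdrawal
        totalStaked -= amount;
        require(stakingToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Finding 3: one reward token per call, so a shortfall in token B cannot block a claim of token A.
    // Finding 4: totalRewardBalance is decreased before the transfer, so staked principal is never
    // paid out as rewards even when both are the same token.
    function claimReward(address token) public {
        require(isRewardToken[token], "unknown token");
        _updateUser(msg.sender);
        uint256 amount = rewards[msg.sender][token];
        if (amount == 0) return;
        rewards[msg.sender][token] = 0;
        totalRewardBalance[token] -= amount;
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }

    // Caller-supplied batch, as the audit recommends.
    function claimRewards(address[] calldata tokens) external {
        for (uint256 i = 0; i < tokens.length; ++i) claimReward(tokens[i]);
    }
}
```

The only loop that remains runs over reward tokens, not users, and the owner-controlled MAX_REWARD_TOKENS cap keeps it bounded. Because totalRewardBalance and totalStaked are separate counters, an owner sweep function (if one is kept, and documented) can be limited to balanceOf(this) minus both counters, which is what the separation in the fifth finding buys.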
5. Reward and Staking Token Balances Should be Separate
— The contract should separate reward and staking token balances.
— In the case of these tokens being the same, this could lead to the
use of staking tokens in the name of reward tokens.
✅ Contracts: PeraStaking.sol
✅ Function: –
✅ Recommendation: Review and check this logic.
✅ Status: Fixed
- Medium
1. Missing Allowance Check
— The safeTransferFrom function is being called in other functions, but
they never check if there is enough allowance prior to calling it.
— This can lead to reverts in the calling functions.
✅ Contracts: PeraStaking.sol, TradeFarming.sol
✅ Function: depositRewards(), swapExactTokensForETH(),
swapTokensForExactETH(), swapETHForExactTokens(),
swapExactETHForTokens()
✅ Recommendation: Add control mechanisms for allowances. Adjust the
allowance before calling the safeTransferFrom function.
✅ Status: Mitigated
2. Revert due to transfer Function Gas Limitation
— The swapETHForExactTokens function cannot be called from another
contract with a fallback function. This is because the transfer
function has a hardcoded Gas upper limit, used in the refunding
logic.
— This can lead to limitations in the system.
✅ Contracts: TradeFarming.sol
✅ Function: swapETHForExactTokens()
✅ Recommendation: Use the call function, which allows the caller to
send all the Gas.
✅ Status: Reported
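The Medium findings are all about external-call hygiene in the swap wrappers: check the allowance before safeTransferFrom, refund ETH with call rather than the 2300-gas transfer, and act on the bool that EnumerableSet returns. The contract below is an added example for this post, not TradeFarming.sol. It assumes OpenZeppelin Contracts 4.x (the import paths are the 4.x ones) and that swaps are routed through a Uniswap V2 style router, whose two relevant function signatures are declared inline; the per-day trader bookkeeping with a UintSet is constructed for illustration and is not a description of Pera's competition logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11;

// Assumes OpenZeppelin Contracts 4.x is installed (4.x import paths).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// The two Uniswap V2 router functions used below; routing through such a router is an assumption.
interface IRouter {
    function swapETHForExactTokens(uint256 amountOut, address[] calldata path, address to, uint256 deadline)
        external payable returns (uint256[] memory amounts);
    function swapExactTokensForETH(uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline)
        external returns (uint256[] memory amounts);
}

// Hypothetical trade-farming contract; not TradeFarming.sol.
contract TradeFarmingExample is ReentrancyGuard {
    using SafeERC20 for IERC20;
    using EnumerableSet for EnumerableSet.UintSet;

    IRouter public immutable router;
    address public immutable weth;

    // Constructed bookkeeping: the days on which each trader was active, and distinct traders per day.
    mapping(address => EnumerableSet.UintSet) private tradedDays;
    mapping(uint256 => uint256) public tradersPerDay;

    constructor(IRouter _router, address _weth) {
        require(address(_router) != address(0) && _weth != address(0), "zero address");
        router = _router;
        weth = _weth;
    }

    // Finding 3: act on the bool that UintSet.add returns. It is false when the
    // day was already recorded, so a trader is counted at most once per day.
    function _recordTrade(address trader) internal {
        uint256 day = block.timestamp / 1 days;
        if (tradedDays[trader].add(day)) {
            tradersPerDay[day] += 1;
        }
    }

    function swapExactTokensForETH(address token, uint256 amountIn, uint256 amountOutMin, uint256 deadline)
        external nonReentrant
    {
        // Finding 1: check the allowance up front and fail with a clear reason
        // instead of letting safeTransferFrom revert deep inside the swap.
        require(IERC20(token).allowance(msg.sender, address(this)) >= amountIn, "insufficient allowance");
        IERC20(token).safeTransferFrom(msg.sender, address(this), amountIn);
        IERC20(token).safeIncreaseAllowance(address(router), amountIn);

        address[] memory path = new address[](2);
        path[0] = token;
        path[1] = weth;
        router.swapExactTokensForETH(amountIn, amountOutMin, path, msg.sender, deadline);
        _recordTrade(msg.sender);
    }

    function swapETHForExactTokens(address token, uint256 amountOut, uint256 deadline)
        external payable nonReentrant
    {
        address[] memory path = new address[](2);
        path[0] = weth;
        path[1] = token;
        uint256[] memory amounts = router.swapETHForExactTokens{value: msg.value}(amountOut, path, msg.sender, deadline);
        _recordTrade(msg.sender);

        uint256 refund = msg.value - amounts[0]; // amounts[0] is the ETH the router actually spent
        if (refund > 0) {
            // Finding 2: transfer() forwards only a 2300 gas stipend, so a caller that is a
            // contract whose receive()/fallback does more than emit an event would make the
            // refund, and with it the whole swap, revert:
            //     payable(msg.sender).transfer(refund);
            // call forwards all remaining gas; nonReentrant covers the re-entry this allows,
            // and every state update above already happened before this external call.
            (bool ok, ) = msg.sender.call{value: refund}("");
            require(ok, "refund failed");
        }
    }

    // The router returns unspent ETH to this contract before the refund above is forwarded.
    receive() external payable {}
}
```

Switching from transfer to call is only safe together with the two other things the example does: state changes complete before the call (checks-effects-interactions), and the entry points carry nonReentrant, since the callee now has enough gas to call back in.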
3. Unused Return
— There are calls to EnumerableSet.UintSet's functions, but the return
values of these calls are ignored.
— This can lead to unexpected behaviors in the function execution.
✅ Contracts: TradeFarming.sol
✅ Function: swapExactETHForTokens(), swapETHForExactTokens(),
swapExactTokensForETH(), swapTokensForExactETH()
✅ Recommendation: Implement control mechanisms.
✅ Status: Reported
- Low
1. Missing Zero Address Validation
— The constructor and depositRewardTokens take address parameters but
do not check whether they are the zero address.
— This can lead to unwanted external calls to 0x0.
✅ Contracts: TradeFarming.sol
✅ Function: constructor() and depositRewardTokens()
✅ Recommendation: Implement zero address checks.
✅ Status: Fixed
2. Unused State Variable
— Field `MAX_UINT` is never used.
✅ Contracts: TradeFarming.sol
✅ Function: –
✅ Recommendation: Remove unused variable.
✅ Status: Fixed
3. Use of Hardcoded Values
— The constructor and mulDiv functions use hardcoded values in their
computations.
— In PeraStaking.sol contract, withdraw, calcWeight, and _decrease
functions use hardcoded values in their computations.
✅ Contracts: TradeFarming.sol, PeraStaking.sol
✅ Function: withdraw(), calcWeight(), _decrease(), constructor(),
mulDiv()
✅ Recommendation: Move hardcoded values to constants.
✅ Status: Reported
4. Functions That Can be Declared as external
— To save Gas, public functions that are never called in the contract
should be declared as external.
✅ Contracts: PeraStaking.sol
✅ Function: calcWeight()
✅ Recommendation: The aforementioned function should be declared as
external.
✅ Status: Reported
5. Floating Pragma
— The PeraStaking.sol and TradeFarming.sol contracts use the floating
pragma ^0.8.11.
✅ Contracts: PeraStaking.sol, TradeFarming.sol
✅ Function: –
✅ Recommendation: Consider locking the pragma version whenever possible
and avoid using a floating pragma in the final deployment.
✅ Status: Reported
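The Low findings are code-quality points that are easiest to see applied together. The contract below is an added example written for this post, not PeraStaking.sol or TradeFarming.sol; the weight formula, the constants and the names (LowFindingsExample, BONUS_PER_WEEK, MAX_LOCK_WEEKS) are made up for illustration. It locks the pragma, keeps no unread state variable, moves the literals out of calcWeight into named constants, rejects the zero address in the constructor, and marks the function that nothing inside the contract calls as external.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11; // Finding 5: locked to one compiler version rather than ^0.8.11

// Hypothetical weight calculator; not PeraStaking.sol. The formula is invented for illustration.
contract LowFindingsExample {
    // Finding 3: named constants instead of literals repeated inside calcWeight and friends.
    uint256 public constant WEIGHT_PRECISION = 1e18;
    uint256 public constant MAX_LOCK_WEEKS = 52;
    uint256 public constant BONUS_PER_WEEK = WEIGHT_PRECISION / MAX_LOCK_WEEKS; // weight doubles at max lock
    // Finding 2: no unread fields such as a MAX_UINT that nothing references.

    address public immutable rewardToken;

    constructor(address _rewardToken) {
        // Finding 1: reject the zero address at construction time rather than on the first failing call.
        require(_rewardToken != address(0), "rewardToken is the zero address");
        rewardToken = _rewardToken;
    }

    // Finding 4: external, since no function inside the contract calls it.
    function calcWeight(uint256 amount, uint256 lockWeeks) external pure returns (uint256) {
        require(lockWeeks <= MAX_LOCK_WEEKS, "lock too long");
        return (amount * (WEIGHT_PRECISION + lockWeeks * BONUS_PER_WEEK)) / WEIGHT_PRECISION;
    }
}
```

With the pragma locked, the bytecode the auditors reviewed is the bytecode that gets deployed; with ^0.8.11 a later toolchain could silently compile the same source with a different compiler release.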
The smart contracts given for audit were analyzed according to industry best practices as of the date of this report, covering cybersecurity vulnerabilities and issues in the smart contract source code (Source Code), the details of which are disclosed in this report, as well as the Source Code's compilation, deployment, and functionality (performing the intended functions).
ABOUT Hacken Club
Hacken Club is the Leading Security Consulting Company with an essential focus on blockchain security.
ABOUT Pera Finance
Pera Finance is the first DEX Optimizer designed to boost on-chain trading volume via trader incentives.
RESOURCES
Hacken’s GitHub