Beluga Protocol security audit, conducted by the Callisto Network Security Department during April 2021.
Beluga Protocol Specification
Audit Request
Our contracts are vaults, they take deposits and optimize yields on them.
- Telegram: https://t.me/belugaprotocol
- Twitter: https://twitter.com/belugaprotocol
- Medium: https://belugaprotocol.medium.com
Disclosure policy
I am fine with the report being published as is unless there is a highly severe bug in the code, then please privately message me.
The report can be published as long as there are no high severity bugs in the contracts.
Platform
Binance Smart Chain
Beluga Protocol Smart Contract Security Audit Report
Are Your Funds Safe?
1. In scope
Smart contracts commit 84c33c8ca90f4a6d3ed2115bd7b2d90bf595abc9
2. Findings
In total, 3 issues were reported including:
- 0 high severity issues.
- 0 medium severity issues.
- 2 low severity issues.
- 1 note.
- 0 owner privileges.
No critical security issues were found.
2.1 NoMintRewardPool is not defined
Severity: note.
Description:
The NoMintRewardPool contract is not defined. Perhaps we are talking about a StakingRewards contract from RewardsPool.sol.
Code Snippet:
2.2 Restriction on use of Reward Pool by other smart contracts
Severity: low.
Description:
RewardPool.sol uses the construction tx.origin to allow only the initiators of the transaction to collect the reward. This can lead to the blocking of many users who use smart contracts for convenience and security. For example, users using multisig contracts will not be able to use this contract.
More info about tx.origin vulnerabilities: ethereum/solidity#683
Code Snippet:
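An added illustration of the restriction described in 2.2, not the audited RewardPool.sol code. All names (GatedPool, WalletStandIn, allowedContracts and the function names) are hypothetical, and the owner-managed allowlist is an assumption about one way to keep the default restriction while admitting known contracts such as a multisig:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example; names are hypothetical, not taken from RewardPool.sol.
contract GatedPool {
    address public owner = msg.sender;
    mapping(address => uint256) public rewards;
    mapping(address => bool) public allowedContracts; // owner-managed exceptions

    // Strict gate as described in 2.2: the caller must be the transaction initiator.
    modifier onlyOrigin() {
        require(msg.sender == tx.origin, "contracts not allowed");
        _;
    }

    // Relaxed gate (assumption): same default, but the owner can admit known contracts.
    modifier originOrAllowed() {
        require(msg.sender == tx.origin || allowedContracts[msg.sender], "caller not allowed");
        _;
    }

    function setAllowed(address c, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedContracts[c] = ok;
    }

    // Demo helper that stands in for reward accrual; unrestricted on purpose.
    function credit(address user, uint256 amount) external {
        rewards[user] += amount;
    }

    function getRewardStrict() external onlyOrigin returns (uint256) { return _claim(); }
    function getRewardRelaxed() external originOrAllowed returns (uint256) { return _claim(); }

    function _claim() internal returns (uint256 amount) {
        amount = rewards[msg.sender];
        rewards[msg.sender] = 0; // bookkeeping only; token transfer omitted
    }
}

// Stand-in for a multisig or other contract wallet that holds the stake.
contract WalletStandIn {
    function claimStrict(GatedPool pool) external returns (uint256) {
        return pool.getRewardStrict(); // always reverts: msg.sender != tx.origin
    }
    function claimRelaxed(GatedPool pool) external returns (uint256) {
        return pool.getRewardRelaxed(); // succeeds once the owner allowlists this wallet
    }
}
```

Rewards credited to a WalletStandIn address stay locked behind the strict gate, because every call from the wallet has msg.sender different from tx.origin; the relaxed gate releases them only after the owner calls setAllowed for that wallet.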
2.3 Known vulnerabilities of ERC-20 token
Severity: low.
Description:
- Double withdrawal attacks are possible. More details here.
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.
Recommendation:
Add the following code to the transfer(address _to, ...) function:
require( _to != address(this) );
3. Conclusion
The audited smart contract can be deployed. Only low severity issues were found during the audit.
4. Revealing previous audit reports
4.1 Notes about gorbunovperm report.
The issue 3.2. does not hurt users and can’t cause any losses for users or contract. It’s an owner’s right to restrict other contracts from interacting with the farms.
The severity was changed to low.