Beluga Protocol security audit, conducted by the Callisto Network Security Department during April 2021.


Beluga Protocol Specification


Audit Request

Our contracts are vaults; they take deposits and optimize yields on them.

Disclosure policy

I am fine with the report being published as is unless there is a highly severe bug in the code, then please privately message me.

The report can be published as long as there are no high severity bugs in the contracts.

Standard disclosure policy.

Platform

Binance Smart Chain


Beluga Protocol Smart Contract Security Audit Report

1. In scope

Smart contracts commit 84c33c8ca90f4a6d3ed2115bd7b2d90bf595abc9

2. Findings

In total, 3 issues were reported, including:

  • 0 high severity issues.

  • 0 medium severity issues.

  • 2 low severity issues.

  • 1 note.

  • 0 owner privileges.

No critical security issues were found.

2.1 NoMintRewardPool is not defined

Severity: note.

Description:

The NoMintRewardPool contract is not defined. Perhaps this refers to the StakingRewards contract from RewardsPool.sol.

Code Snippet:

2.2 Restriction on use of Reward Pool by other smart contracts

Severity: low.

Description:

RewardPool.sol uses a tx.origin check so that only the initiator of a transaction can collect the reward. This can block the many users who interact through smart contracts for convenience and security. For example, users of multisig contracts will not be able to use this contract.

More info about tx.origin vulnerabilities: ethereum/solidity#683
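
The effect described in 2.2, as an added example that is not the audited Beluga code: a hypothetical pool that gates claims with msg.sender == tx.origin, next to an assumed owner-managed allowlist variant that keeps the restriction but lets specific contracts through. All contract, function and variable names here are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical pool reduced to the caller gate from finding 2.2 (not the audited code).
contract GatedRewardPool {
    address public owner = msg.sender;
    mapping(address => uint256) public rewards;         // accrued reward per account
    mapping(address => bool) public approvedContracts;  // assumed owner-managed allowlist

    event RewardPaid(address indexed user, uint256 amount);

    // Gate as described in the finding: passes only when the direct caller
    // is also the account that signed the transaction.
    modifier onlyOrigin() {
        require(msg.sender == tx.origin, "contracts not allowed");
        _;
    }

    // Assumed alternative: contracts stay blocked by default, but the owner
    // can admit specific ones, such as a user's multisig.
    modifier originOrApproved() {
        require(msg.sender == tx.origin || approvedContracts[msg.sender], "caller not approved");
        _;
    }

    function setApproved(address c, bool ok) external {
        require(msg.sender == owner, "not owner");
        approvedContracts[c] = ok;
    }

    // Constructed helper so the example has a balance to claim.
    function credit(address user, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        rewards[user] += amount;
    }

    function getReward() external onlyOrigin { _pay(); }              // reverts for every contract caller
    function getRewardRelaxed() external originOrApproved { _pay(); } // admits approved contracts

    function _pay() internal {
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        emit RewardPaid(msg.sender, amount); // no token is moved in this example
    }
}

// Stand-in for a multisig: an EOA signs, but the pool sees this contract as msg.sender.
contract WalletStub {
    function claim(GatedRewardPool pool) external returns (bool ok) {
        try pool.getReward() { ok = true; } catch { ok = false; }
    }
    function claimRelaxed(GatedRewardPool pool) external returns (bool ok) {
        try pool.getRewardRelaxed() { ok = true; } catch { ok = false; }
    }
}
```

Calling WalletStub.claim fails at the onlyOrigin gate regardless of who signed the transaction, while claimRelaxed succeeds only after the pool owner has called setApproved for the wallet's address.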

Code Snippet:

2.3 Known vulnerabilities of ERC-20 token

Severity: low.

Description:

  1. Double withdrawal attacks are possible. More details here.

  2. Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.

Recommendation:

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

3. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

4. Revealing previous audit reports

4.1 Notes about gorbunovperm's report

Issue 3.2 does not hurt users and can't cause any losses for users or the contract. It is the owner's right to restrict other contracts from interacting with the farms.

The severity was changed to low.
