
Audit name:

[SCA] DAO Maker | Rewards | Mar2021

Date:

Mar 9, 2021

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the DAO Maker team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Platform: Ethereum, BNB Chain
Language: Solidity
Tags: Rewards Pool
Timeline: 01/03/2021 - 08/03/2021
Methodology: https://hackenio.cc/sc_methodology

    Review Scope

    Repository: https://github.com/daomaker/staking-contract-new/
    Commit: 2144f6b0af21786be5ff96d42f2737d79cab3275

    Audit Summary

    7 Total Findings
    5 Resolved
    0 Accepted
    0 Mitigated

    According to the assessment, the Customer's smart contracts are secure, though one issue remains that can be exploited in the case of an ownership takeover.

    Our team performed an analysis of code functionality, a manual audit, and automated checks with Mythril and Slither. All issues found during automated analysis were manually reviewed, and important vulnerabilities are presented in the Audit overview section. A general overview is presented in the AS-IS section, and all found issues can be found in the Audit overview section.

    Security engineers found 3 high, 4 medium, and 1 informational issue during the audit.

    After the second review, the Customer's smart contracts contain 1 high severity issue.

    The system users should acknowledge all the risks summed up in the Risks section of the report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    Name: Smart Contract Code Review and Security Analysis Report for DAO Maker
    Audited By: Hacken
    Approved By: Hacken
    Changelog: 05/03/2021 – Initial Audit
               08/03/2021 – Final Review

    System Overview

    FarmManager.sol

    Description

    FarmManager manages Farm contracts.

    Inheritance

    FarmManager contract is Ownable.

    Usage

    FarmManager contract has the following usages:

    • SafeERC20 for IERC20.

    • SafeMath for uint256.

    Structs

    FarmManager contract has no custom structures.

    Enums

    FarmManager contract has no custom enums.

    Events

    FarmManager contract has one custom event:

    • FarmAdded.

    Modifiers

    FarmManager has no custom modifiers.

    Fields and constants

    FarmManager contract has the following fields:

    • IFarm[] public farms

    • IERC20[] public stakingTokens

    • mapping(address => bool) public funders

    • uint public moveBurnRate = 5

    • uint public burnRate = 100

    • uint public unstakeEpochs = 10

    • bool public paused

    • address public redistributor

    Functions

    FarmManager has the following external functions:

    • constructor
      Description: Initializes the contract. Sets the deployer as funder and redistributor.
      Visibility: None
      Input parameters: None
      Constraints: None
      Events emit: None
      Output: None

    • newFarm
      Description: Adds a new farm to the manager. Adds all existing staking tokens to the farm.
      Visibility: public
      Input parameters: IFarm farm
      Constraints: Can only be called by the owner.
      Events emit: None
      Output: None

    • add
      Description: Adds a new staking token to the manager. Also adds it to all existing farms.
      Visibility: public
      Input parameters: uint allocPoint, IERC20 stakingToken
      Constraints: Can only be called by the owner.
      Events emit: None
      Output: None

    • set
      Description: Updates the allocation point of a pool.
      Visibility: public
      Input parameters: uint allocPoint, uint _fid, uint _pid, bool _withUpdate
      Constraints: Can only be called by the owner.
      Events emit: None
      Output: None

    • fund
      Description: Funds a farm with an amount. An allowance must be given to the created farm first.
      Visibility: public
      Input parameters: uint _fid, uint256 _amount
      Constraints: Can only be called by the owner. An allowance should be set for the farm contract.
      Events emit: None
      Output: None

    • changePool
      Description: Allows stakers within a pool to move their stakes.
      Visibility: public
      Input parameters: uint _currentFid, uint _nextFid, uint _pid
      Constraints: Stake amount should be greater than 0. Unstake amount should be 0. Withdrawal should not be requested.
      Events emit: None
      Output: None

    • emergencyWithdrawRewards
      Description: Withdraws all reward tokens.
      Visibility: public
      Input parameters: None
      Constraints: Can only be called by the owner.
      Events emit: None
      Output: None

    • updateFunders, setMoveBurnRate, setBurnRate, setUnstakeEpochs, setPaused, setRedistributor
      Description: Simple setter functions with owner-only access.

    • getRedistributor, getMoveBurnRate, getBurnRate, getUnstakeEpochs, getPaused
      Description: Simple getters.

    Farm.sol

    Description

    Farm is a liquidity pool with rewards in ERC-20 tokens.

    Inheritance

    Farm does not inherit anything.

    Usage

    Farm contract has the following usages:

    • SafeMath for uint256

    • SafeERC20 for IERC20

    Structs

    Farm contract has the following data structures:

    • UserInfo

    • PoolInfo

    Enums

    Farm contract has no enums.

    Events

    Farm contract has the following events:

    • Deposit

    • Withdraw

    • Claim

    • Unstake

    • Initialize

    Modifiers

    Farm has no custom modifiers.

    Fields

    Farm contract has the following fields and constants:

    • IERC20 public erc20

    • uint256 public paidOut = 0

    • uint256 public rewardPerBlock

    • IFarmManager public manager

    • PoolInfo[] public poolInfo

    • mapping (uint256 => mapping (address => UserInfo)) public userInfo

    • uint256 public totalAllocPoint = 0

    • uint256 public startBlock

    • uint256 public endBlock

    • uint256 public constant SECS_EPOCH = 86400

    Functions

    Farm has the following public functions:

    • constructor
      Description: Sets the initial values of the contract.
      Visibility: public
      Input parameters: IERC20 _erc20, uint256 _rewardPerBlock, uint256 _startBlock, address _manager
      Constraints: None
      Events emit: Emits the Initialize event.
      Output: None

    • add
      Description: Adds a new LP to the pool.
      Visibility: public
      Input parameters: uint256 _allocPoint, IERC20 _stakingToken, bool _withUpdate
      Constraints: Can only be called by the FarmManager.
      Events emit: None
      Output: None

    • set
      Description: Updates the given pool's allocation point.
      Visibility: public
      Input parameters: uint256 _pid, uint256 _allocPoint, bool _withUpdate
      Constraints: Can only be called by the FarmManager.
      Events emit: None
      Output: None

    • massUpdatePools
      Description: Updates reward variables for all pools.
      Visibility: public
      Input parameters: None
      Constraints: None
      Events emit: None
      Output: None

    • updatePool
      Description: Updates the reward variables of the given pool to be up-to-date.
      Visibility: public
      Input parameters: uint256 _pid
      Constraints: None
      Events emit: None
      Output: None

    • move
      Description: Moves LP tokens to another farm.
      Visibility: external
      Input parameters: uint256 _pid
      Constraints: Can only be called from the FarmManager.
      Events emit: Emits the Withdraw event.
      Output: None

    • deposit
      Description: Deposits LP tokens.
      Visibility: external
      Input parameters: uint256 _pid, uint256 _amount
      Constraints: The contract should not be paused. Unstake should not be requested.
      Events emit: Emits the Deposit event.
      Output: None

    • withdraw
      Description: Creates a request to unstake all LP tokens.
      Visibility: external
      Input parameters: uint256 _pid
      Constraints: The contract should not be paused. The message sender should have an active balance. Should not be requested yet.
      Events emit: Emits the Withdraw event.
      Output: None

    • unstake
      Description: Withdraws LP tokens. A fee may be applied if unstakeEpochs have not passed yet.
      Visibility: external
      Input parameters: uint256 _pid
      Constraints: Unstake should not be requested.
      Events emit: Emits the Unstake event.
      Output: None

    • claim
      Description: Claims LP tokens from Farm.
      Visibility: external
      Input parameters: None
      Constraints: The contract should not be paused.
      Output: None

    • emergencyWithdraw
      Description: Allows the FarmManager contract to withdraw all rewards to a tx origin.
      Visibility: public
      Input parameters: None
      Constraints: Can only be called by the FarmManager.
      Output: None

    • poolLength
      Description: Returns the number of LPs.

    • deposited
      Description: Returns the deposited amount of a user in a pool.

    • pending
      Description: Returns the total rewards that have to be paid to a user for the specified pid.

    • totalPending
      Description: Returns the total rewards that have to be paid to all users.

    • getUserInfo
      Description: Returns a user's info.

    Conclusion

    Smart contracts within the scope were manually reviewed and analyzed with static analysis tools. For each contract, a high-level description of functionality is presented in the As-Is overview section of the report.

    The audit report contains all found security vulnerabilities and other issues in the reviewed code.

    Security engineers found 3 high, 4 medium, and 1 informational issue during the audit.

    After the second review, the Customer's smart contracts contain 1 high severity issue.

    Violations in the following categories were found and addressed to the Customer:

    Risks

    The Farm contract may be stopped by owners.
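    The owner-gated setPaused and emergencyWithdrawRewards functions described in the System Overview are what make that risk possible: a pause blocks deposit, withdraw and claim alike, and the reward drain needs nothing but an owner key. The sketch below is an added example written for this page, not DAO Maker's code, showing one way to narrow the risk: the pause flag only blocks new deposits, and an emergency drain of reward tokens must be scheduled on-chain and wait out a public delay before it can execute. It assumes a distinct reward token and staking token and uses hypothetical names (DelayedEmergencyFarm, EMERGENCY_DELAY).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch, not DAO Maker's code. Assumes rewardToken != stakingToken,
// so an emergency drain can never touch staked principal.
contract DelayedEmergencyFarm {
    address public immutable owner;
    IERC20 public immutable stakingToken;
    IERC20 public immutable rewardToken;
    bool public paused;                      // gates deposits only, never withdrawals
    uint256 public constant EMERGENCY_DELAY = 2 days;
    uint256 public emergencyUnlockTime;      // 0 means nothing is scheduled
    mapping(address => uint256) public staked;
    event EmergencyScheduled(uint256 unlockTime);
    event EmergencyExecuted(address indexed to, uint256 amount);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(IERC20 _stakingToken, IERC20 _rewardToken) {
        owner = msg.sender;
        stakingToken = _stakingToken;
        rewardToken = _rewardToken;
    }

    function setPaused(bool _paused) external onlyOwner { paused = _paused; }
    function deposit(uint256 amount) external {
        require(!paused, "paused");          // the only place the flag is checked
        staked[msg.sender] += amount;
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }
    function withdraw(uint256 amount) external {
        staked[msg.sender] -= amount;        // 0.8 checked math reverts on overdraw
        require(stakingToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Step 1: announce. The event gives stakers EMERGENCY_DELAY to react.
    function scheduleEmergencyWithdraw() external onlyOwner {
        emergencyUnlockTime = block.timestamp + EMERGENCY_DELAY;
        emit EmergencyScheduled(emergencyUnlockTime);
    }

    // Step 2: only after the delay, and only reward tokens leave the contract.
    function executeEmergencyWithdraw(address to, uint256 amount) external onlyOwner {
        require(emergencyUnlockTime != 0 && block.timestamp >= emergencyUnlockTime, "delay not elapsed");
        emergencyUnlockTime = 0;
        require(rewardToken.transfer(to, amount), "transfer failed");
        emit EmergencyExecuted(to, amount);
    }
}
```

    Putting a multisig or a timelock contract behind the owner address adds a second layer, but the delay above is what gives stakers a window to exit before rewards can be removed.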

    Findings

    Code          Title                                      Status    Severity
    F-2021-011    Farm contract may be stopped by owner      unfixed   High
    F-2021-0115   Unsafe unstake function                    fixed     High
    F-2021-012    Tautology                                  fixed     Medium
    F-2021-0119   Contract isolation                         fixed     Medium
    F-2021-0118   Missing validation for staking contract    fixed     Medium
    F-2021-011    No validation during farm creation         fixed     Medium
    I-2021-0105   Style guide violations                     unfixed   Observation


    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    A reference on how risk scoring is done is available through the repository in our GitHub organization:

    Critical
    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High
    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium
    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations, as well as major deviations from best practices, are also in this category.

    Low
    Major deviations from best practices or major gas inefficiency. These issues will not have a significant impact on code execution and do not affect the security score, but can affect the code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repository: https://github.com/daomaker/staking-contract-new/
    Commit: 2144f6b0af21786be5ff96d42f2737d79cab3275

    Contracts in Scope

    Farm.sol
    FarmManager.sol

    Disclaimer