YuzuSwap Staking Contracts Audit
Copyright © 2022 by Verilog Solutions. All rights reserved.
March 30, 2022
by Verilog Solutions

This report presents our second engineering engagement with YuzuSwap, one of the first DEX projects for the Emerald paratime on the Oasis Network. YuzuSwap is an AMM DEX with innovative trading incentive designs, such as the trading pool share token (TPST). After a successful launch of YuzuSwap on the Oasis Emerald chain, the YuzuSwap team asked Verilog to audit their newest feature, single token staking contracts.
Project Summary
YuzuSwap is a decentralized exchange on the Oasis Emerald paratime that includes incentive programs such as liquidity mining and trade mining. YuzuSwap follows a non-custodial, peer-to-peer, automated-market-maker model for swapping tokens within the Oasis ecosystem. The YuzuSwap platform itself is fully open to developers and members of the Yuzu DAO.
Service Scope
Our review focused on the main branch, specifically, commit hash 48aaf981151f52b639a88b5b6f2ef788c84c20ca.
Our second auditing service for YuzuSwap includes the following two stages:
- Audit Service
- Testing Service
Audit Service
The Verilog team conducted a thorough study of the YuzuSwap staking contract code. The list of findings, along with the severity and solution, is available under the section Findings & Improvement Suggestions.
Testing Service
The Verilog team conducted thorough testing of the YuzuSwap staking contract (YuzuStake.sol). We introduced new testing frameworks and new testing methods to the contract repo, as well as very detailed testing. Details can be found in the following PR:
https://github.com/Yuzu-swap/yuzuswap-contract/pull/1
Privileged Roles
- owner
  a. setConfig()
  b. addConfig()
The privileged roles in this smart contract can set and add config rules for staking. setConfig() can update staking config such as staked last block count and xYUZU mint ratio. addConfig() can add staking config such as staked last block count and xYUZU mint ratio.
Findings & Improvement Suggestions
| Severity | Total | Acknowledged | Resolved |
|---|---|---|---|
| Critical | 0 | 0 | 0 |
| Major | 0 | 0 | 0 |
| Medium | 0 | 0 | 0 |
| Minor | 0 | 0 | 0 |
| Informational | 8 | 8 | 5 |
Critical
none ; )
Major
none ; )
Medium
none ; )
Minor
none ; )
Informational
- nonReentrant functions stake(), withdraw() call external function yuzuTokenIns.safeTransferFrom() (YuzuStake.sol: L151, L237) Informational
  Description: Functions marked as nonReentrant may not call one another. Given yuzuTokenIns.safeTransferFrom() is arbitrary, it is possible to have another nonReentrant modifier.
  Recommendation: Make stake(), withdraw() private (_stake(), _withdraw()), and then add external nonReentrant entry points. Or alert deployer not to connect custom ERC20 contract with nonReentrant functions.
  Result: Acknowledged
- xYUZU transfer issue Informational
  Description: Transfer of xYUZU token to another address will cause xYUZU to be unable to be redeemed from the staking contract.
  Recommendation: Verilog team will discuss this with YUZU team regarding whether this design has been done intentionally or not. If this feature is not the intended design, then the suggested change is to turn xYUZU token into a non-transferable token.
  Result: Discussed with YuzuSwap team, that this design is on purpose. Thus no actions are required. For users, please be aware that you can only redeem your xYUZU to YUZU token with the initial staking address.
- YuzuStake.sol function setConfig() comment error (YuzuStake.sol: 115) Informational
  Description: The comment on line 115 of YuzuStake.sol, in function setConfig(), is wrong.
  Recommendation: Change the comment to "precision ratio base".
  Result: Resolved in PR
- YuzuStake.sol struct StakeConfig (YuzuStake.sol: 158) Informational
  Description: The variable name is ratioBase10000 while the comment specifies the value is based on 100,000.
  Recommendation: Please double-check the precision of the math calculation and make the variable name consistent with the comments.
  Result: Resolved in PR
- YuzuStake.sol NatSpec comments wrong in functions setConfig(), addConfig() Informational
  Description: The comments for param are wrong.
  Recommendation: Please update the comments.
  Result: Resolved in PR
- Lack of input check for YuzuStake.addConfig. (YuzuStake.sol: 131) Informational
  Description: Lack of input check for _blockCount and _ratioBase10000 in function addConfig.
  Recommendation: Require _blockCount and _ratioBase10000 to be non-zero.
  Result: Resolved in PR
- Be careful about overflow in stake if stakeConfig.blockCount is accidentally set to a very big number. (YuzuStake.sol: L179) Informational
  Description: currentBlock + stakeConfig.blockCount might overflow if stakeConfig.blockCount is accidentally set to a very big number.
  Recommendation: Be careful when setting or adding config.
  Result: Acknowledged
- Lack of indexed variables in events (YuzuStake.sol: L70) Informational
  Description: Lack of indexed variables (oid, from, cid) in events (OrderCreated, OrderUnstaked, OrderWithdrawed, ConfigChanged).
  Recommendation: Add indexed modifier to event parameters accordingly.
  Result: Acknowledged
Disclaimer
Verilog receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog in no way claims any guarantee of security or functionality of the technology we agree to analyze.
In addition, Verilog reports do not provide any indication of the technology's proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog has the right to distribute the Report through other means, including via Verilog publications and other distributions. Verilog makes the reports available to parties other than the Clients (i.e., “third parties”) on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.