Omniscia Congruent Audit
MasterChef Manual Review Findings
MCF-01M: Inexistent Validation of Minted Amount
Type | Severity | Location |
---|---|---|
Logical Fault | ![]() | MasterChef.sol:L186 |
Description:
The `cCRV` token opportunistically mints the specified reward amount and, in case insufficient minter allowance exists, an amount less than `cCRVReward` may be minted.
Example:
```solidity
// MasterChef.sol L186-L189
cCRV.mint(address(this), cCRVReward);
pool.accTokenPerShare = pool.accTokenPerShare.add(
    cCRVReward.mul(1e12).div(lpSupply)
);
```
Recommendation:
We advise the actual amount minted to be guaranteed to be equal to `cCRVReward`, as otherwise the reward system will be compromised, leading to unredeemable deposits.
Alleviation:
The code in the `mint` function of the `cCRV` token was updated to instead `require` that the minter has sufficient allowance, preventing an amount less than the one requested from being minted and alleviating this exhibit.
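The accounting gap behind MCF-01M, as an added Python model that is neither the audited contracts nor Omniscia's code. The class names, the `"chef"` account and all numbers are constructed; the model assumes every staker deposited before the first update and ignores per-user reward debt.

```python
# Constructed model of the MCF-01M accounting; not the audited Solidity code.
PRECISION = 10**12  # the 1e12 scaling factor applied to accTokenPerShare


class InsufficientAllowance(Exception):
    """Stands in for a Solidity revert."""


class Token:
    def __init__(self, minter_allowance, strict):
        self.minter_allowance = minter_allowance
        self.strict = strict  # True models the post-fix `require` in mint
        self.balances = {}

    def mint(self, to, amount):
        if amount > self.minter_allowance:
            if self.strict:
                raise InsufficientAllowance(amount)
            amount = self.minter_allowance  # pre-fix: silently mint less
        self.minter_allowance -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Pool:
    def __init__(self, token, lp_supply):
        self.token, self.lp_supply = token, lp_supply
        self.acc_token_per_share = 0

    def update(self, reward):
        # Mirrors MasterChef.sol L186-L189: the amount actually minted is
        # never checked, yet the full reward is credited to the pool.
        self.token.mint("chef", reward)
        self.acc_token_per_share += reward * PRECISION // self.lp_supply

    def owed(self):
        # Total rewards the accounting promises to all stakers.
        return self.lp_supply * self.acc_token_per_share // PRECISION


def shortfall(strict, allowance=150, lp_supply=1_000, rewards=(100, 100)):
    """Promised rewards minus the tokens the contract actually holds."""
    token = Token(allowance, strict)
    pool = Pool(token, lp_supply)
    for reward in rewards:
        pool.update(reward)
    return pool.owed() - token.balances.get("chef", 0)
```

With the lenient `mint`, the second update credits 100 tokens while only 50 are minted, so the pool owes 50 more than it holds. With the strict `mint`, the same update fails instead of creating the gap.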
MCF-02M: Inexistent Update of Existing Pools
Type | Severity | Location |
---|---|---|
Logical Fault | ![]() | MasterChef.sol:L76-L78 |
Description:
The `setTokenPerBlock` function overwrites the previously set `cCRVPerBlock` without updating all currently active pools.
Example:
```solidity
// MasterChef.sol L76-L78
function setTokenPerBlock(uint256 amount) external onlyOwner {
    cCRVPerBlock = amount;
}
```
Recommendation:
We advise the `massUpdatePools` function to be invoked prior to the assignment of the new cCRV per block to ensure the system acts consistently.
Alleviation:
The pools are now properly updated whenever the token per block value is adjusted, thereby ensuring that the pools are always in sync.
MCF-03M: Overly Centralized Operator Control
Type | Severity | Location |
---|---|---|
Logical Fault | ![]() | MasterChef.sol:L80-L82 |
Description:
The operator of the contract is in full control of the reward funds in the system as they can arbitrarily set the balances of each account.
Example:
```solidity
// MasterChef.sol L80-L82
function setOperator(address op_) external onlyOwner {
    operator = op_;
}
```
Recommendation:
We advise the operator to only be set once, as otherwise the security guarantees of the virtual balances do not hold.
Alleviation:
The operator is now properly set only once and subsequent invocations will result in a failure, thereby alleviating this exhibit.
MCF-04M: Inexistent Initialization of UUPS Dependency
Type | Severity | Location |
---|---|---|
Standard Conformity | ![]() | MasterChef.sol:L64-L68 |
Description:
The UUPS dependency remains uninitialized in the proxy implementation.
Example:
```solidity
// MasterChef.sol L64-L74
function initialize(
    IcCRV _cCRV,
    uint256 _cCRVPerBlock,
    uint256 _startBlock
) external initializer {
    __Ownable_init();

    cCRV = _cCRV;
    cCRVPerBlock = _cCRVPerBlock;
    startBlock = _startBlock;
}
```
Recommendation:
Although it currently bears no impact, we advise it to be initialized by invoking the `__UUPSUpgradeable_init` function to ensure future upgrades do not break its functionality.
Alleviation:
The UUPS dependency is now properly initialized in the `initialize` hook of the contract.