EXECUTIVE SUMMARY
Delta Ventures is a decentralized finance application on the BNB Smart Chain that acts as a hedge fund. Users deposit funds into the application with the expectation of receiving returns generated through trading activities conducted by the deployer team.
Notably, the deployer team requires access to the contract balance and has the ability to withdraw funds from the contract.
During our thorough audit of the project, we identified one medium-severity and one informational-severity issue. The medium-severity issue relates to the fact that the owner has complete access to the contract balance, which introduces potential risks. While this aligns with the project's design, we believe it is crucial to consider safer alternatives to mitigate the associated risks. The informational finding relates only to monitoring and external interactions.
SCOPE
FUNDAMENTALS
Delta Ventures uses USDT (0x55d398326f99059fF775485246999027B3197955) as the currency for staking and withdrawals. Users can stake their USDT and receive a daily interest rate of 0.8%, or a 24.8% monthly interest rate. The claimed source of funding for the project is trading activities conducted by the Delta Ventures team.
There is a minimum period of 7 days between compounds. Stakes can be increased by making additional deposits or by compounding interest and/or rewards from upline partners. Withdrawals are subject to a 50% fee if made within 45 days of the last deposit, dropping to a 10% fee thereafter.
The platform features a partner system similar to a referral program. Users can have up to 5 upline partners, starting with the direct partner who receives 0.8% of the deposited or claimed/withdrawn value. Subsequent partners receive decreasing percentages, with the partner of the partner receiving 0.6%, and so on down to 0.1% for the fifth partner. To be eligible to receive a cut, partners must have made at least one deposit on the contract.
FINDINGS
INTERACTION | SEVERITY |
---|---|
[CPFM-1] owner can withdraw contract balance | MEDIUM |
[CPFI-1] deposit & compound emits the same event | INFORMATIONAL |
CPFM-1: While the project fundamentals state that withdrawing the contract balance is part of the project's design, we consider this a potential security concern, rated medium because it is by design. Granting unrestricted access to the contract balance introduces a higher level of risk, as it gives the deployer team the ability to freely access and potentially misuse the funds. To mitigate this risk and enhance the security of the smart contract, we recommend considering an alternative approach. One such approach could involve implementing a significant deposit fee that is specifically designated for trading purposes. By adopting this strategy, funds dedicated to trading would be separated and isolated, preventing malicious activities by the deployer team or any potential compromise due to external attacks.
CPFI-1: Both the deposit and compoundRewards functions in the smart contract emit the same event when called. This event serves as an informational log for users and external systems, providing visibility into deposit and rewards compounding activities. It does not impact the contract's functionality, but enhances transparency and facilitates external monitoring.
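Because deposit and compoundRewards emit the same event (CPFI-1), an external monitor cannot tell the two apart from the event alone. The following is an added example, not code from the audited contract or from the auditors, showing one way to label such events by correlating them with USDT transfers in the same transaction. Assumptions: the event name `Staked`, the log field names and the contract address are hypothetical placeholders, deposit pulls USDT from the caller, and compounding moves no tokens into the contract.

```python
from collections import defaultdict

USDT = "0x55d398326f99059fF775485246999027B3197955"  # staking token named in the report
VAULT = "0x" + "de" * 20   # placeholder: the report does not give the contract address
SHARED_EVENT = "Staked"    # hypothetical name for the event both functions emit

def classify(logs, vault=VAULT, token=USDT, shared=SHARED_EVENT):
    """Return (tx, user, kind, amount) per shared event, kind is deposit or compound.

    Assumption: deposit pulls USDT from the caller (a Transfer user -> vault in
    the same transaction) while compounding moves no tokens into the contract.
    """
    inflows = defaultdict(int)  # (tx, user) -> count of unconsumed USDT inflows
    for log in logs:
        a = log["args"]
        if (log["event"] == "Transfer" and log["address"].lower() == token.lower()
                and a["to"].lower() == vault.lower()):
            inflows[(log["tx"], a["from"].lower())] += 1
    out = []
    for log in logs:
        if log["event"] != shared or log["address"].lower() != vault.lower():
            continue
        a = log["args"]
        key = (log["tx"], a["user"].lower())
        if inflows[key] > 0:
            inflows[key] -= 1          # one inflow backs at most one event
            kind = "deposit"
        else:
            kind = "compound"
        out.append((log["tx"], a["user"], kind, a["amount"]))
    return out

ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20   # constructed addresses
SAMPLE_LOGS = [  # constructed, already-decoded logs; amounts in token base units
    {"tx": "0x01", "address": USDT, "event": "Transfer",
     "args": {"from": ALICE, "to": VAULT, "value": 100 * 10**18}},
    {"tx": "0x01", "address": VAULT, "event": "Staked",
     "args": {"user": ALICE, "amount": 100 * 10**18}},
    {"tx": "0x02", "address": VAULT, "event": "Staked",    # no inflow: compound
     "args": {"user": ALICE, "amount": 8 * 10**17}},
    {"tx": "0x03", "address": USDT, "event": "Transfer",   # Bob pays Alice, not the vault
     "args": {"from": BOB, "to": ALICE, "value": 5 * 10**18}},
    {"tx": "0x03", "address": VAULT, "event": "Staked",
     "args": {"user": BOB, "amount": 3 * 10**18}},
]

if __name__ == "__main__":
    for row in classify(SAMPLE_LOGS):
        print(row)
```

If the contract emitted a distinct event per function, this correlation step would be unnecessary and the monitor would not depend on the transfer assumption.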
UNIT TESTS
INTERACTION | RESULT |
---|---|
[CPUT-1] deposits | PASS |
[CPUT-2] compounding | PASS |
[CPUT-3] withdrawals | PASS |
[CPUT-4] interest rate | PASS |
[CPUT-5] owner-only functions | PASS |
[CPUT-6] partners | PASS |
[CPUT-7] common vulnerabilities | PASS |
All unit tests were successfully executed during our audit process.
PRIVILEGES
RECOMMENDATIONS
While it is typically recommended for teams to renounce ownership of such smart contracts, in the case of this project, renouncing ownership would hinder the deployer team's ability to use funds as intended.
An alternative approach to renouncing ownership of the smart contract is to use a multisig wallet and transfer ownership to it. This mitigates individual risk associated with directly interacting with the contract funds by distributing control and decision-making authority among multiple trusted parties.