Audit Report

PROFIT PARADISE

  • Security Score :  9/10
  • Tags :   yield farm, roi dapp
  • Address :   0x483D00Bd34f0C0adB24A73c87bC77229FCb333d0
  • Blockchain :  BNB Smart Chain
  • Website :   https://profitparadise.org

EXECUTIVE SUMMARY

Profit Paradise is a yield farming decentralized application (dApp) designed to provide simple rewards to users. The core incentive is a daily return of 3% on deposits, plus an additional 0.5% return each week, until a new cycle begins. When a new cycle starts, all previous deposits and state are reset to zero, creating a fresh start, and the base daily return increases by 1%. However, the total value locked in the protocol is carried over from the past cycle, which can help fund new participants.

These mechanics create a cyclical system reliant on continued community participation and on attracting new investments over time. As revenue depends on new entrants depositing funds each cycle, there is an inherent gambling dynamic with specific game theory at play. Profit Paradise is tied to the profit paradox concept, whereby sustainability requires a critical mass of users rolling over funds across cycles.

We did not identify any vulnerability in this smart contract.

SCOPE

  1. The audit focuses on the smart contract deployed on BNB Smart Chain.
  2. The audit does not cover any off-chain components or systems associated with the contract.
  3. The audit does not cover any user interfaces or user experience associated with the contract.
  4. The audit does not cover any legal or regulatory compliance of the contract.

FUNDAMENTALS

Contest System:

  • New contest starts when previous winner claims reward.
  • Top depositor during claim window gets 5% of pool.
  • Top depositor can't claim prize on claim day, must wait 1 day.
  • Contests last 1 day.

Deposit Rules:

  • 10 USDT minimum deposit.
  • Smart contracts can't deposit.
  • First deposit of cycle gets +10% value (+20% for referrer).
  • Whitelisted first deposit of cycle doubled up to 250 USDT.

Reset Cycles:

  • The first cycle starts on Tuesday, August 1, 2023 9:00:00 PM GMT+0.
  • Resets deposits array and cycle state.
  • Carries over TVL to new cycle.
  • Cycle start time begins next day.
  • When a new cycle starts, the base daily return increases by 1%.
  • A cycle resets if the TVL falls below 20% of the cycle's TVL ATH.

Claim Rewards:

  • Allowed 7 days from start, for a 1-day window.
  • User can tip deployer on claim.

Redeeming Deposit:

  • 20% fee subtracted from claimed total.
  • Fee stays in contract.

Allocation Breakdown:

  • 5% deposit fee to 1st top depositor.
  • 3% deposit fee to 2nd top depositor.
  • 1% deposit fee to 3rd top depositor.
  • 10% deposit fee to marketing.
  • 10% top depositor prize fee to marketing.
  • 20% redeem fee stays in contract.

FINDINGS

TITLE                                         SEVERITY
[CPFL-1] Denial-of-service on cycle reset     LOW

CPFL-1: In Profit Paradise, user deposits are stored in an array that is reset when a new cycle begins by looping through and resetting all deposits. This creates a potential denial-of-service (DoS) vulnerability: an attacker could grow the deposit array until the reset loop reaches the gas limit of a BNB Smart Chain block, freezing the contract. However, this is considered a low severity risk because the minimum deposit amount is 10 USDT. An attacker would need to deposit a very large amount of funds to reach the gas limit, making the attack economically infeasible. While the contract logic introduces a theoretical DoS vector, the economic cost of an attack provides mitigation, so the risk is rated low severity given the deposit size requirements.
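
The pattern behind CPFL-1, next to a reset whose cost does not depend on the number of deposits. This is an added illustration, not the Profit Paradise source code; the contract, struct and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the audited contract. All names are hypothetical.

// Pattern described in CPFL-1: reset cost grows with the number of deposits.
contract LoopReset {
    struct Deposit { address user; uint256 amount; }
    Deposit[] public deposits;

    function _deposit(address user, uint256 amount) internal {
        deposits.push(Deposit(user, amount));
    }

    // O(n) storage writes: once n is large enough the reset no longer fits
    // in one block, and every call that triggers it reverts.
    function _resetCycle() internal {
        for (uint256 i = 0; i < deposits.length; i++) {
            deposits[i].amount = 0;
        }
        delete deposits; // clearing the array also touches every slot: O(n)
    }
}

// Hardened form: key deposits by cycle number, so a reset is one increment.
contract EpochReset {
    uint256 public cycle;
    mapping(uint256 => mapping(address => uint256)) private _balance;
    mapping(uint256 => uint256) public depositCount;

    function _deposit(address user, uint256 amount) internal {
        _balance[cycle][user] += amount;
        depositCount[cycle] += 1;
    }

    // Balances from earlier cycles are never read again after a reset.
    function balanceOf(address user) public view returns (uint256) {
        return _balance[cycle][user];
    }

    // O(1) regardless of how many deposits the finished cycle received.
    function _resetCycle() internal {
        cycle += 1;
    }
}
```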

UNIT TESTS

INTERACTION                RESULT
deposit                    OK
redeem initial             OK
claim rewards              OK
claim prize                OK
claim profit share         OK
common vulnerabilities     OK

Unit testing was conducted to verify the proper execution of the smart contract and its functions. The tests simulated usage scenarios and interactions with the contract by comparing the expected theoretical output to the actual returns from executing the code.

The smart contract was evaluated for common vulnerabilities such as flash loan attacks and reentrancy. The testing methodology included verifying proper access controls in the deposit function, which restricts deposits to user EOA wallets by checking msg.sender == tx.origin. This test validates that smart contracts cannot call the deposit function, mitigating potential flash loan risks. Overall, the tests conducted were straightforward given the access restrictions coded into core functions like deposit. By validating expected behavior for common attack vectors, the test methodology provides assurance that the smart contract is hardened against typical vulnerabilities that plague DeFi protocols.

PRIVILEGES

The smart contract's access control only allows the contract owner to set whitelisted accounts. This was configured upon deployment on August 1, 2023, and cannot be changed afterwards.

RECOMMENDATIONS

There is potential for gas optimization in the smart contract code by removing unused variables that appear to be leftovers from a forked codebase. The presence of these unused declarations creates waste in the compiled bytecode, resulting in higher gas costs for contract interactions.