MasterChef Smart Contracts: A Workaround for the vulnerabilities
- Analysis
- May 16, 2022
MasterChef has some vulnerabilities that can be fixed during use. However, only if the users are aware of these vulnerabilities and know what to do. Here is the workaround suggested by Gleb Zykov and Vlad Korovnikov of HashEx.
Decentralized exchanges (DEXs) were relatively rare two years ago. Today, however, it seems as if they are everywhere. Many projects have their own DEXs. This happens because a blockchain project, if it wants to start a DEX, does not have to develop it from scratch. Instead, the basis for the DEX code is often a fork of one of the two major DEXs SushiSwap or PancakeSwap.
MasterChef Smart Contract
These two exchanges have revolutionized the DEX space thanks to a special smart contract, called MasterChef. MasterChef runs on both exchanges and thus also on all other exchanges that arose from a fork of one of the two. Each new DEX has the same features. However, this also means that everyone shares the shortcomings and weaknesses of MasterChef.
So let’s take a look at what problems users and developers encounter when using MasterChef. What should you pay attention to? And how should one approach the problems?
How do DEXs work?
First of all, it should be noted that a MasterChef contract is a smart contract written in Solidity. This smart contract controls how crypto farming works. In most projects, there are several smart contracts that share this responsibility and work. However, for protocols based on MasterChef, this single contract takes care of everything that concerns farming.
Decentralized exchanges make it possible to exchange cryptocurrencies without having deposited money in the wallet of the exchange. Instead, funds from your personal wallet are deposited on a smart contract. This makes you the only person who has control over it and can access your own money if the contracts have backdoors or vulnerabilities.
Another difference is that CEX use order books for selling and buying. This means that they bring buyers and sellers together, while DEXs use AMM (Automated Market Maker) protocols for trading. They calculate the price of assets depending on the invested liquidity.
Liquidity comes from liquidity pools. These are pools in which users can deposit their funds for certain pairs and make them available for the protocol. Then, if someone tries to buy assets with this pair, his application will be executed immediately with the funds from the pool. Individuals who have deposited funds into the liquidity pool will receive LP tokens for that particular pool. As a result, you have the right to receive rewards. And if you want your funds back, all you have to do is return the LP tokens you received.
As you may know, there are several ways to earn returns from crypto holdings. Farms allow additional rewards for providing liquidity. Users add liquidity to the DEXs, receive LP tokens and stake them in the farms.
MasterChef: Vulnerabilities and bugs
We have already explained to you how DEXs and liquidity pools work. So let’s take a look at where MasterChef’s vulnerabilities lie, how they affect the process, and what you need to do to make things run smoothly.
Compromised accounts
One of the biggest issues to keep in mind is the compromise of the owners’ accounts. SushiSwap has developed a method that has given it an advantage over Uniswap. This method involves the migration of assets from one exchange to another. This is handled by the contract via a separate function, which only the owner of the contract has access to.
However, this migration can be adapted to any contract without restrictions. This turned out to be a big mistake. If the owner is compromised, this can lead to a new migration contract, which then sends all LP tokens in the farming pools to any address. This, in turn, would lead to a massive loss of the invested assets.
The problem is now known to the developers and will be removed immediately with upcoming forks. However, if it persists, it is definitely a red flag.
Another point to keep in mind is that with some MasterChef forks, the contract owner can change the emission rate indefinitely. However, if the account is compromised, the attacker can set the emission rate himself. This could lead to a drop in the value of the tokens.
There is a simple way to solve the problem. It is necessary to ensure that all functions available to the owner of the contract require authorization by a multisignature. So if individual addresses are compromised, malicious actors can not do much with it. Another option is to add a temporary lock (timelock-Contract) when calling the migration function. This gives the user more time to make a decision. The exchange would also have to notify you in the event of migrations or other suspicious transactions.
Add identical farming pools
Another fairly obvious, but overlooked problem occurs when the original contract does not take into account the processing of identical farm pools. As a result, the contract incorrectly calculates the farming profits.
However, with proper use of MasterChef, this is not a big issue, since the owners do not intentionally add identical pools. In properly functioning exchanges, such a thing is checked and the creation of a duplicate pool is strictly prohibited. So if you want to create a pool and you are about to create a duplicate of an existing pool, the system should report an error. Or suggest that you add your funds to the existing pool instead of creating a new one.
Amount of deposited tokens will not be charged
For some reason, people forget to consider what could happen if tokens with transfer commissions or rebase tokens are added to the MasterChef contract as pools. What happens is that there is a glitch in the calculation of rewards, because the contract code adds assets to pools only by calling certain functions. This means that adding tokens to the address will combine them with the assets already in the pool. However, the calculation of the rewards for such tokens could be incorrect, which leads to security vulnerabilities.
Properly running platforms should separately calculate the amount of funds transferred for farming. To do this, they check the amount actually transferred, taking into account the commissions. In this way, the reward is calculated correctly.
MasterChef: A Conclusion
MasterChef is a single smart contract that is used for yield farming by offering liquidity to DEXs. Unfortunately, there are some bugs that can be fixed during use. However, only if the user knows the errors and knows what they trigger.
We have discussed some problems that may arise and how to solve them. However, it should be noted that there are even more of them. These include dilution of rewards when tokens are not sent directly to the contract address, problems with starting block changes, gas optimization and more.
In other words, there are vulnerabilities and problems that you need to keep an eye on. By and large, however, MasterChef is a revolutionary smart contract that makes decentralized exchanges possible in the first place. So if you use it carefully, are aware of the problems and know how to solve them, everything should be fine.
About the authors
Gleb Zykov is co-founder and CTO of the DeFi security and analytics company HashEX. Vlad Korovnikov is a Junior Smart Contract consultant and developer.
Disclaimer
All information contained on our website is researched to the best of our knowledge and belief. The journalistic articles are for general information purposes only. Any action taken by the reader on the basis of the information found on our website is done exclusively at his own risk.