MasterChef has some vulnerabilities that can be fixed during use, but only if users are aware of these vulnerabilities and know what to do. Here is the workaround proposed by HashEx's Gleb Zykov and Vlad Korovnikov.
Decentralized exchanges (DEXs) were relatively rare two years ago. Today, however, it seems as if they are everywhere. Numerous projects have their own DEXs. This happens because if a blockchain project wants to launch a DEX, it doesn't have to develop it from scratch. Instead, the basis for the DEX code is often a fork of one of the two big DEXs, SushiSwap or PancakeSwap.
MasterChef Smart Contract
These two exchanges revolutionized the DEX space thanks to a special smart contract called MasterChef. MasterChef runs on both exchanges and therefore also on all other exchanges that arose from a fork of one of the two. Each new DEX has the same characteristics. However, this also means that everyone shares MasterChef's shortcomings and weaknesses.
So let's see what problems users and developers encounter when using MasterChef. What should you pay attention to? And how should the problems be addressed?
How does a DEX work?
The first thing to note is that a MasterChef contract is a smart contract written in Solidity. This smart contract controls how crypto farming works. In most projects, multiple smart contracts share this responsibility. However, for protocols based on MasterChef, this single contract takes care of everything related to farming.
Decentralized exchanges make it possible to exchange cryptocurrencies without having deposited money in the wallet of the exchange. Instead, funds from your personal wallet are stored on a smart contract. This leaves you as the only person in control of, and able to access, your own money, unless the contracts have backdoors or vulnerabilities.
Another difference is that centralized exchanges (CEXs) use order books for selling and buying, which means that they match buyers and sellers, while DEXs use AMM (Automated Market Maker) protocols for trading. These calculate the price of the assets depending on the invested liquidity.
Liquidity comes from liquidity pools. These are pools into which users can deposit their funds for specific trading pairs, making them available for trades. Then, when someone tries to buy assets with that pair, their request is immediately executed with the funds from the pool. Individuals who have deposited funds into the liquidity pool receive LP tokens for that specific pool. This gives them the right to receive rewards. And if they want their funds back, all they have to do is return the LP tokens they received.
As you may know, there are several ways to generate returns from crypto holdings. Farms allow additional rewards for providing liquidity. Users add liquidity to the DEXs, receive LP tokens and stake them in the farms.
MasterChef: Vulnerabilities and bugs
We have already explained to you how DEXs and liquidity pools work. So let's take a look at where MasterChef's weaknesses lie, how they affect the process, and what you need to do to keep things running smoothly.
Compromised Accounts
One of the biggest issues to watch out for is owner accounts being compromised. SushiSwap came up with a method that allowed it to gain an edge over Uniswap. This method involves migrating assets from one exchange to another. This is handled by the contract via a separate function that only the owner of the contract has access to.
However, the migration can be pointed at any contract without restrictions. That turned out to be a big mistake. If the owner account is compromised, the attacker can set a new migration contract, which then sends all LP tokens in the farming pools to any address. This would in turn lead to a massive loss of invested assets.
The problem is now known to the developers and will be removed immediately in future forks. However, if it is still present in a fork, it is definitely a red flag.
Another point to note is that some MasterChef forks allow the contract owner to change the emission rate without any limit. If the account is compromised, the attacker can set the emission rate himself. This could lead to a loss in value of the tokens.
There is an easy way to solve the problem. All functions available to the owner of the contract must require authorization through a multi-signature. Then, when individual addresses are compromised, there is not much that malicious actors can do with them. Another option is to add a temporary lock (timelock contract) when calling the migration function. This gives users more time to make a decision. The exchange would also have to notify users of migrations or other suspicious transactions.
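The timelock described above can be sketched as follows. This is an added example, not code from SushiSwap, PancakeSwap or HashEx; the contract name, the function names and the two-day delay are assumptions, and the owner is assumed to be a multi-signature wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: all names and the DELAY value are hypothetical.
contract MigratorGuard {
    address public immutable owner;          // assumed to be a multisig wallet
    uint256 public constant DELAY = 2 days;  // assumed waiting period

    address public migrator;                 // migrator currently in force
    address public pendingMigrator;          // candidate waiting out the delay
    uint256 public pendingEta;               // earliest time the candidate may be applied

    // Events give users and monitoring tools a signal to react to during the delay.
    event MigratorQueued(address indexed candidate, uint256 eta);
    event MigratorCancelled(address indexed candidate);
    event MigratorApplied(address indexed newMigrator);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address multisig) {
        require(multisig != address(0), "zero address");
        owner = multisig;
    }

    // Step 1: announce the new migrator. Nothing changes yet.
    function queueMigrator(address candidate) external onlyOwner {
        require(candidate != address(0), "zero address");
        pendingMigrator = candidate;
        pendingEta = block.timestamp + DELAY;
        emit MigratorQueued(candidate, pendingEta);
    }

    // The owner can withdraw a queued change, for example after a key compromise.
    function cancelMigrator() external onlyOwner {
        emit MigratorCancelled(pendingMigrator);
        delete pendingMigrator;
        delete pendingEta;
    }

    // Step 2: only after DELAY has passed does the migrator take effect.
    function applyMigrator() external onlyOwner {
        require(pendingEta != 0 && block.timestamp >= pendingEta, "timelock active");
        migrator = pendingMigrator;
        delete pendingMigrator;
        delete pendingEta;
        emit MigratorApplied(migrator);
    }
}
```

A watcher that alerts on `MigratorQueued` gives stakers the full delay to withdraw before a migration can run.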
Add identical farming pools
Another fairly obvious but easily overlooked problem is that the original contract does not handle identical farming pools correctly. If the same pool is added twice, the contract miscalculates the farming profits.
When MasterChef is used properly, however, this isn't a big issue, since the owners don't intentionally add identical pools. In properly functioning exchanges, this is checked and creating a duplicate pool is strictly forbidden. So if you want to create a pool and are about to create a duplicate of an existing pool, the system should report an error, or suggest that you add your funds to the already existing pool instead of creating a new one.
Amount of deposited tokens is not calculated
For some reason, people forget to consider what might happen if tokens with transfer commissions, or rebase tokens, are added as pools to the MasterChef contract. The reward calculation then goes wrong, because the contract code only accounts for assets added to pools through calls to certain functions. Tokens that are added to the contract address are simply combined with the assets already in the pool. The calculation of rewards for such tokens can therefore be flawed, leading to security vulnerabilities.
Properly running platforms should calculate the amount of funds transferred for farming separately. To do this, they check the amount actually transferred, taking into account the commissions. This way the reward will be calculated correctly.
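The duplicate-pool check and the measurement of the amount actually received can be combined in one small contract. This is an added example, not the MasterChef source; the contract name `FarmLedger` and all function and variable names are hypothetical, and the pool token is assumed to return a boolean from `transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added illustration: all names are hypothetical.
contract FarmLedger {
    struct Pool { IERC20 token; uint256 totalStaked; }

    address public immutable owner;
    Pool[] public pools;
    mapping(address => bool) public tokenListed;                    // duplicate-pool guard
    mapping(uint256 => mapping(address => uint256)) public staked;  // pid => user => amount
    bool private locked;                                            // reentrancy lock

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() { owner = msg.sender; }

    // Refuse to register a token that already has a pool.
    function addPool(IERC20 token) external returns (uint256 pid) {
        require(msg.sender == owner, "not owner");
        require(!tokenListed[address(token)], "pool already exists");
        tokenListed[address(token)] = true;
        pools.push(Pool({token: token, totalStaked: 0}));
        return pools.length - 1;
    }

    function deposit(uint256 pid, uint256 amount) external nonReentrant returns (uint256 received) {
        Pool storage pool = pools[pid];
        uint256 balanceBefore = pool.token.balanceOf(address(this));
        require(pool.token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Credit what arrived, not what was requested: a transfer commission makes them differ.
        received = pool.token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        staked[pid][msg.sender] += received;
        // Per-pool counter: reward shares can divide by this instead of the raw token
        // balance, so tokens sent straight to the contract address are not counted.
        pool.totalStaked += received;
    }
}
```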
MasterChef: A conclusion
MasterChef is a single smart contract used for yield farming by offering liquidity to the DEXs. Unfortunately, it has some bugs. They can be fixed while in use, but only if the user is aware of the errors and what triggers them.
We have discussed some problems that can occur and how to solve them. However, it should be noted that there are more of them. These include reward dilution when tokens are not sent directly to the contract address, issues with starting block changes, gas optimization, and more.
In other words, there are vulnerabilities and issues that you need to keep an eye on. Overall, however, MasterChef is a revolutionary smart contract that makes decentralized exchanges possible in the first place. So if you use it carefully, are aware of the problems and know how to solve them, you should be fine.