Between February 7 and March 4, 2022, the Ackee Blockchain Security Team performed an audit of the following Trader Joe contracts:

  1. MoneyMaker 
  2. StableJoeStaking 
  3. VeJoeToken 
  4. VeJoeStaking 
  5. BoostedMasterChefJoe

During the audit, the Trader Joe team and the Ackee Blockchain team agreed to extend the audit scope based on issues found in the audit. The whole auditing process took a total of 15 engineering days.

The Trader Joe development team is aware that the security of smart contracts is a crucial aspect of every cryptocurrency protocol, which is why Trader Joe engaged Ackee Blockchain to conduct a follow-up audit of the new BoostedMasterChefJoe contract. Our Security team at Ackee Blockchain performed that audit between March 14 and March 18. It followed up on our earlier audit, in which we reviewed the previous BoostedMasterChefJoe contract.

What is Trader Joe?

Trader Joe is a one-stop shop for decentralized trading on the Avalanche network. Users are able to trade, lend, stake and participate in launch events for newly issued tokens.

Trader Joe differentiates itself from classic decentralized exchanges such as Uniswap by combining a DEX with lending and leveraged trading.

At the time of writing this post, Trader Joe offers users these features:

  • Trade between tokens using AMM
  • Farm and earn rewards by staking LP tokens
  • Stake JOE tokens to earn rewards in the form of stablecoins or more JOE tokens
  • Borrow other tokens through the Banker Joe platform
  • Participate in the Launch events for newly issued tokens

A summary of the audits and their findings follows.

Our audit methodology for Trader Joe consisted of:

  1. Technical specification/documentation – a brief overview of the system is requested from the client and the scope of the audit is defined.
  2. Tool-based analysis – deep check with automated Solidity analysis tools and Slither is performed.
  3. Manual code review – the code is checked line by line for common vulnerabilities, code duplication, best practices and the code architecture is reviewed.
  4. Local deployment + hacking – the contracts are deployed locally and we try to attack the system and break it.
  5. Unit and fuzz testing – unit tests are run to ensure that the system works as expected, and missing unit or fuzz tests are written where needed.

What were our findings?

In the first audit, performed between February 7 and March 4, we identified seven low severity issues, seven medium severity issues, two high severity issues, and one critical severity issue by using our toolset, manual code review, and unit testing.

High severity issues are security vulnerabilities, which require specific steps and conditions to be exploited, or bugs that make a system unusable or unreliable. These issues had to be fixed.

Critical severity issues are direct critical security threats that could be instantly misused to attack the system and lead to the direct loss of user funds. These issues had to be fixed immediately.

It is worth mentioning that the contract was not deployed on the mainnet and we at Ackee Blockchain are happy to contribute to the security of the Trader Joe protocol.

As we mentioned above, based on our audit report (especially on the basis of the critical issue), the Trader Joe team decided to rewrite the whole BoostedMasterChefJoe smart contract, and we then agreed with Trader Joe to perform a follow-up audit of the new BoostedMasterChefJoe smart contract.

The follow-up audit was performed between March 14 and March 18. In the audit, we reviewed the new BoostedMasterChefJoe contract with newly added features.

In the follow-up, we identified three low severity issues, three medium severity issues and one high severity issue by using our toolset, manual code review, and unit testing.

We are delighted to audit Trader Joe and we are looking forward to working with them again.

The full Ackee Blockchain audit reports are here:

Trader Joe x Ackee Blockchain audit-1

Trader Joe x Ackee Blockchain audit-2