About Trader Joe
Trader Joe is a multi-functional DeFi trading platform on the Avalanche Blockchain. Users can trade, lend, stake, and participate in launch events for newly issued tokens.
Trader Joe’s differentiates itself from classic decentralized exchanges such as Uniswap by combining DEX with lending and leveraged trading.
At the time of writing this post, Trader Joe is offering users these features:
- trade between tokens using AMM;
- farm and earn rewards by staking LP tokens;
- stake JOE tokens to earn rewards in the form of stablecoins or more JOE tokens;
- borrow other token through Banker Joe platform;
- participate in the launch events for newly issued tokens.
To learn more about Trader Joe, read the official documentation here.
About the audit
Between February 7 and March 4, 2022, the Ackee Blockchain security team performed an audit of Trader Joe’s following contracts:
During the audit, the Trader Joe and Ackee Blockchain teams agreed on the extension of the audit scope based on issues found in the audit. The whole auditing process was performed with a total time donation of 15 engineering days.
During the security review, special attention was paid to the following questions:
- Is the correctness of the two contracts ensured?
- Do the contracts correctly use dependencies or other contracts they rely on, namely JoePair?
- Are access controls not too relaxed or too strict?
- Are the upgradeable contracts subject to common upgradeability pitfalls?
- Is the code vulnerable to re-entrancy attacks, either through ERC777-style contracts, or maliciously supplied user input?
The audit methodology for Trader Joe consisted of:
- Technical specification/documentation – a brief overview of the system is requested from the client, and the scope of the audit is defined.
- Tool-based analysis – deep check with automated Solidity analysis tools and Slither is performed.
- Manual code review – the code is checked line by line for common vulnerabilities, code duplication, best practices and the code architecture is reviewed.
- Local deployment + hacking – the contracts are deployed locally and we try to attack the system and break it.
- Unit and fuzzy testing – run unit tests to ensure that the system works as expected, potentially write missing unit or fuzzy tests.
The Trader Joe development team is aware that the security of smart contracts is a crucial aspect of every cryptocurrency protocol, and that’s why Trader Joe engaged Ackee Blockchain to conduct a follow-up audit of the new BoostedMasterChefJoe contract. The follow-up audit was performed between March 14 and March 18, 2022.
Findings
In the first audit, we identified 18 findings: 4 warning severity, 3 informational severity, 1 low severity, 3 medium severity and 7 high severity issues. The most critical was that a denial of service could occur in BoostedMasterChefJoe under relatively common circumstances (see H1 in the audit report).
It is worth mentioning that the contract was not deployed on the mainnet, and we at Ackee Blockchain are happy to contribute to the security of the Trader Joe protocol.
As mentioned above, based on the first audit report (especially on the critical issue), the Trader Joe team decided to re-write the whole BoostedMasterChefJoe smart contract, and then the follow-up audit was conducted. It resulted in 7 findings: 2 warning severity, 1 informational severity, 1 low severity, 1 medium severity and 2 high severity issues.
Conclusion
After the first audit, we recommended Trader Joe to:
- heavily test BoostedMasterChefJoe with our fuzzing model;
- address all reported issues;
- build on top of the fuzzing model during future development and use it to test the safety and correctness of any future code.
After the follow-up audit, we recommended Trader Joe to:
- expand on our earlier fuzzing model to heavily test the new BoostedMasterChefJoe contract;
- address all reported issues;
- build on top of the fuzzing model during future development and use it to test the safety and correctness of any future code.
We were delighted to audit Trader Joe and look forward to working with them again.
The full Ackee Blockchain audit report of Trader Joe with a more detailed description of all findings and recommendations can be found here. The follow-up audit of the new BoostedMasterChefJoe can be found here.
