DESCRIPTION
Pancake launched a governance project VECake for voting. VECake enables users to acquire voting powers by depositing their CAKE tokens. These voting powers empower users to vote on Pancake Gauge weights.
The core contracts covered in this audit include VECake and GaugeVoting. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Pancake team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 6 potential issues in the smart contract. We also have 2 recommendations and 2 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | Low | Inconsistent lock time limits | Software Security | Fixed |
| 2 | High | Incorrect operator precedence | Software Security | Fixed |
| 3 | Low | Flawed code logic that cannot update the first added gauge info | Software Security | Fixed |
| 4 | Low | Lack of sanity check on admin voting weight | Software Security | Fixed |
| 5 | High | Lack of updates on gaugeChangesWeight and gaugeTypeChangesSum |
Software Security | Fixed |
| 6 | High | Inconsistent designs related to boostMultiplier |
DeFi Security | Fixed |
| 7 | - | Fix typos | Recommendation | Fixed |
| 8 | - | Remove debugging codes | Recommendation | Fixed |
| 9 | - | Potential centralization risk | Note | - |
| 10 | - | Ensure the proper use of function totalSupplyAtTime and balanceOfAtTime |
Note | - |
More details are provided in the audit report.