Risk on Ramen Swap

Overview

RamenSwap is a community driven Yield Farming and DeFi Yield Aggregator on Binance Smart Chain.

Investor

N/A

Partner

N/A

Stats

Total value locked: $ 2,283,755.109

Market Cap: $ 1,386,787,76

                                                             UTC 2021.04.14 06:40

Token

NAME: RAMEN

Type: BEP-20

RAMEN Token Distribution:

Total Supply: 1,793,291.43

Circulating Supply: 1,793,291.43

Usage:

Mining Rewards

Official Links

Website: https://ramenswap.finance/

Contracts on BSC: 0x4F47A0d15c1E53F3d94c069C7D16977c29F9CB6B

Audit Report: Certik:

Risk Framework

  1. The comment in line L122, mentioned // XXX DO NOT add the same LP token more than once. Rewards will be messed up if you do.
    The total amount of reward reward in function updatePool() will be incorrectly calculated if same LP token is added into the pool more than once in function add().
    However, the code is not reflect as the comment behaviors as there isn’t any valid restriction on preventing this issue.
    The current implementation is relying on the trust of the owner to avoid repeatedly adding same LP token to the pool, as the function will only be called by the owner

  2. An exploit in the interaction between the MasterChef contract and the RamenSoup contract was abused by bad actors. Previously when CAKE was staked, an equal amount of SYRUP tokens would be minted. Once the CAKE was unstaked and withdrawn, the SYRUP tokens would be burned. The specific exploit here was that if a user used the emergencyWithdraw() function in the MasterChef contract to withdraw their staked CAKE, the corresponding SYRUP tokens would not be burnt as intended. This allowed bad actors to repeatedly mint more SYRUP tokens with their CAKE tokens.