PolyFund
- Completed
Audit Report
Commissioned: 31 Jul 2021
Completed: 04 Aug 2021

Contracts Audited
- FundToken: 0x4b0f2da2c4e7cc60f3b918461ec4f16ccc974622
- EmissionOracle: 0xd31f67b07da248e0f68eabd110143a8a4537d2dd
- MasterChef: 0xdA30Aae916417C9Ad8DE97Bb1d59395f2Dd905e4
- PolyReferral: 0xE42ce9eAC4b912471D724BCAd46A86Ae32D49082
- SeedVault: 0xdcfd912b50904B4d5745DfFe0D4d7a5097c82849

Issues
Risk Summary

| Risk | Found | Resolved | Partially Resolved | Acknowledged (no change made) |
|---|---|---|---|---|
| High | 4 | 3 | – | 1 |
| Medium | 5 | 1 | – | 4 |
| Low | 10 | 2 | – | 8 |
| Informational | 20 | 1 | – | 19 |
| Total | 39 | 7 | – | 32 |

From the technical side of things, PolyFund has taken a few reasonable steps to rectify the issues identified in our audit report, though a majority remain unresolved because the contracts have already been deployed to the Polygon network and the project owner does not seem keen on redeployment. As a result, the contracts are not entirely secure from a user’s perspective, as significant residual risk remains from vectors including but not limited to:
- Exploitation of the MasterChef contract if tokens with transfer taxes are added as pools.
- Users’ deposits and withdrawals reverting due to the Emission Oracle.
- Users’ deposits and withdrawals reverting when the fee address is set to the zero address.
- Excessive token minting from referral rewards.
The points above represent a small fraction of the issues that remain in the PolyFund contracts, but they are the most severe. Users wishing to interact with this project should exercise increased caution and monitor any queued Timelock transactions, especially those concerning the Token and MasterChef.
In addition to the aforementioned risks, there is no reasonable guarantee that the protocol will be successful or profitable to the average investor. The native token often drops very rapidly after launch, so we recommend that you carefully research the project and team and consider whether they are appropriate for you.
The following are the recommended minimum checks that you, as a potential or current user, should perform:
- Setting alerts for and monitoring Timelock transactions.
- Ensuring that the contract you approve and stake in matches the one we audited. This can be done by comparing the address with the one listed on the contracts page of our audit.
- Considering the risk that the native token’s value might drop rapidly simply due to the nature of yield farming. Carefully evaluating the team and project could help with assessing this.
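
The address comparison recommended in the list above, as an added example (it is not part of the audit report or of PolyFund's code): it compares all 40 hex digits against the five audited addresses listed on this page and flags addresses that match one of them only at the start and end, which is all a wallet's truncated display shows. The function names and the 4-digit edge length are assumptions of this example, and EIP-55 checksums are not validated.

```python
import re

# Addresses copied from the "Contracts Audited" list on this page.
AUDITED = {
    "FundToken": "0x4b0f2da2c4e7cc60f3b918461ec4f16ccc974622",
    "EmissionOracle": "0xd31f67b07da248e0f68eabd110143a8a4537d2dd",
    "MasterChef": "0xdA30Aae916417C9Ad8DE97Bb1d59395f2Dd905e4",
    "PolyReferral": "0xE42ce9eAC4b912471D724BCAd46A86Ae32D49082",
    "SeedVault": "0xdcfd912b50904B4d5745DfFe0D4d7a5097c82849",
}
_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(addr):
    """Return the address lowercased, or None if it is not 20 hex bytes."""
    addr = addr.strip()
    return addr.lower() if _ADDR.fullmatch(addr) else None


def check_address(candidate, edge=4):
    """Classify an address before approving or staking (hypothetical helper).

    Returns (verdict, contract_name):
      "audited"   - every hex digit equals an audited address
      "lookalike" - first and last `edge` hex digits equal an audited
                    address but the middle differs, so it would pass an
                    eyeball check of a truncated 0x1234...abcd display
      "unknown"   - well formed, but not in the audited set
      "malformed" - not a 20-byte hex address
    """
    norm = normalize(candidate)
    if norm is None:
        return ("malformed", None)
    refs = {name: a.lower() for name, a in AUDITED.items()}
    # Exact match first: compare the whole string, never a prefix/suffix.
    for name, ref in refs.items():
        if norm == ref:
            return ("audited", name)
    # Otherwise look for an address that only resembles an audited one.
    for name, ref in refs.items():
        if norm[2:2 + edge] == ref[2:2 + edge] and norm[-edge:] == ref[-edge:]:
            return ("lookalike", name)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample: MasterChef's first/last 4 digits, zeros between.
    fake = "0xda30" + "0" * 32 + "05e4"
    for a in (AUDITED["MasterChef"], fake, "0x" + "11" * 20, "0x1234"):
        print(a, check_address(a))
```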