Read the findings of the 2022 Web3 Security Report

The contract is serving as the underlying entity to interact with the third parties, the following is a list of contracts and interfaces. The scope of the audit treats 3rd party entities as black boxes and assumes their functional correctness. However, in the real world, 3rd parties can be compromised and this may lead to lost or stolen assets. In addition, upgrades of 3rd parties can possibly create severe impacts, such as increasing fees of 3rd parties, migrating to new LP pools, etc.

- `ITrimLp`
- `Iminer`
- `Iburn`
- `usd`
- `meer`
- `swapLP`
- `safeToken`

Third Party Dependencies

In the contract `MinterAccess` the role `_owner` has authority over the functions shown in the diagram below.

Any compromise to the `_owner` account may allow the hacker to take advantage of this authority.

![](https://accelerator-tasks-prod.s3.amazonaws.com/9c4f69fd971e4571b35ce515272e7928/diagrams/centralization-MinterAccess-_owner.svg)

---

In the contract `BMeer`, the role `Minter` has authority over the following functions:

- mint(): Add `amount` number of `MEER` tokens to any given address

Any compromise to the `Minter` account may allow a hacker to take advantage of this authority

Centralization Risk in BMeer.sol

The contract has unlocked compiler version. An unlocked compiler version in the source code of the contract permits the user to compile it at or above a particular version. This, in turn, leads to differences in the generated bytecode between compilations due to different compiler versions. This can lead to an ambiguity when debugging as compiler specific bugs may occur in the codebase that would be hard to identify over a span of multiple compiler versions rather than a specific one.

Unlocked Compiler Version

One or more state changes do not emit events to pass the changes out of the chain.

File: projects/Relation.sol (Line 28, Function `Relation.setMaxNmber`)
```solidity
        maxNmbrella =  _maxNmbrella;
```

---
File: projects/stake/StakeLP.sol (Line 177, Function `StakeMeerLp.setShareNetRate`)
```solidity
        shareNetRateEPX_RATE = _rate;
```

---
File: projects/stake/StakeLP.sol (Line 187, Function `StakeMeerLp.setMintRateEPX_RATE`)
```solidity
        mintMeerRate_EPX_RATE = _mintRate;
```

---
File: projects/stake/StakeLP.sol (Line 23, Function `Owner.setOwner`)
```solidity
        _owner = _owner_;
```

Missing Emit Events

In the contract `Relation` the role `_owner` has authority over the functions shown in the diagram below.

Any compromise to the `_owner` account may allow the hacker to take advantage of this authority.

![](https://accelerator-tasks-prod.s3.amazonaws.com/9c4f69fd971e4571b35ce515272e7928/diagrams/centralization-Relation-_owner.svg)

Centralization Risk in Relation.sol

In the contract `AssetCustody` the role `_owner` has authority over the functions shown in the diagram below.

These `withdraw()` methods can extract the assets of these vault contracts.

Any compromise to the `_owner` account may allow the hacker to take advantage of this authority.

![](https://accelerator-tasks-prod.s3.amazonaws.com/9c4f69fd971e4571b35ce515272e7928/diagrams/centralization-AssetCustody-_owner.svg)

In the contract `Owner` the role `_owner` has authority over the functions shown in the diagram below.

Any compromise to the `_owner` account may allow the hacker to take advantage of this authority.

![](https://accelerator-tasks-prod.s3.amazonaws.com/9c4f69fd971e4571b35ce515272e7928/diagrams/centralization-Owner-_owner.svg)

In the contract `StakeMeerLp` the role `_owner` has authority over the functions shown in the diagram below.

Any compromise to the `_owner` account may allow the hacker to take advantage of this authority.

![](https://accelerator-tasks-prod.s3.amazonaws.com/9c4f69fd971e4571b35ce515272e7928/diagrams/centralization-StakeMeerLp-_owner.svg)

Centralization Risk in StakeLP.sol

When the `stake()` function is called, the user deposits USDT and records the amount. However, when `unStake()` is called, there is no logic or code to return the USDT to the user.

Lack of Asset Transfer at unStake() Function

When users call the `_withdrawLpAllFor()` function, it is necessary to check if the current time matches the unlock time. The code for current verification is commented out.

Missing Check For Unlock Time

Without validating the caller of the `claimFor()` method, anyone can call the `claimFor()` method and specify the `_owner_` address. This may cause users to be forced to withdraw their own rewards.

Lack of Access Control on `claimFor()`

The return value of an external call is not stored in a local or state variable.

File: projects/stake/StakeLP.sol (Line 614, Function `StakeMeerLp._mining`)
```solidity
        IMiner(minerPool).mining();
```



Unused Return Value

The name of the variable `rewrods` has a spelling mistake, it should be `rewards`.

The name of the function `upDateNet()` has a case error, it should be `updateNets()`.

The comment of the `stake()` function is incorrect. It should be `添加质押` instead of `赎回`.

The comment of the `unstake()` function is incorrect. It should be `赎回` instead of `添加质押`.

Typo and incorrect comments

When calculating awards for deposits, there are two `EPX_RATE`s in the denominator. When calculating the award for a stock, there is only one `EPX_RATE` in the denominator.

Is this because the reward multiplier for deposits is the product of a time multiplier and a quantity multiplier? The code logic should match the design intent

Number of denominator EXP_RATE

Meerdefi

Meer Defi

Highlights & Alerts

This is just a placeholder

highlight placeholder lorem Ipsum...

highlight lorem

This is a alert demo

Alert demo

Code Audit History

12

0

11

0

1