DESCRIPTION
Cakepie is a yield optimization protocol built upon PancakeSwap. It enables users to manage PancakeSwap V2/V3 positions and claim rewards and convert their CAKE token or locked CAKE positions from PancakeSwap on Cakepie. Users with voting powers can vote in Cakepie and votes will be cast to Pancake’s GaugeVoting. Cakepie also incorporates a bribe market where users can add bribes that are distributed to active voters. This audit only covers the contracts listed in the report. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope. Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations. In summary, we did not find any critical issues within the audited codebase. However, we have identified six non-critical issues that should be addressed. Additionally, we have put five recommendations to further strengthen the code logic, along with one note that should be taken into consideration. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we find 6 potential issues in the smart contract. We also have 5 recommendations and 1 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | Medium | Uninitialized state variables | Software Security | Fixed |
| 2 | Medium | Incorrect interface used for CakepieBribeManager |
Software Security | Fixed |
| 3 | Medium | Potential DoS to native token transfer due to insufficient gas | Software Security | Fixed |
| 4 | Low | Potential inconsistent pool identifier | Software Security | Fixed |
| 5 | Low | Potential inconsistent token pairs | DeFi Security | Fixed |
| 6 | Low | Insufficient check on the Pancakeswap pool | DeFi Security | Fixed |
| 7 | - | Implement usages for unused isActive flags |
Recommendation | Acknowledged |
| 8 | - | Add sanity checks before setting parameters | Recommendation | Fixed |
| 9 | - | Remove unused logic | Recommendation | Fixed |
| 10 | - | Fix typo in CakepieBribeRewardDistributor |
Recommendation | Fixed |
| 11 | - | Remove unused payable attribute |
Recommendation | Fixed |
| 12 | - | Centralization risk | Note | - |
More details are provided in the audit report.