Smart contract read — Advanced Crypto Strategies

getUnrekt
ACryptoS


Advanced Crypto Strategies ($ACS) is an auto yield farming protocol on the Binance Smart Chain, currently focused on optimizing yield returns from PancakeSwap ($CAKE) offerings.

This complementary protocol extends PancakeSwap's offerings, and possibly preserves the “total value locked” (TVL) for PancakeSwap by encouraging yield farmers to commit their PancakeSwap LP and $CAKE tokens for a longer-term strategic play.

We will attempt a Smart Contract read here, explaining the code in a simple way, in the hope that the non-tech audience may understand the contracts they are interacting with a little better.

Short disclaimer: the goal of this article is to highlight the key changes made to the various known smart contracts used for the ACS deployment. We will attempt to explain the changes as simply as possible, keeping technical content to a minimum. This article is not a smart contract audit, nor should it be used to judge the safety of the protocol.

It’s a long read, so grab a coffee. While the language is kept simple, an attentive mind will be required …

Non technical readers may skip the red and green blocks

Developer doctrine

ACryptoS, the developer for this protocol/project, attempts to create value by reusing battle tested known code from other projects with minimal changes. The idea is to minimize the possibility of introducing new smart contract bugs or exploits.

By keeping the modifications minimal and simple, the smart contract risk for the protocol can be minimized.

The following smart contracts were cloned :

  1. Yearn Finance’s Vault Controller
  2. Sushiswap’s masterchef Farm Controller
  3. Yearn Finance’s Yvault for the various Vault
  4. Yearn Finance’s strategies

Full Contract List : https://app.acryptos.com/contracts/

Scope of this contract reading

We will be covering the following :

  1. Farm controller contract
  2. Vault controller contract
  3. ACS Token
  4. Cake Vault *
  5. ACS4 stableswap

*The other vault contracts are copies of the original Cake Vault contract. A full verification for the copies will not be covered here.

Farms Controller Contract

Farm Contract : 0xeaE1425d8ed46554BF56968960e2E567B49D0BED

Original Contract : Sushiswap Masterchef Contract

Key changes :

  • removal of migrator
  • changeable reward parameters
  • withdrawal fee — goes to acsACS (ACS Vault)
  • acsACSReward minting — 33% of supply, 10% for dev

Migrator

The original Sushiswap migrator functions are scrubbed from the farm contract entirely. We’ve screenshotted Sushiswap’s original code here for clarity. This code is NOT found in ACryptoS’s deployment.

These migrator functions are notoriously used by various malicious projects to drain users’ LP pairs. ACS is safe from such unauthorized migration.

[Screenshot: original Sushiswap migrator function, not found in ACS contracts]
[Screenshot: original Sushiswap migrate and setMigrator functions, not found in ACS contracts]

Fees

Fees and variables within the code match the ACS documentation.

(Divide the number by 100, e.g. 3333 = 33.33%.)

[Screenshot: various variables denoting ‘$acs to vault’ and dev fees]
[Screenshot: farm yield minting (to LP holders + dev)]

Harvest fees

To enable the harvest fee mechanism, changes are made to the deposit and withdrawal functions (default: 10 ACS withdrawal fee).

[Screenshot: deposit function]
[Screenshot: withdrawal function]

Developer accessible variables

There are some additional hooks that the developer can use to tweak the farm fees and structures.

These hooks allow the developer to change these variables through a timelock contract.

Timelock contract: a common operational security measure in many DeFi projects. A developer-initiated action has a set delay before activation (6 hours in ACS’s case), making such actions transparent to all users. However, users of the protocol should monitor the transactions of the timelock contract as part of their due diligence and as a check and balance. (Everyone has a role to play!)

Bonus:

setWithdrawalFee(uint256 _withdrawalFee) { }

The harvest fee is an integer (whole number) and can’t be a percentage of the harvest.

Set of owner-only callable functions.
The owner of the farm contract is the timelock contract.

For example, the current ACS emission per block is set up with the following tx:

0xac5e16b0809fb8dd9281570f8e1ca7567797888c74aca6a9a9f43c7b773a2cb9

Edit (24th Nov 2020): the emission was corrected from 88888888888888900 to 88888888888888888 via the following transaction (timelocked)

88888888888888900 / 10¹⁸ = 0.088888888888889 ACS per block (as per the documentation)

Vault Controller Contract

Vaults Controller: 0xeb8f15086274586f95c551890A29077a5b6e5e55

Original Contract: Yearn’s Vault Controller

Key changes: NONE!

Apart from a variable name change from “IStrategy” to “Strategy” throughout the contract, it is an exact copy of Yearn’s vault controller.

[Screenshot: Yearn’s original]
[Screenshot: ACryptoS’ implementation]

ACS Platform Token

Token Contract : ACS Token (BEP-20 Token)

Developer initial mint of ACS Token (dev share) :
(note divide by 10¹⁸ ~ 8888.88 ACS)

Initial Mint transaction

Only the developer has minting access (performed through a timelock contract).

Timelock Contract: 0xfd6e996C8960D521E3D2624cc4c6648cFA1217b7

Cake Vault

Cake Vault: 0xB6eB654FBDc697edD73174a19B074BC67c00a0C0

Original Contract : Yearn’s Vault

Key Changes :

  • Defaults to zero minimum tokens in the vault (100% of the CAKE balance is utilized).
  • Calls earn() at the end of deposit().
(Note: divide 10000 by 100.)

Changes are minimal.

The earn() function is called upon every deposit (free compounding!!)

Cake Strategy Contract: 0x4Fb1ba482A7F66863317452D0835d87aD8AB17f5

This Strategy Contract is pretty much the original work of ACryptoS, a custom contract to interact with CAKE farms/pools. A full reading of the contract would be too technical for the purpose of this article. Chunks of code were lifted from Curve, Pancake, Uniswap and Yearn to form the strategy.

Some key variables of interest are highlighted here:

Fees are as documented (note: divide by 100).

ACS4 stableswap

Pool: 0xb3F0C9ea1F05e312093Fdb031E789A756659B0AC

Original Contract : Curve FI’s stableswap (Vyper language)

Key Changes :

  • Addition of a publicly callable admin_fee_address for strategy contract changes (the developer has access to this function externally).
Only the developer can set admin_fee_address (good).

The stableswap pool contract is largely a clone of Curve’s offering, with minimal code changes.

Only the dev or admin_fee_address can withdraw admin fees to admin_fee_address.

At the time of writing, this latest offering from ACS is just a few days old; naturally, it is not yet placed under any timelock contract, to allow for further tweaks. However, the risk is low: the maximum potential loss is the admin_fee getting redirected, while the underlying assets stay safe.

Some final words

We are supportive of Acryptos’ approach for the ACS project.

The ACS project code is functional and, for most code geeks, easy to understand. The use of known contracts (some audited by third parties as well) greatly helps to secure the protocol. A diffchecker or good old unix diff will aid the reading greatly.

Cloned code ~ the beauty of the open source movement and the blockchain community in general; anyone and everyone can contribute to the code base if they wish. Innovate beyond the original protocol and build code on top, instead of rehashing similar concepts from the ground up again.

We hope this article helps readers who don’t code, or who are less familiar with the Solidity language, to grasp some of the finer details of a contract read.

Spotting vulnerabilities within a smart contract is an entirely different ball game. Experience helps greatly, and we humans still miss some of the obvious ones at times.
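
The clone checks made in this read (migrator removed from the farm contract; the vault controller differing only by the “IStrategy” to “Strategy” rename) can be scripted instead of eyeballed. The following is an added example, not code from ACryptoS or from the original article; the two Solidity snippets are constructed miniatures rather than the real sources, and normalize, clone_delta and needs_review are hypothetical helper names.

```python
import difflib
import re

# Constructed miniature sources, NOT the real Sushiswap/Yearn/ACS code.
UPSTREAM = """\
// upstream farm (constructed)
contract Farm {
    IMigratorChef public migrator;
    IStrategy public strategy;
    function setMigrator(IMigratorChef _migrator) public onlyOwner {
        migrator = _migrator;
    }
    function deposit(uint256 _pid, uint256 _amount) public {}
}
"""
FORK = """\
contract Farm {
    Strategy   public strategy;
    uint256 public withdrawalFee;
    function setWithdrawalFee(uint256 _withdrawalFee) public onlyOwner {
        withdrawalFee = _withdrawalFee;
    }
    function deposit(uint256 _pid, uint256 _amount) public {}
}
"""

def normalize(src, renames=()):
    """Drop comments, apply known-benign renames, collapse whitespace."""
    # Simplification: a '//' inside a string literal would also be stripped.
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)
    for old, new in renames:
        src = re.sub(rf"\b{re.escape(old)}\b", new, src)
    return [" ".join(l.split()) for l in src.splitlines() if l.strip()]

def clone_delta(upstream, fork, renames=()):
    """Lines removed from / added to the upstream once cosmetics are ignored."""
    diff = list(difflib.ndiff(normalize(upstream, renames), normalize(fork)))
    removed = [d[2:] for d in diff if d.startswith("- ")]
    added = [d[2:] for d in diff if d.startswith("+ ")]
    return removed, added

def needs_review(added, watch=("migrat", "onlyOwner", "mint", "delegatecall")):
    """Added lines touching privileged or fund-moving logic need a manual read."""
    return [l for l in added if any(w in l for w in watch)]

if __name__ == "__main__":
    removed, added = clone_delta(UPSTREAM, FORK, [("IStrategy", "Strategy")])
    print("removed:", removed, "\nadded:", added, "\nreview:", needs_review(added))
```

Everything left in the added list is what the fork's developer actually wrote, which is where the reading effort belongs; owner-only setters found there are the ones to check against the timelock.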

In code we trust.

https://unrekt.net — Ethereum and BSC Smart Contract approval toolbox