Yield Robot

Summary

This smart contract has been reviewed by Fair Stamp. This is a smart contract similar to StableFund, in that it stores user funds and they are used in some third party application to trade, to generate yield.

The owner can rug pull with coupon function.

Contract Details

Backdoors

On line no: 1092: require(coupon.owner == msg.sender, “Not signature
owner”);

The owner can specify any address to give any amount of coupons.

Coupons can withdraw dividends, but not principal.

Owner Privileges

resetContract – Owner can change
anytime dev wallet.

setSigner – Owner can change anytime
signer wallet.

deposit – This function has the referrer you can see it’s the referral address. In the UI there should be an option that people can by default put the referral address otherwise 80% traffic will be redirected to by default address which is given by the owner in the backend. If the function has two value for example (a,b) it’s mean both has to be enter then the function will work. In their smart contract (uint256 _amount, address _referrer) so it’s my request to the owner put the input field on the UI so people can know where their referral rewards are going.

setCoupon – First of all let me explain to all my audit brothers that learn how the upgradable policy work on the functions. The upgradable policy is applied on this function it is a big warning that only owner can withdraw funds. Here is 100% exploit involved. Let me tell you that this function can be call by owner only. He can send the amount that how much he wants to take out of the smart contract.

Team Trust

The team has fake KYC.

Main Risk

Just hope the owner don’t use the coupon to rug pull, use tradebot to support tvl and do the real kyc it would help.

This is still an ROI Dapp that relies on funds invested to payout existing users. If the contract reaches $0 investors will not be paid out.