CFC-01
We are aware of risks that come with 3rd party contracts and are monitoring them.
CFC-02
We are aware of risks and will not support fee-on-transfer tokens.
MCC-01
Using x <= 0 is not cheaper compared to x == 0 (both use equal amount of gas).
MCC-02
MCC-03
MCC-04
addPendingClaims was deprecated in favor of adding pendingRewards when they would be harvested (deposit and withdraw).
https://github.com/CubFinance/polycub-contracts/blob/master/contracts/MasterChef.sol#L479
https://github.com/CubFinance/polycub-contracts/blob/master/contracts/MasterChef.sol#L528
MCC-05
Already resolved on jan-19-2022
See: https://github.com/CubFinance/polycub-contracts/blob/master/contracts/MasterChef.sol#L346
https://github.com/CubFinance/polycub-contracts/blob/master/contracts/MasterChef.sol#L396
MCC-06
Already resolved
See: https://github.com/CubFinance/polycub-contracts/blame/master/contracts/MasterChef.sol#L381
MCC-07
PENALTY_ADDRESS will be set to xStaker contract (fees are ditributed back to stakers), while governance will be set to a timelock.
MCC-08
Already resolved, see: https://github.com/CubFinance/polycub-contracts/blame/master/contracts/MasterChef.sol#L404
MCC-09
Resolved: https://github.com/CubFinance/polycub-contracts/commit/b324fa5a22591069d68d2c4ec98d485c7a2cf16a, instead of using require we just set limit to array length
MCC-10
MCC-11
Function is now used here: https://github.com/CubFinance/polycub-contracts/blame/master/contracts/MasterChef.sol#L381
MCC-12
MCC-13
We are aware of dangers of centralization, ownership will be transferred to a timelock (and maybe DAO later).
SCF-01
SCF-02
SCF-03
We are aware of centralization risks.
SCF-04
Tokens in xStaker are not meant to be deposited in MasterChef, see: https://docs.sushi.com/products/yield-farming/the-sushibar
xStaker contract is collecting penalty tokens, so by depositing tokens, users buy share of the penalty (+ part of the inflation).
SCF-05
Yes, users only deposit/withdraw Polycub tokens to xStaker. Only deposited token is "fake" token, so xStaker contract can also receive part of the inflation, which is then distributed to xPolycub holders. Rewards from masterchef are claimed every time someone tries to withdraw.
SCF-06
SVC-01
We are aware of centralization risks.
SVC-02
We are aware of risks that come with integration of 3rd party contracts.
SVC-03
SVC-04
We are aware of centralization risks.
SVC-05
Gov cannot get want and reward tokens (see: https://github.com/CubFinance/polycub-contracts/blob/master/contracts/vaults/SushiVault.sol#L2162), and underlying tokens should never stored in the contact, when compounding, they are immediately added to lp.
SVC-06
In my opinion, zero address checks in constructor are unnecessary, since they aren't deployed by anyone else than the team.
SVC-07
Yes
TCF-01
Owner is masterchef address.