20,000 USDC
Submission Details
Severity: high
Valid

Some ERC20 tokens will cause issues

Summary

Since the protocol has no specification for which ERC20s will be used with their Staking and Lender contracts, I am obligated to point out potential issues, some of the well known and not so well known issues that some ERC20 tokens can cause.

Vulnerability Details

  1. In both contracts mentioned above, as well as the Fees contract, the return value of token transfers is not checked. Since some tokens do not revert on failure but return `false` instead, a failed transfer is treated as successful, which leads to incorrect debt and staking-reward accounting.

  2. Some tokens implement a FEE-ON-TRANSFER mechanism, which can also lead to miscalculations and false assumptions: fewer tokens arrive than were sent, yet the balance in the Staking contract is incremented by the full amount, and the Lender receives less collateral or fewer loan tokens than it records, etc.

  3. Not all tokens have 18 decimals. Tokens with more decimals can yield disproportionately more rewards, and tokens with fewer decimals disproportionately fewer.

Again, some of these issues, by digging deeper, can cause HIGH impact losses, but due to the unknown nature of the protocol, until sponsor confirmation, I will keep this a MEDIUM, letting the judges decide.

Impact

User and protocol fund losses, miscalculations, unexpected behavior.

Tools Used

Manual Review

Recommendations

Use OpenZeppelin's SafeERC20 library and its safe methods for ERC20 transfers. For fee-on-transfer tokens, check the contract's balance before and after the deposit (stake) and use the difference between the two as the actual transferred value. Consider scaling the balances mapping values in the Staking contract to a chosen precision, most commonly 1e18, to ensure a fair reward distribution.
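The following is an added illustration written for this page, not the audited protocol's code or the submission's own. It places a minimal staking deposit that exhibits all three findings above (unchecked return value, fee-on-transfer credited at face value, raw token units used as reward weight) next to a version that applies the three recommendations: SafeERC20, balance-before/after accounting, and scaling balances to 18 decimals. Contract names, the `scale` field and the `decimals() <= 18` restriction are assumptions for the example; the token is assumed to implement `IERC20Metadata.decimals()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative deposit logic showing the three weaknesses (example only).
contract UnsafeStaking {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) { token = _token; }

    function stake(uint256 amount) external {
        // Return value ignored: a token that returns false instead of
        // reverting leaves the user credited for a deposit that never happened.
        token.transferFrom(msg.sender, address(this), amount);
        // Fee-on-transfer: the contract receives `amount` minus the fee,
        // but the full `amount` is credited. Raw units also mean a 6-decimal
        // token and an 18-decimal token are weighted very differently.
        balances[msg.sender] += amount;
    }
}

/// Same deposit with the recommendations applied (example only).
contract SafeStaking {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    // Multiplier that brings the token's native units up to 18 decimals
    // (assumption: tokens with more than 18 decimals are not supported).
    uint256 public immutable scale;
    // Balances stored in 18-decimal units regardless of the token's decimals.
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
        uint8 dec = IERC20Metadata(address(_token)).decimals();
        require(dec <= 18, "unsupported decimals");
        scale = 10 ** (18 - dec);
    }

    function stake(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        // safeTransferFrom reverts both on a `false` return and on a
        // non-standard token that returns nothing.
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Credit only what actually arrived, so a transfer fee is not
        // silently socialised across other stakers.
        uint256 received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        balances[msg.sender] += received * scale;
    }

    function unstake(uint256 amount18) external {
        // Require whole token units so no dust is stranded by the division.
        require(amount18 % scale == 0, "not a whole token unit");
        balances[msg.sender] -= amount18; // underflow reverts in Solidity 0.8
        token.safeTransfer(msg.sender, amount18 / scale);
    }
}
```

Two caveats a reviewer would raise on the hardened version: the balance-difference pattern measures what the contract holds, so if the token performs a callback to the sender during transfer (ERC777-style hooks), the deposit path needs the usual reentrancy guard as well; and a transfer fee is also charged on the way out in `unstake`, so the protocol must decide whether the withdrawing user or the pool absorbs it.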
