Since the protocol has no specification for which ERC20s will be used with their Staking and Lender contracts, I am obligated to point out potential issues, some of them well known and some not so well known, that some ERC20 tokens can cause.
In both contracts mentioned above, as well as the Fees contract, the return value of token transfers is not checked, and since some tokens do not revert on failure, issues can arise regarding debts and staking rewards.
Some tokens implement a FEE-ON-TRANSFER mechanism, which can also lead to miscalculations and false assumptions, such as fewer tokens being sent but the balance being incremented by more in the Staking, fewer collateral or loan tokens being received in the Lender, etc.
Not all tokens have 18 decimals. As such, tokens with a large number of decimals can lead to more rewards being yielded, and vice versa: fewer rewards for tokens with fewer decimals.
Again, some of these issues, by digging deeper, can cause HIGH impact losses, but due to the unknown nature of the protocol, until sponsor confirmation, I will keep this a MEDIUM, letting the judges decide.
User and protocol fund losses, miscalculations, unexpected behavior.
Manual Review
Use OpenZeppelin's SafeERC20 library and its safe methods for ERC20 transfers. For fee-on-transfer tokens, check the balance before and after the deposit (stake) and use the difference between the two as the actual transferred value. Consider scaling the balances mapping values in the Staking to a chosen decimal, 1e18 most commonly, to ensure a fair reward distribution.
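The three recommendations combined in one deposit path, as an added sketch that is not the audited protocol's code. The contract name StakingSketch, its function names and the choice to reject tokens with more than 18 decimals are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract for illustration; not the audited Staking contract.
contract StakingSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable stakingToken;
    // Multiplier that brings raw token units up to 18 decimals.
    uint256 public immutable scale;
    // Stored in 1e18-scaled units so reward math is decimal-independent.
    mapping(address => uint256) public balances;

    constructor(IERC20Metadata token) {
        uint8 d = token.decimals();
        // Assumption: tokens with more than 18 decimals are not supported.
        require(d <= 18, "decimals > 18 unsupported");
        stakingToken = IERC20(address(token));
        scale = uint256(10) ** (18 - d);
    }

    function deposit(uint256 amount) external {
        uint256 balanceBefore = stakingToken.balanceOf(address(this));
        // Reverts if the token returns false; accepts tokens that return nothing.
        stakingToken.safeTransferFrom(msg.sender, address(this), amount);
        // Credit what actually arrived, not what was requested (fee-on-transfer).
        uint256 received = stakingToken.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        balances[msg.sender] += received * scale;
    }

    function withdraw(uint256 amount) external {
        // amount is in raw token units; storage uses the scaled unit.
        // Checked arithmetic in 0.8+ reverts if the caller's balance is too low.
        balances[msg.sender] -= amount * scale;
        stakingToken.safeTransfer(msg.sender, amount);
    }
}
```

With a fee-on-transfer token the recipient of a withdrawal still receives less than `amount`, but the contract's own accounting stays consistent with the tokens it holds.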