Bird.Money Lending Platform - Smart Contract Audit Report

Summary

Bird.Money ($BIRD)is building an off-chain oracle analytics and lending platform. We previously audited the team's token contract.

For this audit, we analyzed the project team's upcoming lending platform. The contracts are not yet deployed, but the mainnet addresses will be added to this report when available. We reviewed these contracts at commit 22a2bf5a784b9ab97c25edf2cab6b9d43e270968 on GitHub and at the addresses on Kovan below.

bToken Contracts & Market:
• These contracts allow users to mint bTokens for various assets (bUSDC, bBAT, etc.) in exchange for depositing collateral in the bToken's respective token. i.e. to mint bUSDC, deposit USDC as collateral. These bTokens are the assets used in the lending platform.
• Depositing assets to mint bTokens allows users to accrue interest on their deposits.
• Users also have the ability to borrow specific bTokens via their desired bToken contract.
• A new BirdPlus token is distributed to individuals who participate in the system as rewards.


• Each bToken (except bEther) has a Delegate (holding the true logic) and a Delegator (Proxy) contract.
• With the exception of name changes, all of these contracts are identical in logic (except bEther).
• The bEther contract does not have a proxy implementation and, while the result is the same (minting bETH using ETH), the underlying logic differs. This is primarily due to how tokens vs. ETH are dealt with in solidity.


• The admin has the ability to update the address of the bController address to use for the market and the interest rate model.
• The admin can also add and reduce the Reserves; transferring the excess to or from the admin.


SimplePriceOracle Contract:
• This contract holds price information on bTokens and their assets.
• Currently, anyone can set the price for a bToken in this contract.
• setDirectPrice and setUnderlyingPrice should not be publicly callable by any address.

BirdCore & BController Contract:
• These contracts allow the team to control and update key variables in the lending protocl.
• The BirdCore contract is controlled via a proxy contract (BController) and can be upgraded.
• The team can add & remove new token markets, update the address and rates associated with BirdPlus tokens, set the oracle address, and modify a few other key variables.
• The team can also pause borrowing, minting, liquidations, and transfers on the platform.

BirdPlus Contract:
• This contract holds BirdPlus tokens for various team members, associates, & a marketing fund; and releases them to those individuals after a certian period of time passes.
• The BirdPlus token contract did not appear in the GitHub we reviewed, but the one found on Kovan implements proper security to prevent overflows.

BirdOracle Contract:
• This contract is used by BIRD's off-chain oracle to provide pricing data to the ecosystem.
• The contract is secure but users must trust the BIRD off-chain oracle implementation.

Best Practices:
• Robust logging of events and errors.
• Usage of ReentrancyGuard in applicable functions to prevent re-entrancy attacks.
• Utilization of SafeMath to prevent overflows.
• The tokens properly follow the ERC20 standard.


Audit Findings Summary:
• No security issues from outside attackers were identified.
• Ensure trust in the team as they have substantial power in the ecosystem and are providing the oracle implementation. Their actions thus far have proven trustworthy.
• The team has agreed to use a multi-sig and/or timelock to control the platform based on our recommendation.
• Date: January 21st, 2021
• Update Date: January 26th, 2021 - Minor clarifications and notation of multi-sig ownership.
• Update #2 Date: January 30th, 2021 - Incorporation of minor recommended changes restricting functions to admins only and a name change of a function.

External Threats - Audit Results

• Go Home