Decentralized Bank (DeBa) - Smart Contract Audit Report

Summary

Decentralized Bank (DeBa) provides high-return compound interest on assets and rewards. The platform enables users to earn compounding interest on their assets while also earning the platform's native token as a reward.
The DeBa suite of contracts includes a token, a rewards management protocol, and a series of separate pools for smarter yield farming.

Audit Findings Summary:
  • Users can stake a series of assets or LP tokens to earn interest/fees as well as DeBa's native reward token.
  • The 'Agent' address that controls the ecosystem is an EOA wallet, not a governance contract. This wallet has the ability to move users' funds deposited in vault/strategy contracts.
  • The 'Agent' can update a vault's strategy and governance (controller) addresses at any time. The 'Agent' also has the ability to mint tokens and lock/unlock users' ability to deposit/withdraw.
  • Flash loan protections are applied inconsistently and can be circumvented via a whitelist on some vaults.
  • Investing requires placing considerable trust in the project team, which holds substantial power in the ecosystem.
  • No security issues from outside attackers were identified.
  • Date: December 16th, 2020

General Contracts

Name | Address | Description
Storage | 0xBd26108CEdCD6408EFb2FB8f2D91FDd0a25af887 | Governance storage for Reward Token.
Reward Token | 0xB565CaD9DfDd50D48396672DF7aE4979f7832437 | DEBA Reward Token.
UniSwap Reward Token Pair WETH | 0x9245c872cb8404e3f89bb5c39410a82303faa566 | Uniswap Pool for DEBA-ETH. Note: this contract was deployed by the Uniswap Factory and was not audited.
Fee Forwarder | 0x08180336c8AD0B986B74C7CcC2779275B05F20d1 | Fee Forwarder which pays the DIVIDEND staking vault its share of profit.
Agent | 0x89DaCFd0793750cf91a2Cd7B27615862149b293B | Off-chain agent handling minting, distribution, harvesting profits and other infrastructure controls. Note: the Agent is an EOA wallet, not a contract.
Treasury | 0x1F6da7159E36c05b88EE67Db907188D6b4B6F0D8 | Treasury for developer operations, R&D and marketing. Receives 10% of minted DEBA. Note: the Treasury is a Gnosis Safe, deployed by the Gnosis Safe Proxy Factory and not audited by our team.
Dividend Autostake | 0x7532AA488acE3BB2Fe72170BD62B77bd00e91d68 | The AUTOSTAKE contract for the DIVIDEND vault which compounds staked DEBA.


Vault Contracts

Notes on the Vault Contracts:
  • The vault contracts attempt to implement flash loan/arbitrage protection, but do so inconsistently across the vault contracts. The team has been unable to provide a good reason why this difference in protection is present, though they claim it exists so that some vaults, but not others, can interact with each other in the future.
  • The project team can whitelist any address to bypass the flash loan protections of the vaults.
  • The project team can update the strategy at any time, potentially to a malicious strategy that could steal users' funds.
  • There are 3 variants of the Vault contracts:
    • USDT, USDC, DAI, SUSHI_DAI_ETH, SUSHI_WBTC_ETH, SUSHI_USDC_ETH, SUSHI_USDT_ETH, SUSHI_YFI_ETH
    • CURVE_3POOL, CURVE_YPOOL, CURVE_COMPPOOL, CURVE_SBTCPOOL
    • dCrvRenWBTC
  • The difference between the first two sets is one line, meant to protect the contracts from flash loan attacks (or allow them from whitelisted addresses). The first set of vaults drops all flash loan protections for whitelisted addresses when withdrawing, while the second set always enforces its tx.origin-based protection.
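As an added illustration (not the project's code), the two guard variants described above side by side in a minimal ETH-denominated vault; the contract, modifier and function names are assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

// Illustrative reconstruction (not DeBa's source) of the two guard variants the report
// describes; the ETH-denominated vault and all names are assumed for brevity.
contract GuardedVaultExample {
    address public governance = msg.sender;
    mapping(address => bool) public whitelist;
    mapping(address => uint256) public shares;

    // Whoever holds `governance` (an EOA in DeBa's deployment) decides who bypasses the guard.
    function setWhitelist(address who, bool allowed) external {
        require(msg.sender == governance, "!governance");
        whitelist[who] = allowed;
    }

    // Variant A (first set of vaults): contracts are blocked unless whitelisted,
    // so the guard is only as strong as the custodian of the whitelist.
    modifier defenseWithWhitelist() {
        require(msg.sender == tx.origin || whitelist[msg.sender], "!contract");
        _;
    }

    // Variant B (CURVE_* vaults): no bypass, so a contract acting within a
    // flash loan's transaction can never reach the guarded withdraw.
    modifier defenseAlways() {
        require(msg.sender == tx.origin, "!contract");
        _;
    }

    function deposit() external payable {
        shares[msg.sender] += msg.value; // 1:1 shares for illustration; real vaults price shares
    }

    function withdrawVariantA(uint256 amount) external defenseWithWhitelist { _withdraw(amount); }
    function withdrawVariantB(uint256 amount) external defenseAlways { _withdraw(amount); }

    function _withdraw(uint256 amount) internal {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        msg.sender.transfer(amount);
    }
}
```

The tx.origin check blocks any caller that is a contract; Variant A's whitelist reintroduces exactly the path the check was meant to close, which is why the report rates the protection as a Warning rather than a PASS.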
Vault | Address | Description + Notes
DAI | 0x49E0d63F1b5D42508508029Ce05d786a28F65bEA | Deposit receipt for DeBa DAI vault.
USDT | 0x9A24a229FcA050Cd7C08563d1f64E03A57dd8A25 | Deposit receipt for DeBa USDT vault.
USDC | 0xEd07C05A810F2d4ac9a709379827A4D6BD246a72 | Deposit receipt for DeBa USDC vault.
dCrvRenWBTC | 0x592B99A8014777021A146924307fe1D0Ea082771 | Deposit receipt for DeBa dCrvRenWBTC vault.
SUSHI_WBTC_ETH | 0x103A414713b430c7a2d1324B9f5A3f01A4B40768 | Deposit receipt for DeBa SUSHI_WBTC_ETH vault.
SUSHI_DAI_ETH | 0x9aDbeaBcFf736206007d2426E0A20D92154d35f0 | Deposit receipt for DeBa SUSHI_DAI_ETH vault.
SUSHI_USDC_ETH | 0xf0A9Bed53091C3dB7Bcae2f87b9abC0533334C04 | Deposit receipt for DeBa SUSHI_USDC_ETH vault.
SUSHI_USDT_ETH | 0xfE3d3911e87B75c4802A5e1589f1fCD386363d1E | Deposit receipt for DeBa SUSHI_USDT_ETH vault.
SUSHI_YFI_ETH | 0xFFfC7C6d0bDBABC51ba6b1d9C59ba9dd599571E5 | Deposit receipt for DeBa SUSHI_YFI_ETH vault.
CURVE_3POOL | 0xFC786f9804a386836555cFA79aB84f7f7cC46246 | Deposit receipt for DeBa CURVE_3POOL vault.
CURVE_YPOOL | 0xe8680563E246b4fB8BFbdbb7517B140A68513aC5 | Deposit receipt for DeBa CURVE_YPOOL vault.
CURVE_COMPPOOL | 0x8933dC714dD1AAb0b16Bc5448881a30ed0FD83d8 | Deposit receipt for DeBa CURVE_COMPPOOL vault.
CURVE_SBTCPOOL | 0x67476715B60aa9b1b617D340B989fb95d1a5dd1F | Deposit receipt for DeBa CURVE_SBTCPOOL vault.


Strategy Contracts

Notes on the Strategy Contracts:
  • The project team can update the vault and governance addresses for each strategy at any time.
  • The governance is currently an EOA wallet; therefore the project team can gain full control of users' funds via vault and strategy updates.
Strategy | Address | Description + Notes
DAI | 0xdF94fdE58eea90fe7DA5C68a096B0B8c32D0B773 | Uses COMP to generate yields.
USDT | 0x6824beD878Cf2e4Fd6D834CCCd73B8319ac319e1 | Uses COMP to generate yields.
USDC | 0x270B682EC9B272b623F1e72B8EE2CF27cDC9C18e | Uses COMP to generate yields.
dCrvRenWBTC | 0x965F36cf5942426b6C57F1E0b61F6cB2A5556217 | Uses CURVE to generate yields.
SUSHI_WBTC_ETH | 0x2445F5dD31df8e7b0bfBFacFD7357e58a51D147d | Uses SUSHI to generate yields.
SUSHI_USDC_ETH | 0xa5786c32f998F472Faf6A12EC8c895DBf11bE241 | Uses SUSHI to generate yields.
SUSHI_USDT_ETH | 0xD38b3bbDE24931bA52D306fd3aD8939807F14De9 | Uses SUSHI to generate yields.
SUSHI_YFI_ETH | 0x6820b692071e9ae88297D1019dB845428310e8Ce | Uses SUSHI to generate yields.
CURVE_3POOL | 0x308bef3Dbc77bb7b87064374Fd41E7A85f9c7089 | Uses CURVE to generate yields.
CURVE_YPOOL | 0x740753499eD073197A7aB98FA7222553698f8810 | Uses CURVE to generate yields.
CURVE_COMPPOOL | 0x8542F7397A3CC88382A95341fB775945f29f00cb | Uses CURVE to generate yields.
CURVE_SBTCPOOL | 0x35Fd1Ed7B35E4d133BAf3F222643F27C571df8b0 | Uses CURVE to generate yields.


Reward Pool Contracts

Notes on the Reward Pool Contracts:
  • These contracts handle the distribution of rewards from the platform.
  • All of the reward pool contracts are generated from the same contract.
Reward Pool | Address | Description + Notes
DIVIDEND | 0xf9f9cb6851f72e090284e63f13C13EEa72DB90db | Reward Distribution for DIVIDEND Vault.
$DEBA LP | 0x861d5B087588eA3922298DF9eBD15358e88a1058 | Reward Distribution for providing liquidity in the WETH-DEBA Uniswap Pool.
DAI | 0xcdB3c086BD05A0175CD09F8ECC07933b667d8bf0 | Reward Distribution for DAI Vault.
USDT | 0x0949fEcbcd26679592Ce7E1A2Aa89019c6015f9f | Reward Distribution for USDT Vault.
USDC | 0xA217eEF7A1275556fB1595B85F31588b3aD2FD5E | Reward Distribution for USDC Vault.
dCrvRenWBTC | 0xc87cD4757d3685402f8F2cE40b7227f4c27b8E89 | Reward Distribution for dCrvRenWBTC Vault.
SUSHI_WBTC_ETH | 0x284d24c8dB4AC5269d35974Af93f901282f7Bc6F | Reward Distribution for SUSHI_WBTC_ETH Vault.
SUSHI_USDC_ETH | 0x0A079397C110fF5c37A48AA3e95406934Dd29f1c | Reward Distribution for SUSHI_USDC_ETH Vault.
SUSHI_USDT_ETH | 0x5E5FC9972a0db37982e9D64EEee2b60EA1A9C708 | Reward Distribution for SUSHI_USDT_ETH Vault.
SUSHI_YFI_ETH | 0x79588f832b66EBe622d6Fb87b18dfcAC7f7aE56c | Reward Distribution for SUSHI_YFI_ETH Vault.
CURVE_3POOL | 0x65AcF81Dac9D5BeE860065a86323B8776C88684d | Reward Distribution for DeBa CURVE_3POOL vault.
CURVE_YPOOL | 0xBf732DDad54719Ea3F708ceFb505d5fffeCB1D63 | Reward Distribution for DeBa CURVE_YPOOL vault.
CURVE_COMPPOOL | 0xA4873c2e0De379071f4F1DE771F1733d75c9eC87 | Reward Distribution for DeBa CURVE_COMPPOOL vault.
CURVE_SBTCPOOL | 0xC2492210614eF160C4f52AdF2C8c841d953d13A6 | Reward Distribution for DeBa CURVE_SBTCPOOL vault.


External Threats - Audit Results

Vulnerability Category | Notes | Result
Arbitrary Storage Write | N/A | PASS
Arbitrary Jump | N/A | PASS
Delegate Call to Untrusted Contract | N/A | PASS
Dependence on Predictable Variables | N/A | Warning
Deprecated Opcodes | N/A | PASS
Ether Thief | N/A | PASS
Exceptions | N/A | PASS
External Calls | N/A | PASS
Flash Loans | Protections are applied inconsistently and can be avoided via a whitelist. | Warning
Integer Over/Underflow | N/A | PASS
Multiple Sends | N/A | PASS
Oracles | N/A | PASS
Suicide | N/A | PASS
State Change External Calls | N/A | PASS
Unchecked Retval | N/A | PASS
User Supplied Assertion | N/A | PASS
Critical Solidity Compiler | N/A | PASS
Overall Contract Safety | | PASS