Decentralized Bank (DeBa) - Smart Contract Audit Report
Decentralized Bank (DeBa) provides high-return compound interest on assets and rewards. The platform enables users to earn compounding interest on their assets while also earning the platform's native token as a reward.
The DeBa suite of contracts includes a token, a rewards management protocol, and a series of separate pools for smarter yield farming.
Audit Findings Summary:
- Users can stake a series of assets or LP tokens to earn interest/fees as well as DeBa's native reward token.
- The 'Agent' address that controls the ecosystem is an EOA wallet, not a governance contract. This wallet has the ability to move users' funds deposited in vault/strategy contracts.
- The 'Agent' can update each vault's strategy and governance (controller) addresses at any time. The 'Agent' also has the ability to mint tokens and to lock/unlock users' ability to deposit/withdraw.
- Flash loan protections are applied inconsistently and can be circumvented via a whitelist on some vaults.
- Investing requires placing considerable trust in the project team. They have substantial power in the ecosystem.
- No security issues from outside attackers were identified.
- Date: December 16th, 2020
- Governance storage for Reward Token.
- Uniswap Reward Token / WETH pair.
- Uniswap pool for DEBA-ETH.
- Off-chain agent handling minting, distribution, harvesting profits and other infrastructure controls.
- Treasury for developer operations, R&D and marketing. Receives 10% of minted DEBA.
Notes on the Vault Contracts:
The vault contracts attempt to implement flash loan/arbitrage protection, but do so inconsistently across the vault contracts. The team has been unable to provide a good reason for this difference in protection, though they claim it exists so that some vaults, but not others, can interact with each other in the future. The project team can whitelist any address to bypass the flash loan protections of the vaults. The project team can also update a vault's strategy at any time, potentially to a malicious strategy that could steal users' funds.
There are 3 variants of the Vault contracts:
USDT, USDC, DAI, SUSHI_DAI_ETH, SUSHI_WBTC_ETH, SUSHI_USDC_ETH, SUSHI_USDT_ETH, SUSHI_YFI_ETH CURVE_3POOL, CURVE_YPOOL, CURVE_COMPPOOL, CURVE_SBTCPOOL
- Function Graph.
- Inheritance Chart.
- The difference between these two sets is a single line intended to protect the contracts from flash loan attacks (or to allow such calls from whitelisted addresses). The first set of vaults drops the flash loan protection for whitelisted addresses when withdrawing, while the second set always enforces its tx.origin-based check, whitelisted or not.
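The two variants of that check, side by side, as an added illustration (this is not DeBa's code; the contract and function names WhitelistBypassVault, StrictVault, ContractCaller and _checkCaller are assumed, and the gate is applied to both deposit and withdraw for brevity, whereas the report locates the one-line difference in the withdraw path):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not DeBa's code. Contract and function names are assumed.
// Shows the one-line difference the report describes between the two vault sets.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract VaultBase {
    IERC20 public immutable token;
    address public governance;                   // on DeBa: the 'Agent' EOA
    mapping(address => uint256) public shares;   // simplified 1:1 receipt accounting
    mapping(address => bool) public whitelist;   // set by governance, takes effect immediately

    constructor(IERC20 _token) {
        token = _token;
        governance = msg.sender;
    }

    function setWhitelist(address who, bool allowed) external {
        require(msg.sender == governance, "!governance");
        whitelist[who] = allowed;
    }

    // The "no contracts" gate; each variant implements it differently.
    function _checkCaller() internal view virtual;

    function deposit(uint256 amount) external {
        _checkCaller();
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        shares[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        _checkCaller();
        shares[msg.sender] -= amount;            // 0.8 checked arithmetic: reverts on underflow
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// First set: the gate is skipped for whitelisted addresses. A whitelisted
// contract can therefore deposit and withdraw inside a single transaction,
// i.e. with flash-loaned capital, which is exactly what the gate exists to stop.
contract WhitelistBypassVault is VaultBase {
    constructor(IERC20 _token) VaultBase(_token) {}

    function _checkCaller() internal view override {
        require(msg.sender == tx.origin || whitelist[msg.sender], "no contracts");
    }
}

// Second set: the gate is unconditional. Only an externally owned account
// calling the vault directly passes; no contract (flash loan receiver,
// router, smart-contract wallet) can interact at all, whitelisted or not.
contract StrictVault is VaultBase {
    constructor(IERC20 _token) VaultBase(_token) {}

    function _checkCaller() internal view override {
        require(msg.sender == tx.origin, "no contracts");
    }
}

// Any contract caller takes this path: msg.sender is this contract, tx.origin
// is the EOA that started the transaction. Against StrictVault both calls
// revert; against WhitelistBypassVault they succeed iff this contract's
// address is whitelisted. Assumes this contract already holds `amount` tokens.
contract ContractCaller {
    function roundTrip(VaultBase vault, IERC20 token, uint256 amount) external {
        require(token.approve(address(vault), amount), "approve failed");
        vault.deposit(amount);
        vault.withdraw(amount);
    }
}
```

Two practical caveats follow from the code. The tx.origin gate is effective against atomic flash-loan round trips only because a flash loan must be taken and repaid from a contract; it also shuts out every legitimate contract integrator, which is presumably why the whitelist exists. And the whitelist is written by `governance`, which on DeBa is the 'Agent' EOA, so the strength of the first set's protection is exactly the strength of that one key.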
Description + Notes
Deposit receipt for DeBa DAI vault.
Deposit receipt for DeBa USDT vault.
Deposit receipt for DeBa USDC vault.
Deposit receipt for DeBa dCrvRenWBTC vault.
Deposit receipt for DeBa SUSHI_WBTC_ETH vault.
Deposit receipt for DeBa SUSHI_DAI_ETH vault.
Deposit receipt for DeBa SUSHI_USDC_ETH vault.
Deposit receipt for DeBa SUSHI_USDT_ETH vault.
Deposit receipt for DeBa SUSHI_YFI_ETH vault.
Deposit receipt for DeBa CURVE_3POOL vault.
Deposit receipt for DeBa CURVE_YPOOL vault.
Deposit receipt for DeBa CURVE_COMPPOOL vault.
Deposit receipt for DeBa CURVE_SBTCPOOL vault.
Notes on the Strategy Contracts:
The project team can update the vault and governance addresses for each strategy at any time. Governance is currently an EOA wallet, so the project team can take full control of users' funds via vault and strategy updates.
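A minimal vault/strategy wiring that makes the trust assumption concrete, added here as an illustration (not DeBa's code; the names Vault, Strategy, setStrategy, setVault, earn, withdrawAll and governanceIsEOA are assumed). It also includes the one on-chain check a depositor can make for this finding: whether the governance slot holds a bare key or a contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not DeBa's code. Names are assumed. Shows why an EOA in
// the governance slot, combined with immediate single-step setters, gives that
// one key full control of deposited funds.

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract Vault {
    IERC20 public immutable token;
    address public governance;   // per the report: the 'Agent' EOA, not a contract
    address public strategy;     // where earn() sends idle deposits

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor(IERC20 _token) {
        token = _token;
        governance = msg.sender;
    }

    // Takes effect immediately. Nothing constrains the new address: it need not
    // be a known strategy, or a contract at all.
    function setStrategy(address s) external onlyGovernance { strategy = s; }
    function setGovernance(address g) external onlyGovernance { governance = g; }

    // Pushes the vault's idle balance to whatever `strategy` currently is.
    function earn() external {
        uint256 idle = token.balanceOf(address(this));
        require(token.transfer(strategy, idle), "transfer failed");
    }

    // The check a depositor can run before trusting the vault: true means the
    // privileged role is a bare key. (address.code is available from 0.8.0; the
    // result is also true for a contract still in its constructor, so read it
    // on a settled deployment.)
    function governanceIsEOA() external view returns (bool) {
        return governance.code.length == 0;
    }
}

contract Strategy {
    IERC20 public immutable want;
    address public governance;
    address public vault;        // withdrawAll() sends everything here

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor(IERC20 _want, address _vault) {
        want = _want;
        governance = msg.sender;
        vault = _vault;
    }

    // Same pattern as the vault: single-step, no timelock, no two-step accept.
    // Whoever holds governance can repoint `vault` to any address and then call
    // withdrawAll(); that is the path the report means by "full control of
    // users' funds via vault and strategy updates".
    function setVault(address v) external onlyGovernance { vault = v; }
    function setGovernance(address g) external onlyGovernance { governance = g; }

    function withdrawAll() external onlyGovernance returns (uint256 amount) {
        amount = want.balanceOf(address(this));
        require(want.transfer(vault, amount), "transfer failed");
    }
}
```

Read together with the vault notes above: `Vault.setStrategy`, `Strategy.setVault` and `Strategy.withdrawAll` are each a single governance-only call with immediate effect, and the report's finding is that the address behind `onlyGovernance` is an EOA. Whether that is acceptable is a trust decision about the team, not something the contracts enforce.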
Description + Notes
Reward Pool Contracts
Notes on the Reward Pool Contracts:
These contracts handle the distribution of rewards from the platform. All of the reward contracts are deployed from the same contract:
Description + Notes
Reward Distribution for DIVIDEND Vault.
Reward Distribution for providing liquidity in the WETH-DEBA Uniswap Pool.
Reward Distribution for DAI Vault.
Reward Distribution for USDT Vault.
Reward Distribution for USDC Vault.
Reward Distribution for dCrvRenWBTC Vault.
Reward Distribution for SUSHI_WBTC_ETH Vault.
Reward Distribution for SUSHI_USDC_ETH Vault.
Reward Distribution for SUSHI_USDT_ETH Vault.
Reward Distribution for SUSHI_YFI_ETH Vault.
Reward Distribution for DeBa CURVE_3POOL vault.
Reward Distribution for DeBa CURVE_YPOOL vault.
Reward Distribution for DeBa CURVE_COMPPOOL vault.
Reward Distribution for DeBa CURVE_SBTCPOOL vault.
External Threats - Audit Results
| Check | Notes | Result |
| --- | --- | --- |
| Arbitrary Storage Write | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | Warning |
| Flash Loans | Protections are applied inconsistently and can be avoided via a whitelist. | Warning |
| State Change External Calls | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | | PASS |