Decentralized Bank (DeBa) - Smart Contract Audit Report
Summary
Decentralized Bank (DeBa) provides high-return compound interest on assets and rewards. The platform enables users to earn compounding interest on their assets while also earning the platform's native token as a reward.
The DeBa suite of contracts includes a token, a rewards management protocol, and a series of separate pools for smarter yield farming.
Audit Findings Summary:
- Users can stake a series of assets or LP tokens to earn interest/fees as well as DeBa's native reward token.
- The 'Agent' address that controls the ecosystem is an EOA wallet, not a governance contract. This wallet has the ability to move users' funds deposited in vault/strategy contracts.
- The 'Agent' can update each vault's strategy and governance (controller) addresses at any time. The 'Agent' also has the ability to mint tokens and to lock/unlock users' ability to deposit/withdraw.
- Flash loan protections are applied inconsistently and can be circumvented via a whitelist on some vaults.
- Investing requires placing considerable trust in the project team. They have substantial power in the ecosystem.
- No security issues from outside attackers were identified.
- Date: December 16th, 2020
General Contracts
Name | Address | Description |
---|---|---|
Storage | | Governance storage for Reward Token. |
Reward Token | | DEBA Reward Token. |
UniSwap Reward Token Pair WETH | | Uniswap Pool for DEBA-ETH. |
Fee Forwarder | | Fee Forwarder which pays the DIVIDEND staking vault its share of profit. |
Agent | | Off-chain agent handling minting, distribution, harvesting profits and other infrastructure controls. |
Treasury | | Treasury for developer operations, R&D and marketing. Receives 10% of minted DEBA. |
Dividend Autostake | | The AUTOSTAKE contract for the DIVIDEND vault which compounds staked DEBA. |
Vault Contracts
Notes on the Vault Contracts: The vault contracts attempt to implement flash loan/arbitrage protection, but do so inconsistently across the vault contracts. The team has been unable to provide a good reason for this difference, though they claim it exists so that some vaults, but not others, can interact with each other in the future. The project team can whitelist any address to bypass the flash loan protection of those vaults. The project team can also update the strategy at any time, potentially to a malicious strategy that could steal users' funds.
The Vault contracts fall into two sets. The first set: USDT, USDC, DAI, SUSHI_DAI_ETH, SUSHI_WBTC_ETH, SUSHI_USDC_ETH, SUSHI_USDT_ETH, SUSHI_YFI_ETH, CURVE_3POOL, CURVE_YPOOL, CURVE_COMPPOOL, CURVE_SBTCPOOL.
- The difference between these two sets is one line, meant to protect the contracts from flash loan attacks (or to allow such calls from whitelisted addresses). The first set of vaults drops all flash loan protection for whitelisted addresses when withdrawing, while the second set always enforces its tx.origin check, whitelisted or not.
The second set: dCrvRenWBTC.
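To make the two protection variants and the governance powers described above concrete, the following sketch was written for this report; it is not DeBa's deployed code, and the contract, interface, modifier and function names (VaultSketch, IStrategy, defenseWithWhitelist, defenseStrict, setStrategy) are assumed. It shows the one-line difference between the two vault sets, the governance-controlled whitelist that bypasses the check in the first set, and an unrestricted setStrategy of the kind that gives the governance key control over deposits.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch written for this report. It is NOT DeBa's deployed code;
// every name below (VaultSketch, IStrategy, whitelist, defense*, setStrategy)
// is assumed for the purpose of the example.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

interface IStrategy {
    function balanceOf() external view returns (uint256);
    function withdraw(uint256) external;
    function withdrawAll() external;
}

contract VaultSketch {
    IERC20 public immutable want;
    address public governance;               // an EOA in the audited deployment
    address public strategy;
    mapping(address => bool) public whitelist;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _want) {
        want = _want;
        governance = msg.sender;
    }

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    // Variant A (first set of vaults): contract callers are rejected unless
    // governance has whitelisted them. Flash loans are borrowed and repaid
    // inside a contract's callback, so a whitelisted contract is the bypass.
    modifier defenseWithWhitelist() {
        require(msg.sender == tx.origin || whitelist[msg.sender], "no contracts");
        _;
    }

    // Variant B (dCrvRenWBTC set): the check is enforced for every caller,
    // which also locks out smart-contract wallets and other protocols.
    modifier defenseStrict() {
        require(msg.sender == tx.origin, "no contracts");
        _;
    }

    // The same key that holds governance decides who may bypass variant A.
    function setWhitelist(address who, bool allowed) external onlyGovernance {
        whitelist[who] = allowed;
    }

    function setGovernance(address _gov) external onlyGovernance {
        governance = _gov;
    }

    // No timelock: the holder of the governance key can repoint every deposit
    // at a new strategy in a single transaction.
    function setStrategy(address _strategy) external onlyGovernance {
        if (strategy != address(0)) IStrategy(strategy).withdrawAll();
        strategy = _strategy;
    }

    // Pushes idle tokens into whatever strategy is currently set.
    function earn() external onlyGovernance {
        require(strategy != address(0), "no strategy");
        require(want.transfer(strategy, want.balanceOf(address(this))), "transfer failed");
    }

    // Assets under management: idle tokens plus whatever the strategy reports.
    function balance() public view returns (uint256) {
        uint256 inStrategy = strategy == address(0) ? 0 : IStrategy(strategy).balanceOf();
        return want.balanceOf(address(this)) + inStrategy;
    }

    function deposit(uint256 amount) external defenseWithWhitelist {
        uint256 pool = balance();
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 minted = (totalShares == 0 || pool == 0) ? amount : amount * totalShares / pool;
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    // This modifier is the one line that differs between the two vault sets:
    // the second set would use defenseStrict here instead.
    function withdraw(uint256 _shares) external defenseWithWhitelist {
        uint256 owed = balance() * _shares / totalShares;
        shares[msg.sender] -= _shares;        // reverts on underflow in 0.8
        totalShares -= _shares;
        uint256 idle = want.balanceOf(address(this));
        if (idle < owed) IStrategy(strategy).withdraw(owed - idle);
        require(want.transfer(msg.sender, owed), "transfer failed");
    }
}
```

Two points follow from the sketch. First, a tx.origin check only keeps contracts out; in variant A the whitelist is set by the same governance key, so the protection on those vaults is exactly as strong as that key. Second, setStrategy and setGovernance carry no delay or multi-party approval, which is why the report treats an EOA governance address as full control over deposited funds rather than as an administrative convenience.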
Vault | Address | Description + Notes |
---|---|---|
DAI | | Deposit receipt for DeBa DAI vault. |
USDT | | Deposit receipt for DeBa USDT vault. |
USDC | | Deposit receipt for DeBa USDC vault. |
dCrvRenWBTC | | Deposit receipt for DeBa dCrvRenWBTC vault. |
SUSHI_WBTC_ETH | | Deposit receipt for DeBa SUSHI_WBTC_ETH vault. |
SUSHI_DAI_ETH | | Deposit receipt for DeBa SUSHI_DAI_ETH vault. |
SUSHI_USDC_ETH | | Deposit receipt for DeBa SUSHI_USDC_ETH vault. |
SUSHI_USDT_ETH | | Deposit receipt for DeBa SUSHI_USDT_ETH vault. |
SUSHI_YFI_ETH | | Deposit receipt for DeBa SUSHI_YFI_ETH vault. |
CURVE_3POOL | | Deposit receipt for DeBa CURVE_3POOL vault. |
CURVE_YPOOL | | Deposit receipt for DeBa CURVE_YPOOL vault. |
CURVE_COMPPOOL | | Deposit receipt for DeBa CURVE_COMPPOOL vault. |
CURVE_SBTCPOOL | | Deposit receipt for DeBa CURVE_SBTCPOOL vault. |
Strategy Contracts
Notes on the Strategy Contracts: The project team can update the vault and governance addresses of each strategy at any time. Governance is currently an EOA wallet; therefore the project team can gain full control of users' funds through vault and strategy updates.
Strategies | Address | Description + Notes |
---|---|---|
DAI | | Uses COMP to generate yields. |
USDT | | Uses COMP to generate yields. |
USDC | | Uses COMP to generate yields. |
dCrvRenWBTC | | Uses CURVE to generate yields. |
SUSHI_WBTC_ETH | | Uses SUSHI to generate yields. |
SUSHI_USDC_ETH | | Uses SUSHI to generate yields. |
SUSHI_USDT_ETH | | Uses SUSHI to generate yields. |
SUSHI_YFI_ETH | | Uses SUSHI to generate yields. |
CURVE_3POOL | | Uses CURVE to generate yields. |
CURVE_YPOOL | | Uses CURVE to generate yields. |
CURVE_COMPPOOL | | Uses CURVE to generate yields. |
CURVE_SBTCPOOL | | Uses CURVE to generate yields. |
Reward Pool Contracts
Notes on the Reward Pool Contracts: These contracts handle the distribution of rewards from the platform. All of the reward pool contracts are instances of the same contract:
Reward Pools | Address | Description + Notes |
---|---|---|
DIVIDEND | | Reward Distribution for DIVIDEND Vault. |
$DEBA LP | | Reward Distribution for providing liquidity in the WETH-DEBA Uniswap Pool. |
DAI | | Reward Distribution for DAI Vault. |
USDT | | Reward Distribution for USDT Vault. |
USDC | | Reward Distribution for USDC Vault. |
dCrvRenWBTC | | Reward Distribution for dCrvRenWBTC Vault. |
SUSHI_WBTC_ETH | | Reward Distribution for SUSHI_WBTC_ETH Vault. |
SUSHI_USDC_ETH | | Reward Distribution for SUSHI_USDC_ETH Vault. |
SUSHI_USDT_ETH | | Reward Distribution for SUSHI_USDT_ETH Vault. |
SUSHI_YFI_ETH | | Reward Distribution for SUSHI_YFI_ETH Vault. |
CURVE_3POOL | | Reward Distribution for DeBa CURVE_3POOL vault. |
CURVE_YPOOL | | Reward Distribution for DeBa CURVE_YPOOL vault. |
CURVE_COMPPOOL | | Reward Distribution for DeBa CURVE_COMPPOOL vault. |
CURVE_SBTCPOOL | | Reward Distribution for DeBa CURVE_SBTCPOOL vault. |
External Threats - Audit Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | Warning |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Flash Loans | Protections are applied inconsistently and can be avoided via a whitelist. | Warning |
Integer Over/Underflow | N/A | PASS |
Multiple Sends | N/A | PASS |
Oracles | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | PASS |