
microfinance-dapp-evm's Introduction

Acumen Stabledapp

Acumen Stabledapp connects DeFi and TradFi in a regulatory-compliant manner, transforming emerging capital markets. Acumen is growing the overall DeFi ecosystem by tokenizing Real World Assets (RWA), bringing the significant benefits of tokenization to TradFi. The Acumen protocol acts as a bridge connecting TradFi with DeFi, and opens up a new asset class with attractive, stable, uncorrelated yield to traditional DeFi participants.

Audited By Omniscia

https://omniscia.io/reports/acumen-staking-token-system/

Documentation

https://docs.acumen.network/general/introduction

Website

https://acumen.network

Support

For support, please join our Discord https://discord.com/invite/yAjWTM6xRj

microfinance-dapp-evm's People

Contributors

devacumen, devtode

Forkers

alagbe003

microfinance-dapp-evm's Issues

Inexistent Sanitization of Maximum Utilization

MSC-07M: Inexistent Sanitization of Maximum Utilization

Type: Input Sanitization
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L998

Description:

The maxUtilisation of depositLimiters is not being sanitized in the createPool function permitting a pool to be overloaded with loans that tap into the reserves of other pools in the system.

Impact:

An improperly configured pool would cause loans to tap into the reserves of other pools incorrectly, leading to an insufficiency of funds in the system.

Example:

function createPool(PoolInfo memory _poolInfo, PoolType _poolType)
    external
    onlyOwner
{
    if (_poolType != PoolType.Loan) {
        require(
            _poolInfo.depositLimiters.startTime <
                _poolInfo.depositLimiters.endTime,
            'end time should be after start time'
        );
    }

    // _poolInfo.depositLimiters.maxUtilisation is stored as supplied, with no range check

    _poolInfo.funds.balance = 0;
    _poolInfo.funds.loanedBalance = 0;
    _poolInfo.uniqueUsers = 0;

    poolInfoPrivate.push(_poolInfo);
}

Recommendation:

We advise the maxUtilisation to have an upper cap of 100 (or whatever the 100% value is set to based on our other findings) to ensure that the utilization rate of a pool cannot exceed its available collateral.

Inexistent Lending System Incentives

MSC-13M: Inexistent Lending System Incentives

Type: Logical Fault
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L800-L846, L848-L894

Description:

The borrowers of the protocol can acquire assets without providing any form of collateral. As a result, they have no incentive to repay their loan via the repay function as they would have to provide the original funds plus interest to acquire nothing in return.

Impact:

There is no positive economical loop in the system for loans causing borrowers to be incentivized to never repay their loans and keep user funds.

Example:

function borrow(uint256 _pid, uint256 _amount) public {
    require(isWhitelisted[_pid][msg.sender], 'Only whitelisted can borrow');

    PoolInfo storage pool = poolInfoPrivate[_pid];
    UserInfo[] storage loans = userInfo[_pid][msg.sender];

    require(pool.poolType == PoolType.Loan, 'no loans from here');

    require(!pool.paused, 'Pool Paused');

    require(pool.funds.balance > 0, 'Nothing deposited');

    uint256 projectedUtilisation = calculatePercentage(
        pool.funds.loanedBalance.add(_amount),
        pool.funds.balance
    );

    require(
        projectedUtilisation < pool.depositLimiters.maxUtilisation,
        'utilisation maxed out'
    );

    pool.tokenInfo.token.safeTransfer(msg.sender, _amount);

    loans.push(
        UserInfo({
            transactionType: TransactionType.Borrow,
            amount: _amount,
            time: block.timestamp,
            paidOut: 0
        })
    );

    totalUserAmountBorrowed[_pid][msg.sender] = totalUserAmountBorrowed[
        _pid
    ][msg.sender].add(_amount);

    pool.funds.loanedBalance = pool.funds.loanedBalance.add(_amount);

    if (!isAPoolUser[_pid][msg.sender]) {
        pool.uniqueUsers = pool.uniqueUsers.add(1);
    }

    isAPoolUser[_pid][msg.sender] = true;

    emit Borrowed(msg.sender, _pid, _amount);
}

Recommendation:

This poses a significant economical flaw in the protocol whereby borrowers would simply create positions they never intend to repay, causing user funds to be permanently lost. We advise this point of the system to be significantly revised to be considered viable.

I am a Senior Blockchain Developer.

Hello, I am Elias from the USA.
Having reviewed your company's website, I wanted to reach out to express my interest in potential collaboration opportunities. With over 6 years of experience as a Senior blockchain developer, I specialize in React, Next.js, and Web3.js technologies. Additionally, I have a strong background in Smart Contract development for Ethereum mainnet and Layer2 solutions using Solidity and Golang.
My expertise lies in the DeFi and Solidity space, where I have dedicated the past three years to honing my skills. I am well-versed in writing Solidity code and have hands-on experience with frameworks like Truffle and Hardhat. I have successfully developed, tested, and deployed smart contracts on the Ethereum blockchain, prioritizing security and functionality.
Should you have any upcoming projects or ideas, I would be grateful for the opportunity to contribute. My commitment is to work diligently until your satisfaction is achieved, striving to bring your vision to life.
I am eager to engage in further discussions at your convenience. Thank you for considering my candidacy.
Warm regards, Elias
This is My GitHub address: https://github.com/hcrypto7
This is my telegram Number: +1 229 785 3856

Test Value of Quarterly Pay-Outs

MSC-02M: Test Value of Quarterly Pay-Outs

Type: Code Style
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L506-L507, L972, L979

Description:

The quarterly pay-outs system does not currently function properly as it uses a placeholder value of 3 minutes that needs to be updated to 90 days as indicated by the referenced TODO comment.

Example:

uint256 quartersPassed = (timeDiff).div(3 minutes);

require(quartersPassed > 0, 'too early');

transferRewards(
    _pid,
    _index,
    quartersPassed.mul(3 minutes),
    transaction[_index].amount
);

Recommendation:

We advise the value to be swapped prior to a main-net deployment as otherwise the quarterly rewards would be improperly calculated.

Misleading Limitation Naming Convention

MSC-01M: Misleading Limitation Naming Convention

Type: Code Style
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L605

Description:

The limitation of deposits is specified as limitPerUser yet the limit is imposed as a limitPerTransaction.

Example:

require(
    _amount <= pool.depositLimiters.limitPerUser,
    'amount exceeds limit per transaction'
);

Recommendation:

We advise the actual desired limit to be imposed here and to be aptly named as such.

Unconditional Transfer of Funds

MSC-06M: Unconditional Transfer of Funds

Type: Language Specific
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L789

Description:

The referenced safeTransfer of claimableRewards may perform a transfer of zero funds which some tokens revert on.

Impact:

An external token contract may revert on zero-value transfers which would cause the transferRewards flow to fail executing properly if rewards were claimed recently.

Example:

uint256 claimableRewards;

if (reward > transaction[_index].paidOut) { 
    claimableRewards = reward.sub(transaction[_index].paidOut);
} else {
    claimableRewards = 0;
}

// claimableRewards can be 0 here; tokens that reject zero-value transfers revert
pool.tokenInfo.token.safeTransfer(msg.sender, claimableRewards);

Recommendation:

We advise the transfer to be performed conditionally as otherwise the reward system may fail to execute properly. The increment of paidOut can also be included in this conditional to further optimize the codebase.
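As an added example (not code from the Acumen repository or the Omniscia report), the Python below models the MSC-06M failure mode with a hypothetical token class that reverts on zero-value transfers, and places the unconditional transferRewards flow next to the conditional one the finding recommends. The token class, the UserInfo-like record and the reward amounts are constructed for illustration.

```python
# Added example: hypothetical model of MSC-06M, not the project's Solidity.


class ZeroValueRevertingToken:
    """Stand-in for a BEP-20 token whose transfer() reverts when amount == 0 (assumed behaviour)."""

    def __init__(self, contract_balance: int) -> None:
        self.balances = {"contract": contract_balance}

    def safe_transfer(self, to: str, amount: int) -> None:
        if amount == 0:
            raise RuntimeError("transfer reverted: zero-value transfer not allowed")
        if amount > self.balances["contract"]:
            raise RuntimeError("transfer reverted: insufficient balance")
        self.balances["contract"] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def claimable_rewards(reward: int, paid_out: int) -> int:
    """Mirrors the contract's max(reward - paidOut, 0) computation."""
    return reward - paid_out if reward > paid_out else 0


def transfer_rewards_unconditional(token, user: str, tx: dict, reward: int) -> int:
    # Shape of the code on the page: the transfer runs even when claimableRewards == 0.
    claimable = claimable_rewards(reward, tx["paid_out"])
    token.safe_transfer(user, claimable)
    tx["paid_out"] += claimable
    return claimable


def transfer_rewards_conditional(token, user: str, tx: dict, reward: int) -> int:
    # Recommended shape: transfer and paidOut bookkeeping only when something is owed.
    claimable = claimable_rewards(reward, tx["paid_out"])
    if claimable > 0:
        token.safe_transfer(user, claimable)
        tx["paid_out"] += claimable
    return claimable


def claim_twice(transfer_rewards) -> tuple:
    """Claim, then claim again before any further reward accrues (same reward value)."""
    token = ZeroValueRevertingToken(contract_balance=1_000)
    tx = {"amount": 500, "paid_out": 0}   # constructed UserInfo-like record
    first = transfer_rewards(token, "staker", tx, reward=40)
    try:
        second = transfer_rewards(token, "staker", tx, reward=40)
    except RuntimeError as err:
        return ("reverted", first, str(err), token.balances["staker"])
    return ("ok", first, second, token.balances["staker"])
```

With the unconditional flow, the second claim computes claimableRewards = 0 and the token reverts the whole call; with the conditional flow the second claim is a harmless no-op and the staker still holds the 40 tokens from the first claim.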


Complete Control of User Funds

MSC-09M: Complete Control of User Funds

Type: Centralization Concern
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L1081-L1084

Description:

The owner of the contract can withdraw all BEP-20 assets at will, a trait that is not necessary for the contract.

Impact:

The owner is able to withdraw all funds present in the system at will, inclusive of user funds.

Example:

function recoverBEP20(address _token, uint256 _amount) external onlyOwner {
    // any token and any amount, with no check against balances owed to users
    IBEP20(_token).safeTransfer(owner(), _amount);
    emit Recovered(_token, _amount);
}

Recommendation:

We advise the recoverBEP20 function to be omitted from the codebase as it poses a significant centralization risk to the protocol.

Incorrect Emergency Withdrawal Process

MSC-11M: Incorrect Emergency Withdrawal Process

Type: Logical Fault
Severity: (not shown)
Location: MicrofinanceStakingContract.sol:L645-L660

Description:

The emergency withdrawal process does not properly update the totalUserAmountStaked and pool.funds.balance variables thus leading to significantly incorrect accounting in the system.

Impact:

Currently, variables that affect the utilization rate would not be properly updated in an emergency withdrawal thus permitting the system to go underwater.

Example:

function emergencyWithdraw(
    uint256 _pid,
    uint256 _index,
    uint256 _amount
) public {
    PoolInfo storage pool = poolInfoPrivate[_pid];
    UserInfo[] storage transaction = userInfo[_pid][msg.sender];

    pool.tokenInfo.collateralToken.burn(msg.sender, _amount);
    pool.tokenInfo.token.safeTransfer(msg.sender, _amount);

    // pool.funds.balance and totalUserAmountStaked are not decremented here
    transaction[_index].amount = transaction[_index].amount.sub(_amount);
    transaction[_index].time = block.timestamp;

    emit EmergencyWithdraw(msg.sender, _pid, _amount);
}

Recommendation:

We advise those variables to be properly updated in the emergencyWithdraw process as otherwise the accounting system of the contract is broken.
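As an added example that is not code from the Acumen repository or the Omniscia report, the Python model below reproduces the pool accounting behind MSC-07M (unsanitized maxUtilisation) above and MSC-11M (stale accounting after emergencyWithdraw) here, each with a toggle for the recommended fix. It assumes that calculatePercentage() returns a whole-number percent (part * 100 / whole), that the pools in the scenario are backed by the same BEP-20 token held by one contract, and that safeTransfer reverts when the contract's balance is too low; the pool parameters, user names and amounts are constructed for illustration.

```python
# Added example: hypothetical Python model of the contract's pool accounting.
from dataclasses import dataclass

PERCENT = 100  # assumed "100%" value returned by calculatePercentage()


def calculate_percentage(part: int, whole: int) -> int:
    """Assumed semantics of the contract's calculatePercentage helper."""
    return part * PERCENT // whole


@dataclass
class Pool:
    max_utilisation: int      # depositLimiters.maxUtilisation
    balance: int = 0          # funds.balance (lender deposits)
    loaned_balance: int = 0   # funds.loanedBalance


class StakingModel:
    def __init__(self, cap_max_utilisation: bool, fix_emergency_withdraw: bool) -> None:
        self.cap_max_utilisation = cap_max_utilisation
        self.fix_emergency_withdraw = fix_emergency_withdraw
        self.token_balance = 0                 # one token balance backing ALL pools
        self.pools: list[Pool] = []
        self.stakes: dict[tuple[int, str], int] = {}   # (pid, user) -> collateral tokens

    def _transfer_out(self, amount: int) -> None:
        if amount > self.token_balance:
            raise ValueError("safeTransfer reverts: contract balance too low")
        self.token_balance -= amount

    def create_pool(self, max_utilisation: int) -> int:
        if self.cap_max_utilisation and max_utilisation > PERCENT:
            raise ValueError("maxUtilisation above 100%")      # MSC-07M fix
        self.pools.append(Pool(max_utilisation))
        return len(self.pools) - 1

    def deposit(self, pid: int, user: str, amount: int) -> None:
        self.token_balance += amount
        self.pools[pid].balance += amount
        self.stakes[(pid, user)] = self.stakes.get((pid, user), 0) + amount

    def borrow(self, pid: int, amount: int) -> None:
        pool = self.pools[pid]
        if pool.balance <= 0:
            raise ValueError("Nothing deposited")
        projected = calculate_percentage(pool.loaned_balance + amount, pool.balance)
        if projected >= pool.max_utilisation:   # mirrors require(projected < maxUtilisation)
            raise ValueError("utilisation maxed out")
        self._transfer_out(amount)
        pool.loaned_balance += amount

    def emergency_withdraw(self, pid: int, user: str, amount: int) -> None:
        key = (pid, user)
        if amount > self.stakes.get(key, 0):
            raise ValueError("collateralToken.burn reverts: insufficient balance")
        self.stakes[key] -= amount
        self._transfer_out(amount)
        if self.fix_emergency_withdraw:
            self.pools[pid].balance -= amount   # MSC-11M fix: keep funds.balance in step

    def utilisation(self, pid: int) -> int:
        pool = self.pools[pid]
        return calculate_percentage(pool.loaned_balance, pool.balance)


def cross_pool_drain(cap_max_utilisation: bool) -> dict:
    """MSC-07M: pool A created with maxUtilisation = 300% borrows against pool B's deposits."""
    m = StakingModel(cap_max_utilisation, fix_emergency_withdraw=True)
    try:
        a = m.create_pool(max_utilisation=300)
    except ValueError as err:
        return {"rejected_at": "createPool", "reason": str(err)}
    b = m.create_pool(max_utilisation=80)
    m.deposit(a, "lender_a", 1000)
    m.deposit(b, "lender_b", 5000)
    m.borrow(a, 2500)   # 250% of pool A's own deposits passes the '< 300' check
    return {"pool_a_utilisation": m.utilisation(a),
            "contract_balance": m.token_balance,
            "pool_b_balance": m.pools[b].balance}


def stale_emergency_accounting(fix_emergency_withdraw: bool) -> dict:
    """MSC-11M: emergencyWithdraw leaves funds.balance untouched, so utilisation is under-reported."""
    m = StakingModel(cap_max_utilisation=True, fix_emergency_withdraw=fix_emergency_withdraw)
    p = m.create_pool(max_utilisation=80)
    m.deposit(p, "lender_1", 600)
    m.deposit(p, "lender_2", 400)
    m.borrow(p, 500)                           # 50% of the 1000 deposited
    m.emergency_withdraw(p, "lender_1", 400)   # 600 of deposits remain, 500 of it on loan
    reported = m.utilisation(p)
    try:
        m.borrow(p, 100)
        extra_borrow = "accepted"
    except ValueError:
        extra_borrow = "rejected"
    return {"reported_utilisation": reported, "extra_borrow": extra_borrow,
            "contract_balance": m.token_balance,
            "outstanding_stakes": sum(m.stakes.values())}
```

cross_pool_drain(False) leaves pool A at 250% utilisation with 3,500 tokens in the contract against 5,000 tokens of pool B deposits, so pool B's lenders can no longer all be paid out; with the cap, createPool rejects the 300% value. stale_emergency_accounting(False) reports 50% utilisation after the withdrawal and accepts a further borrow that empties the contract while 600 tokens of stakes are still outstanding; the fixed version reports 83% and rejects that borrow.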
