Need an audit of this smart contract to help identify attack vectors and other non-intended outcomes.
The contract is a contract wallet that interacts with Compound's money market contracts (compound.finance), which have an ERC20 interface and are referred to as CTokens throughout the contract. CTokens accept a supply of an ERC20 (e.g., 1 DAI) and return roughly 50x more of another ERC20 (e.g., 49 cDAI) to the sender in return. The only CToken functions the contract calls are:
- mint: how to supply to the CToken contract
- redeem: how to withdraw from the CToken contract
- exchangeRateStored: pulls the current exchange rate for converting tokens to cTokens
Both mint and redeem return a non-zero integer if invalid inputs are provided. More information on the mint and redeem functions can be found here: https://compound.finance/developers#ctokens
- users transfer ERC20 tokens to their contract wallet (this contract)
- users or admin call the supply function to transfer the ERC20 to Compound's CToken contract and the user's contract wallet receives a cERC20 in return
- users or admin call the withdraw function to:
  - transfer cERC20 to the CToken contract and receive the requested amount of ERC20s in return
  - calculate how much the user has earned from having supplied to Compound's money market
  - transfer 9.5% of ERC20s earned to an admin account as a fee (covers gas costs, etc.) then transfer the remaining ERC20s back to the user's address
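The supply/withdraw flow above, written out as an added illustration by the editor. This is not the LenderContractWallet under audit (its source is not on this page); it only shows the shape an auditor would expect and the checks they would look for. `userAddress` and `feeHoldingAddress` are names from the bounty text; `admin`, `FEE_BPS`, `principalOf`, the "earnings are paid out first" accounting and the choice of Solidity 0.8 are assumptions. The `exchangeRateStored` scaling (underlying = cTokens * rate / 1e18) and the "0 means success" convention for `mint`/`redeem` follow Compound's documented CToken behaviour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface the wallet needs (the underlying token, e.g. DAI).
interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Subset of Compound's CToken interface the bounty says the wallet uses.
// mint/redeem return 0 on success and a non-zero error code otherwise.
interface ICToken {
    function mint(uint256 mintAmount) external returns (uint256);
    function redeem(uint256 redeemTokens) external returns (uint256);
    function exchangeRateStored() external view returns (uint256); // scaled by 1e18
    function balanceOf(address owner) external view returns (uint256);
}

// Editor's illustrative wallet, not the audited LenderContractWallet.
contract ExampleLenderWallet {
    address public immutable userAddress;       // owner of the funds (name from the bounty)
    address public immutable admin;             // operator allowed to supply/withdraw (assumed)
    address public immutable feeHoldingAddress; // receives the 9.5% fee (name from the bounty)
    uint256 public constant FEE_BPS = 950;      // 9.5% of earnings, in basis points (assumed name)

    // Underlying principal supplied per token; needed to tell earnings from principal (assumed design).
    mapping(address => uint256) public principalOf;

    constructor(address user, address admin_, address feeHolder) {
        userAddress = user;
        admin = admin_;
        feeHoldingAddress = feeHolder;
    }

    modifier onlyUserOrAdmin() {
        require(msg.sender == userAddress || msg.sender == admin, "not authorised");
        _;
    }

    // Supply `amount` of `token` to its CToken; the wallet receives cTokens in return.
    function supply(address token, address cToken, uint256 amount) external onlyUserOrAdmin {
        require(IERC20(token).approve(cToken, amount), "approve failed");
        // The check an auditor looks for: an ignored non-zero return code would leave
        // the approval dangling and the principal ledger out of sync with Compound.
        require(ICToken(cToken).mint(amount) == 0, "mint failed");
        principalOf[token] += amount;
    }

    // Withdraw `amount` underlying: redeem cTokens, then split earnings 9.5% / 90.5%.
    function withdraw(address token, address cToken, uint256 amount) external onlyUserOrAdmin {
        uint256 rate = ICToken(cToken).exchangeRateStored();
        uint256 cBalance = ICToken(cToken).balanceOf(address(this));

        // Underlying value currently held = cTokens * rate / 1e18; anything above principal is earnings.
        uint256 value = cBalance * rate / 1e18;
        uint256 earned = value > principalOf[token] ? value - principalOf[token] : 0;
        require(amount <= value, "insufficient balance");

        // cTokens needed for `amount` underlying, rounded up so the user is not short-changed.
        uint256 cToRedeem = (amount * 1e18 + rate - 1) / rate;
        if (cToRedeem > cBalance) cToRedeem = cBalance;

        // Measure what actually arrived rather than trusting the requested amount.
        uint256 before = IERC20(token).balanceOf(address(this));
        require(ICToken(cToken).redeem(cToRedeem) == 0, "redeem failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;

        // Earnings are paid out first; the remainder of the withdrawal draws down principal.
        uint256 earnedPortion = received < earned ? received : earned;
        uint256 principalDrawn = received - earnedPortion;
        principalOf[token] = principalOf[token] > principalDrawn ? principalOf[token] - principalDrawn : 0;

        // Fee is 9.5% of the earnings being withdrawn, never of the principal.
        uint256 fee = earnedPortion * FEE_BPS / 10000;
        if (fee > 0) {
            require(IERC20(token).transfer(feeHoldingAddress, fee), "fee transfer failed");
        }
        require(IERC20(token).transfer(userAddress, received - fee), "user transfer failed");
    }
}
```

Three things in this sketch map directly onto the bounty's scope items: the `== 0` checks on `mint`/`redeem` (the non-zero error codes the text mentions are silently ignored if the return value is dropped), the fee being computed on `earnedPortion` rather than on the whole withdrawal (the "incorrect amount of tokens" item), and the destination addresses being fixed at construction so neither a user nor an admin can redirect funds through a call parameter (the "malicious actions by an admin" item). One caveat for a real implementation: some ERC20s do not return a bool from `transfer`/`approve`, so a production wallet would use a SafeERC20-style wrapper instead of the bare `require` shown here.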
Interested in auditing the logic and functionality of LenderContractWallet, rather than the CToken contract.
Out-of-scope: All else
- Numerous meaningful deviations from Solidity best practices (15 DAI)
- Sending the incorrect amount of tokens to either the userAddress or feeHoldingAddress (25 DAI)
- Malicious (e.g., theft) actions that can be taken by an admin account (75+ DAI)
- Malicious actions that can be taken by a non-admin or user account (75+ DAI)
Any other non-trivial issues, critical or otherwise, will be compensated in some form as well.