Lender Contract Audit

[tarikbellamine]

Task

Need an audit of this smart contract to help identify attack vectors and other non-intended outcomes.

Description

The contract is a contract wallet that interact's with Compound's money market contracts (compound.finance), which have an ERC20 interface and are referred to as CTokens throughout the contract. CTokens accept a supply of an ERC20 (e.g., 1 DAI) and returns roughly 50x more of another ERC20 (e.g., 49 cDAI) to the sender in return. The only function calls to CTokens are of:

• mint: how to supply to the CToken contract
• redeem: how to withdraw from the CToken contract
• exchangeRateStored: pulls the current exchange rate for converting tokens to cTokens

Both mint and redeem return a non-zero integer if invalid inputs are provided. More information on the mint and redeem functions can be found here: https://compound.finance/developers#ctokens

Intended Functionality

• users transfer ERC20 tokens to their contract wallet (this contract)
• users or admin call the supply function to transfer the ERC20 to Compound's CToken contract and the user's contract wallet receives a cERC20 in return
• users or admin call the withdraw function to:
  • transfer cERC20 to the CToken contract and receive the requested amount of ERC20s in return
  • calculate how much the user has earned from having supplied to Compound's money market
  • transfer 9.5% of ERC20s earned to an admin account as a fee (covers gas costs, etc) then transfer the remaining ERC20s back to the user's address

Scope

Interested in auditing the logic and functionality of LenderContractWallet, rather than the CToken contract.

In-scope: LenderContractWallet.sol Out-of-scope: All else

Bounty

• Numerous meaningful deviations from Solidity best practices (15 DAI)
• Sending the incorrect amount of tokens to either the userAddress or feeHoldingAddress (25 DAI)
• Malicious (e.g., theft) actions that can be taken by an admin account (75+ DAI)
• Malicious actions that can be taken by a non-admin or user account (75+ DAI)

Any other non-trivial issues, critical or otherwise, will be compensated in some form as well.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 200.0 DAI (200.0 USD @ $1.0/DAI) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
  • Want to chip in? Add your own contribution here.
  • Questions? Checkout Gitcoin Help or the Gitcoin Slack
  • $86,239.37 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 200.0 DAI (200.0 USD @ $1.0/DAI) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
  • Want to chip in? Add your own contribution here.
  • Questions? Checkout Gitcoin Help or the Gitcoin Slack
  • $86,239.37 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Workers have applied to start work.

These users each claimed they can complete the work by 6 days, 1 hour from now. Please review their action plans below:

1) pauliax has applied to start work _(Funders only: approve worker | reject worker)_.

I am interested in reviewing LenderContractWallet for the issues related to security, gas optimisation and best practices.

Learn more on the Gitcoin Issue Details page.

[gitcoinbot]

Issue Status: 1. Open 2. Cancelled

---

Work has been started.

These users each claimed they can complete the work by 1 week, 2 days ago. Please review their action plans below:

1) pauliax has been approved to start work.

I am interested in reviewing LenderContractWallet for the issues related to security, gas optimisation and best practices.

Learn more on the Gitcoin Issue Details page.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work for 200.0 DAI (200.0 USD @ $1.0/DAI) has been submitted by:

1. @pauliax

@tarikbellamine please take a look at the submitted work:

• PR by @pauliax

---

• Learn more on the Gitcoin Issue Details page
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $86,126.47 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Cancelled

---

The funding of 200.0 DAI (200.0 USD @ $1.0/DAI) attached to this issue has been cancelled by the bounty submitter

• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $129,659.66 more funded OSS Work available on the Gitcoin Issue Explorer