Secured Finance

Off-Chain (Public)
Audited on 2023/12/14
No active critical issues

Summary

Quantstamp performed a security audit of the smart contracts implementing the Secured Finance lending protocol based on the code present in the listed repositories. Secured Finance operates as a decentralized finance (DeFi) platform, addressing liquidity challenges within the industry. The platform's protocol facilitates peer-to-peer lending and derivatives trading, emphasizing fixed-income investments and hedging. This solution aims to offer a more efficient and cost-effective alternative to conventional financial institutions. The protocol integrates lending markets, drawing inspiration from bond markets. Users can place lending and borrowing orders, mirroring the process of buying or selling zero-coupon bonds with varying maturity periods. Notably, these orders are maintained within an on-chain order book, eliminating the necessity for additional systems or privileged roles for order matching.

All issues and recommendations are discussed in the *Findings* section of this document. After that, recommendations about documentation and best practices are discussed. We strongly recommend addressing all the issues before deployment. High- and medium-severity issues were found, mainly related to missing validations and their potential misuse by privileged addresses, which can lead to blocked tokens or massive liquidations. The allowed operations of privileged roles controlled by the Secured Finance team are discussed in "Privileged Roles And Ownership", and the team's ability to upgrade any contract at any time is discussed in "Upgradability".

The documentation quality is good. Public and internal documentation was provided by the Secured Finance team. However, it is recommended to add detailed and updated public documentation focusing on critical parts of the protocol, as some pages are outdated and not detailed enough. Examples of topics that could be covered are lazy evaluation, haircuts, privileged accounts, and a list of addresses of the deployed smart contracts. Refer to the "Adherence to Specification" section for more details.

Regarding testing, all tests passed, and the project implements code coverage metrics, which show `76%` branch coverage. We highly recommend improving the branch coverage to a minimum of `95%` and adding new tests to cover the proposed fixes.

**Fix review:** The Secured Finance team has either fixed, mitigated, or acknowledged all issues found within the report, and provided a new commit containing fixes for the issues found. For the mitigated or acknowledged issues, we recommend considering completely fixing them and taking them into account when configuring or making changes to the protocol configuration, to avoid unintended behavior or liquidations. The auditing team found that the test suite was improved during the fix review phase, and the project now shows `87%` branch coverage. We recommend that the branch coverage be raised to at least `95%` and ideally as close to `100%` as possible.


Issues (45)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 18 | 4 | - | - | 22 |
| Fixed | 13 | 6 | 4 | - | 23 |
| Total | 31 | 10 | 4 | 0 | 45 |


Contracts (70)