Idle Finance

Off-Chain (Private)
Audited on 2021/04/27
No active critical issues

Summary

The Idle contracts are generally well documented and well designed. Our main concerns below relate to centralized components of the system, and to ensuring that users are aware of the roles and responsibilities of the Idle Finance team as owners of the smart contracts. We also noted some potential access control issues associated with rebalancing, which may lead to sub-optimal token allocations.

**Update:** Idle Finance has addressed our concerns as of commit [bcb6f09](https://github.com/bugduino/idle-contracts/commit/bcb6f097e6614bfa5aa9be3cb4dacb98d73992e7).

**Update 2:** Recently, several attacks have occurred on bZx/Fulcrum (for reference, see [Attack 1](https://bzx.network/blog/postmortem-ethdenver) and [Attack 2](https://www.theblockcrypto.com/post/56207/bzx-attacked-again-645k-in-eth-estimated-to-be-lost)), allowing lenders to create highly under-collateralized loans. Since Fulcrum is one of the underlying protocols that Idle may lend on, we recommend investigating these attacks to determine how much impact this may have on the Idle protocol. It may be prudent to temporarily disable Fulcrum as a potential lending platform until the full extent of the issues has been investigated. As a simple approach, we believe this could be accomplished in the following manner:

1. Deploy a new "dummy" wrapper contract that returns zero whenever `nextSupplyRate()` or `nextSupplyRateWithParams()` is invoked. This ensures that the rebalancer will always favor other wrappers when calculating the allocations.
2. As the owner, invoke `IdleToken.setProtocolWrapper("fulcrum address", "dummy wrapper address")`.

Note that we also recommend adding tests to ensure that supply rates equal to zero do not cause any adverse effects.

**Update 3:** We have reviewed version 3 of the contracts based on commit [a71a706](https://github.com/bugduino/idle-contracts-private/commit/a71a706501ef2984412fa63855c233e709380524). Our audit focused on the new wrapper contracts associated with `Aave` and `DyDx`, and on the new `IdleTokenV3` and `IdleRebalancerV3`. We noted several new sources of centralization, parts of the code which required further documentation, and possible gas-constant related issues. We recommend addressing these concerns before deploying the V3 contracts to production.

**Update 4:** Several of our concerns have been addressed as of commit [64f22d0](https://github.com/bugduino/idle-contracts-private/commit/64f22d0e41bafe4096dc7757b69535ab09951c2f).

**Update 5:** Our concerns have been addressed as of commit [fefd01d](https://github.com/bugduino/idle-contracts-private/commit/fefd01da53ef49f63257ef85ea35399d8cb91368).

**Update 6:** All concerns have been addressed as of commit [7d3b7e4](https://github.com/bugduino/idle-contracts-private/commit/7d3b7e4ff2f9d3f1a6eb3359ec48f51408cbb67a).

**Update 7:** Quantstamp has reviewed updates to the contracts as of commit [93d3429](https://github.com/bugduino/idle-contracts-private/commit/93d342952a96ccf43a8216caae6a1a258f2f181f).

**Update 8:** Quantstamp has reviewed updates as of commit [f9c02d1](https://github.com/bugduino/idle-contracts-private/commit/f9c02d136197d3b251952c218e7571c8aa113e22).

**Update 9:** Quantstamp has reviewed updates as of commit [35d61ae](https://github.com/bugduino/idle-contracts-private/commit/35d61aee52fce637866957ad712b9da4bd821db5). In this iteration, only `IdleTokenV3_1.sol`, `IdleRebalancerV3_1.sol`, and `IdleCompound.sol` were audited (against the previously audited "V3" versions). New findings can be found in QSP-14 through QSP-20, and have been appended to the Best Practices and Documentation sections.

**Update 10:** Quantstamp has reviewed updates as of commit [338ec24](https://github.com/bugduino/idle-contracts-private/commit/338ec241934cfa0c556cbf78385e05832239bbfa). All existing issues have been resolved. However, there are several contracts, such as `GSTConsumer*.sol`, `IdleDSR.sol`, and `IdleDyDx.sol`, for which we suggest improving test coverage.

**Update 11:** The Idle team has alerted Quantstamp of an issue in `IdleTokenV3_1._tokenPrice()`, in which the incorrect number of decimal places had been used. This issue has been resolved, and no new issues were found as of commit [1b40261](https://github.com/bugduino/idle-contracts-private/commit/1b402616465de49cb3299da4e87ac083d323ca9b).

**Update 12:** Several new issues of varying severity were noted during the audit of commit [50da42b9](https://github.com/bugduino/idle-contracts-private/commit/50da42b97f0678e3435fa7541fe43f600ce897cd), as discussed in QSP-21 through QSP-31, and as appended to the Best Practices and Documentation sections. Note that only `IdleTokenV3_1.sol` was reviewed in this iteration.

**Update 13:** All issues have been addressed as of commit [bd40915](https://github.com/bugduino/idle-contracts-private/commit/bd409159972d5e6bb718af75015d20311f9e86d2).

**Update 14:** The report has been updated based on the diff [b928e84...e09d4f5](https://github.
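The "dummy wrapper" mitigation described in Update 2 above, written out as an added example. This is not Idle's code and not part of the audit report; the shape of the `ILendingProtocol` interface beyond the two rate functions named in the summary (`mint`, `redeem`, `getAPR`, `getPriceInToken`, `token`, `underlying`, `availableLiquidity`), the contract name `DisabledProtocolWrapper`, and the constructor parameters are assumptions and must be checked against the interface file at the commit being deployed.

```solidity
pragma solidity ^0.5.16;

// ASSUMED shape of Idle's lending-protocol wrapper interface. Only
// nextSupplyRate() and nextSupplyRateWithParams() are named in the audit
// summary; every other member below is reconstructed and must be verified
// against ILendingProtocol.sol in the repository before use.
interface ILendingProtocol {
  function mint() external returns (uint256);
  function redeem(address account) external returns (uint256);
  function nextSupplyRate(uint256 amount) external view returns (uint256);
  function nextSupplyRateWithParams(uint256[] calldata params) external view returns (uint256);
  function getAPR() external view returns (uint256);
  function getPriceInToken() external view returns (uint256);
  function token() external view returns (address);
  function underlying() external view returns (address);
  function availableLiquidity() external view returns (uint256);
}

// Stand-in wrapper that makes a lending platform unattractive to the
// rebalancer by always reporting a zero supply rate, and that refuses to
// move any funds. Hypothetical contract written for this example.
contract DisabledProtocolWrapper is ILendingProtocol {
  address private _token;       // protocol token of the disabled platform
  address private _underlying;  // underlying asset the IdleToken manages

  constructor(address protocolToken, address underlyingToken) public {
    require(protocolToken != address(0) && underlyingToken != address(0), "zero address");
    _token = protocolToken;
    _underlying = underlyingToken;
  }

  // The two functions the audit names: always zero, so any wrapper with a
  // positive rate is preferred during allocation.
  function nextSupplyRate(uint256) external view returns (uint256) { return 0; }
  function nextSupplyRateWithParams(uint256[] calldata) external view returns (uint256) { return 0; }

  // Remaining read-only members report "nothing available" / "no yield".
  // getPriceInToken() returning zero is only safe while no balance of the
  // protocol token remains attributed to this wrapper; see the note below.
  function getAPR() external view returns (uint256) { return 0; }
  function getPriceInToken() external view returns (uint256) { return 0; }
  function availableLiquidity() external view returns (uint256) { return 0; }
  function token() external view returns (address) { return _token; }
  function underlying() external view returns (address) { return _underlying; }

  // Fund movement is refused outright. A silent no-op mint() would strand
  // any underlying transferred to this contract; reverting makes a stray
  // allocation fail loudly instead of losing funds.
  function mint() external returns (uint256) { revert("protocol disabled"); }
  function redeem(address) external returns (uint256) { revert("protocol disabled"); }
}
```

Deployment follows the two steps in Update 2: deploy this contract, then have the owner call `IdleToken.setProtocolWrapper(<fulcrum address>, <dummy wrapper address>)`. Two checks matter before swapping: first, confirm that nothing is still allocated through the wrapper being replaced, because a dummy that reverts on `redeem()` cannot unwind an existing position; second, run the zero-rate tests the summary recommends, exercising the rebalancer with one wrapper at zero and with every wrapper at zero, since a rate-weighted allocation can divide by the sum of rates.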


Issues (39)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 16 | 1 | - | - | 17 |
| Fixed | 19 | 3 | - | - | 22 |
| Total | 35 | 4 | 0 | 0 | 39 |


Contracts (123)