In this audit we reviewed Lucidao's peer-to-peer NFT lending contract. Users can request loans in USD stablecoins within the contract; the selected loan duration determines the interest rate to be paid. The user also has to specify an NFT to be used as collateral, which is assessed by an external, out-of-scope oracle. Loans can be paid back in full by anyone, with a dynamic penalty factor in case of early repayment, or with an additional fee if paid back within a certain grace period after the loan has ended. If the loan is not repaid on time, the lender can claim the collateral NFT, or any user can liquidate the loan by repaying it in full with an additional liquidation fee, getting the NFT in return.

In the course of the audit, significant concerns arose. The main concern is that the custom oracle contract returning the NFT prices is out of scope of the audit; as a result, we audited the protocol only partially. Any failure in the oracle contract would result in severe issues in the lending contract. Even with limited knowledge of the oracle's behaviour, we deem its output to be insufficiently checked (ALT-2). We also noticed that the protocol does not enable early liquidation of a loan when it becomes undercollateralized due to falling NFT prices (ALT-3). This significant lender-side risk is currently undocumented.

Furthermore, we deem the test quality to be insufficient (ALT-4). The test suite was not able to discover a basic inconsistency in the use of basis points (ALT-1), which results in, e.g., exorbitantly high liquidation and grace period fees. The tests merely seem to compare smart contract results to hardcoded constants, which appear to mirror the output of the contracts themselves, so their usefulness is questionable.

**Update Fix-Review** All identified issues have been fully resolved by the client and the quality of the test suite has significantly increased.
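The link between the basis-point inconsistency (ALT-1) and the weak tests (ALT-4) can be shown with a small model. This is an added example, not Lucidao's code: it models the contract's integer arithmetic in Python, and the specific mismatch (a basis-point value scaled by 100 instead of 10,000), all constants and all function names are assumptions, since the page does not give the details of ALT-1.

```python
from fractions import Fraction

BPS_DENOMINATOR = 10_000     # 1 basis point = 0.01 %
LIQUIDATION_FEE_BPS = 500    # constructed value: 5 % expressed in basis points
MAX_FEE_BPS = 1_000          # constructed upper bound used for test inputs


def fee_inconsistent(amount: int, fee_bps: int) -> int:
    """Assumed bug: fee configured in basis points but scaled as a percentage."""
    return amount * fee_bps // 100


def fee_consistent(amount: int, fee_bps: int) -> int:
    """Same fee with the basis-point denominator applied consistently."""
    return amount * fee_bps // BPS_DENOMINATOR


def mirror_test(fee_fn) -> bool:
    """Weak test: the expected constant was copied from the code's own output."""
    expected = 5_000_000     # what the buggy code returned when the test was written
    return fee_fn(1_000_000, LIQUIDATION_FEE_BPS) == expected


def independent_test(fee_fn) -> list:
    """Stronger test: recompute the fee from the definition of a basis point."""
    failures = []
    for amount in (1, 999, 1_000_000, 10**18):
        for bps in (0, 1, LIQUIDATION_FEE_BPS, MAX_FEE_BPS):
            got = fee_fn(amount, bps)
            spec = Fraction(amount * bps, BPS_DENOMINATOR)  # exact, unrounded
            # Integer division may round down by less than one unit, never up.
            if not (spec - 1 < got <= spec):
                failures.append((amount, bps, got))
    return failures


if __name__ == "__main__":
    for name, fn in (("inconsistent", fee_inconsistent),
                     ("consistent", fee_consistent)):
        print(name,
              "| mirror test passes:", mirror_test(fn),
              "| independent failures:", len(independent_test(fn)))
```

The mirror test passes on the inconsistent version and fails on the corrected one, so it locks the defect in, while the independent check flags the 100x fee without depending on any value the code produced.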

Status | Low | Medium | High | Critical | Total |
---|---|---|---|---|---|
Not fixed | - | - | - | - | 0 |
Fixed | 12 | 4 | 2 | - | 18 |
Total | 12 | 4 | 2 | 0 | 18 |

# | GitHub Repository | Commit Hash | File | URL |
---|---|---|---|---|
1 | lucidao-developer/altr-lending-smart-contracts | d93fafb4ed9b29800d246ebf52c8ac5e3d26a24d | src/Lending.sol | Check on Github |
2 | lucidao-developer/altr-lending-smart-contracts | d93fafb4ed9b29800d246ebf52c8ac5e3d26a24d | src/IPriceIndex.sol | Check on Github |