# Lending Audit


Smart contract security audit report


### Audit Number: 202102081815 Report Query Name: ONX


**Smart Contract Address Link**:

<https://github.com/onx-audit/ONX-lending-contract/tree/main/contracts>

### Original Commit Hash:

d02ad00e05b61c2adb68b793025d1c85058db02e

### Final Commit Hash:

f402103a6f59636ce4f658e9600a94b22b8cddad

### Start Date: 2021.01.26 Completion Date: 2021.02.08 Overall Result: Pass

**Audit Team: Beosin (Chengdu LianAn) Technology Co. Ltd.**

**Audit Categories and Results:**

| No. | Categories            | Subitems                                        | Results |
| --- | --------------------- | ----------------------------------------------- | ------- |
| 1   | Coding Conventions    | Compiler Version Security                       | Pass    |
|     |                       | Deprecated Items                                | Pass    |
|     |                       | Redundant Code                                  | Pass    |
|     |                       | SafeMath Features                               | Pass    |
|     |                       | require/assert Usage                            | Pass    |
|     |                       | Gas Consumption                                 | Pass    |
|     |                       | Visibility Specifiers                           | Pass    |
|     |                       | Fallback Usage                                  | Pass    |
| 2   | General Vulnerability | Integer Overflow/Underflow                      | Pass    |
|     |                       | Reentrancy                                      | Pass    |
|     |                       | Pseudo-random Number Generator (PRNG)           | Pass    |
|     |                       | Transaction-Ordering Dependence                 | Pass    |
|     |                       | DoS (Denial of Service)                         | Pass    |
|     |                       | Access Control of Owner                         | Pass    |
|     |                       | Low-level Function (call/delegatecall) Security | Pass    |
|     |                       | Returned Value Security                         | Pass    |
|     |                       | tx.origin Usage                                 | Pass    |
|     |                       | Replay Attack                                   | Pass    |
|     |                       | Overriding Variables                            | Pass    |
| 3   | Business Security     | Business Logics                                 | Pass    |
|     |                       | Business Implementations                        | Pass    |

Note: Audit results and suggestions are given in code comments.

Disclaimer: This audit applies only to the type of auditing specified in this report and the scope given in the results table. Other unknown security vulnerabilities are beyond the auditing responsibility. Beosin (Chengdu LianAn) Technology issues this report based only on the attacks or vulnerabilities that already existed or occurred before the issuance of this report. For new attacks or vulnerabilities that emerge or occur in the future, Beosin (Chengdu LianAn) Technology lacks the capability to judge their possible impact on the security status of the smart contracts, and thus takes no responsibility for them. The security audit analysis and other contents of this report are based solely on the documents and materials that the contract provider has provided to Beosin (Chengdu LianAn) Technology before the issuance of this report, and the contract provider warrants that none of them are missing, tampered with or deleted; if the documents and materials provided by the contract provider are missing, tampered with, deleted, concealed or reflect a situation that is inconsistent with the actual situation, or if the documents and materials provided are changed after the issuance of this report, Beosin (Chengdu LianAn) Technology assumes no responsibility for the resulting loss or adverse effects. The audit report issued by Beosin (Chengdu LianAn) Technology is based on the documents and materials provided by the contract provider and relies on the technology currently possessed by Beosin (Chengdu LianAn). Due to the technical limitations of any organization, this report conducted by Beosin (Chengdu LianAn) still has the possibility that the entire risk cannot be completely detected. Beosin (Chengdu LianAn) disclaims any liability for the resulting losses.

The final interpretation of this statement belongs to Beosin (Chengdu LianAn).

**Audit Results Explained:**

Beosin (Chengdu LianAn) Technology used several methods, including Formal Verification, Static Analysis, Typical Case Testing and Manual Review, to audit three major aspects of the ONX smart contract project: Coding Standards, Security, and Business Logic. **The ONX project passed all audit items. The overall result is Pass. The smart contract is able to function properly.**

## Coding Conventions

Check for code that does not conform to the Solidity code style.

### Compiler Version Security


* **Description**: Check whether the code implementation of the current contract is affected by a known Solidity compiler bug.
* **Result**: Pass

### Deprecated Items

* **Description**: Check whether the current contract uses deprecated items.
* **Result**: Pass

### Redundant Code

* **Description**: Check whether the contract contains redundant code.
* **Result**: Pass

### SafeMath Features

* **Description**: Check whether SafeMath is used, or integer overflow/underflow in mathematical operations is otherwise prevented.
* **Result**: Pass

### require/assert Usage

* **Description**: Check whether 'require' and 'assert' are used appropriately in the contract.
* **Result**: Pass

### Gas Consumption

* **Description**: Check whether the gas consumption exceeds the block gas limit.
* **Result**: Pass

### Visibility Specifiers

* **Description**: Check whether function and variable visibility conforms to the design requirements.
* **Result**: Pass

### Fallback Usage

* **Description**: Check whether the fallback function is used correctly in the current contract.
* **Result**: Pass

## General Vulnerability

Check whether the general vulnerabilities exist in the contract.

### Integer Overflow/Underflow

* **Description**: Check whether an integer overflow/underflow in the contract can make a calculation result abnormal.
* **Result**: Pass

### Reentrancy

* **Description**: Check for reentrancy, where external code can call back into the contract and change state before the original call completes, such as when withdrawing ETH.
* **Result**: Pass

### Pseudo-random Number Generator (PRNG)

* **Description**: Check whether the results of random numbers can be predicted.
* **Result**: Pass

### Transaction-Ordering Dependence

* **Description**: Check whether the final state of the contract depends on the order of transactions.
* **Result**: Pass

### DoS (Denial of Service)

* **Description**: Check whether the contract can be made unavailable (denial of service) for unexpected reasons.
* **Result**: Pass

### Access Control of Owner

* **Description**: Check whether the owner has excessive permissions, such as malicious token issuance or modifying the balances of others.
* **Result**: Pass

### Low-level Function (call/delegatecall) Security

* **Description**: Check whether the usage of low-level functions such as call/delegatecall introduces vulnerabilities.
* **Result**: Pass

### Returned Value Security

* **Description**: Check whether functions check return values and respond to them accordingly.
* **Result**: Pass

### tx.origin Usage

* **Description**: Check the security risk of using 'tx.origin' in the contract.
* **Result**: Pass

### Replay Attack

* **Description**: Check whether a replay attack is possible against the contract.
* **Result**: Pass

### Overriding Variables

* **Description**: Check whether variables are overridden in a way that leads to wrong code execution.
* **Result**: Pass

## Business Security


The ONX project mainly implements the deposit/borrow function. Users can deposit supply tokens to become lending makers, or borrow by depositing collateral tokens. In addition, users earn rewards through deposits and borrowing, and the collateral tokens provided by users are transferred to ONXFarm for profit.

### ONXPlatform

* **Description**: This contract mainly implements the router function. Users can deposit, withdraw, borrow, repay, liquidate and settle profit through the functions it provides. The contract owner can also use this contract to set the parameters of each pool and the investment strategy for users' collateralToken, and can perform an emergency shutdown of the various functions.

1. The user can call the *deposit* function to deposit *supplyToken* in the contract. The *supplyToken* will be used for external borrowing, and the interest earned will be evenly distributed to the holders of the *supplyToken*.

Figure 1 source code of deposit

2. The user can withdraw the *supplyToken*, its interest, and *collateralToken* in proportion to the withdrawn *supplyToken* from the contract by calling *withdraw*.

Figure 2 source code of withdraw

3. The user can borrow the *supplyToken* by sending the *collateralToken* to the contract by calling *borrow*.

Figure 3 source code of borrow

4. The user can return the loaned *supplyToken* and the interest generated to the contract by calling *repay*.

Figure 4 source code of repay

5. When 90% (adjustable by the owner) of the value of a borrower's *collateralToken* is less than the value of the loaned *supplyToken* plus the interest generated, any user who provides the *supplyToken* can liquidate the borrower's loan by calling the *liquidation* function. After the liquidation, the borrower's collateral is distributed proportionally to the suppliers of *supplyToken*.

Figure 5 source code of liquidation

6. The user can call *reinvest* to convert the interest generated by the deposited tokens into principal that itself generates interest.

Figure 6 source code of reinvest
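A worked model of the liquidation rule from step 5 (and the ONXPool description below), added here as an illustration and not ONX's own code: the function names, token prices and balances are constructed assumptions, and the collateral value is converted with the owner-supplied off-chain price the report describes for ONXConfig.

```python
from fractions import Fraction

# Constructed model of the report's liquidation rule; not the ONX contracts.
LIQUIDATION_RATE = Fraction(90, 100)  # 90% of collateral value, owner-adjustable


def convert_token_amount(amount, from_price, to_price):
    """Value an amount of one token in units of another using the
    owner-published off-chain prices (constructed values here)."""
    return Fraction(amount) * Fraction(from_price) / Fraction(to_price)


def is_liquidatable(collateral, collateral_price, supply_price, debt, interest,
                    rate=LIQUIDATION_RATE):
    """A loan is liquidatable when rate * collateral value (in supplyToken)
    is below principal plus accrued interest."""
    value = convert_token_amount(collateral, collateral_price, supply_price)
    return rate * value < Fraction(debt) + Fraction(interest)


def liquidate(borrower, loans, caller, supplier_balances,
              collateral_price, supply_price):
    """Only a supplyToken supplier may liquidate; the borrower's collateral is
    then split pro rata among suppliers by deposit balance."""
    if supplier_balances.get(caller, 0) <= 0:
        raise PermissionError("caller has no deposit balance")
    loan = loans[borrower]
    if not is_liquidatable(loan["collateral"], collateral_price, supply_price,
                           loan["debt"], loan["interest"]):
        return None  # loan is still healthy
    total = sum(supplier_balances.values())
    share = {s: loan["collateral"] * Fraction(b, total)
             for s, b in supplier_balances.items()}
    loans[borrower] = {"collateral": 0, "debt": 0, "interest": 0}
    return share


# Constructed sample: 1000 COL posted against 600 SUP borrowed plus 30 interest.
LOANS = {"bob": {"collateral": 1000, "debt": 600, "interest": 30}}
SUPPLIERS = {"alice": 300, "carol": 100}  # supplyToken deposit balances


def demo():
    # At 1 COL = 0.80 SUP: 0.9 * 800 = 720 >= 630, so the loan stays healthy.
    healthy = liquidate("bob", {k: dict(v) for k, v in LOANS.items()},
                        "alice", SUPPLIERS, Fraction(80, 100), 1)
    # At 1 COL = 0.65 SUP: 0.9 * 650 = 585 < 630. A single price update from
    # the owner's wallet is what flips the loan into the liquidatable state,
    # which is the owner-key risk the report flags for ONXConfig.
    loans = {k: dict(v) for k, v in LOANS.items()}
    share = liquidate("bob", loans, "alice", SUPPLIERS, Fraction(65, 100), 1)
    return healthy, share, loans["bob"]
```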

* **Related function**: *deposit, withdraw, borrow, repay, updatePoolParameter, setCollateralStrategy, reinvest, liquidation*
* **Safety Notification**: The *owner* has high authority. If the owner's private key is stolen, users' collateral can be stolen by changing the strategy contract address.
* **Fix Result**: The project party stated that the strategy needs to be adjusted in a later stage of the project and must retain this permission, and promised to keep the private key properly.
* **Audit Result**: Pass

### ONXConfig

* **Description**: This contract mainly stores the parameters used by the project, divided into project-wide parameters (*params*) and per-pool parameters (*poolParams*). The *owner* can set the parameters. In addition, this contract provides an interface for uploading off-chain token price data, which is used for price conversion when valuing collateral.
* **Related function**: *setWallets, setTokenPrice, setValue, setPoolValue, convertTokenAmount*
* **Safety Suggestion**: The *owner* address and *wallets* address have high authority. Once lost, users can be maliciously liquidated by modifying the token price.
* **Fix Result**: The project party stated that, in order to avoid risks such as flash loan attacks, it will continue to retain the offline pricing method, and promised to keep the private key properly.
* **Audit Result**: Pass

### ONXFactory

* **Description**: This contract stores pool-related information. The *owner* can add pool-related information and initialize the pool by calling the *createPool* function.
* **Related function**: *createPool, countPools*
* **Result**: Pass

### ONXStrategyCollateral

* **Description**: This contract manages users' collateral. When a user borrows, if the pool has a strategy contract address set, the collateral paid is sent to the strategy contract, which deposits it into ONXFarm for profit.
* **Related function**: *invest, withdraw, liquidation, claim, mint*
* **Result**: Pass

### ONXPool

* **Description**: This contract implements the core logic of the deposit/borrow function. Its main functions include deposits, withdrawals, borrowing, repayment, liquidation and profit settlement. Most of the functions can only be called through the platform contract. The interest on deposits and borrowing is dynamic: as the loan amount increases, the interest rate also increases. When 90% (initial setting, adjustable by the owner) of the value of the collateral is lower than the loan amount plus interest, any user with a deposit balance can initiate liquidation. Both deposits and borrowings accumulate "Productivity" and receive rewards.
* **Related function**: *deposit, reinvest, withdraw, borrow, repay, liquidation, mint*

* **Safety Suggestion**: During *liquidation*, the liquidated collateral is allocated in proportion to each supply token, but part of those supply tokens consists of the interest paid when users *repay*. This causes a deviation in the proportion of supply tokens to collateral tokens when users withdraw funds (the total value is correct and users do not lose funds).
* **Fix Result**: After evaluation, the project party concluded that this does not cause user losses when the project is running normally, and chose to ignore this problem.
* **Result**: Pass

## Conclusion

Beosin (Chengdu LianAn) conducted a detailed audit of the design and code implementation of the ONX project smart contracts. The problems discovered by the audit team during the audit were reported to the project party. **The biggest risk point of the project comes from the project party's private key management. If the private key is lost, the project will not be able to function properly.** The overall audit result of the smart contracts of the ONX project is **Pass**.

**Official Website** <https://lianantech.com> **E-mail** <vaas@lianantech.com> **Twitter** <https://twitter.com/Beosin_com>
