Lending Audit

Smart contract security audit report

Audit Number:202102081815 Report Query Name: ONX

Smart Contract Address Link

https://github.com/onx-audit/ONX-lending-contract/tree/main/contracts

Original Commit Hash:

d02ad00e05b61c2adb68b793025d1c85058db02e

Final Commit Hash:

f402103a6f59636ce4f658e9600a94b22b8cddad

Start Date:2021.01.26 Completion Date:2021.02.08 Overall Result:Pass

Audit Team: Beosin (Chengdu LianAn) Technology Co. Ltd.

Audit Categories and Results:

Disclaimer: This audit is only applied to the type of auditing specified in this report and the scope of given in the results table. Other unknown security vulnerabilities are beyond auditing responsibility. Beosin (Chengdu LianAn) Technology only issues this report based on the attacks or vulnerabilities that already existed or occurred before the issuance of this report. For the emergence of new attacks or vulnerabilities that exist or occur in the future, Beosin (Chengdu LianAn) Technology lacks the capability to judge its possible impact on the security status of smart contracts, thus taking no responsibility for them. The security audit analysis and other contents of this report are based solely on the documents and materials that the contract provider has provided to Beosin (Chengdu LianAn) Technology before the issuance of this report, and the contract provider warrants that there are no missing, tampered, deleted; if the documents and materials provided by the contract provider are missing, tampered, deleted, concealed or reflected in a situation that is inconsistent with the actual situation, or if the documents and materials provided are changed after the issuance of this report, Beosin (Chengdu LianAn) Technology assumes no responsibility for the resulting loss or adverse effects. The audit report issued by Beosin (Chengdu LianAn) Technology is based on the documents and materials provided by the contract provider, and relies on the technology currently possessed by Beosin (Chengdu LianAn). Due to the technical limitations of any organization, this report conducted by Beosin (Chengdu LianAn) still has the possibility that the entire risk cannot be completely detected. Beosin (Chengdu LianAn) disclaims any liability for the resulting losses.

The final interpretation of this statement belongs to Beosin (Chengdu LianAn).

Audit Results Explained:

Beosin (Chengdu LianAn) Technology has used several methods including Formal Verification, Static Analysis, Typical Case Testing and Manual Review to audit three major aspects of smart contracts project ONX, including Coding Standards, Security, and Business Logic. The ONX project passed all audit items. The overall result is Pass. The smart contract is able to function properly.

Coding Conventions

Check the code style that does not conform to Solidity code style.

Compiler Version Security

    • Description: Check whether the code implementation of current contract contains the exposed solidity compiler bug.

    • Result: Pass

Deprecated Items

    • Description: Check whether the current contract has the deprecated items.

    • Result: Pass

Redundant Code

    • Description: Check whether the contract code has redundant codes.

    • Result: Pass

SafeMath Features

    • Description: Check whether the SafeMath has been used. Or prevents the integer overflow/underflow in mathematical operation.

    • Result: Pass

require/assert Usage

    • Description: Check the use reasonability of 'require' and 'assert' in the contract.

    • Result: Pass

Gas Consumption

    • Description: Check whether the gas consumption exceeds the block gas limitation.

    • Result: Pass

Visibility Specifiers

    • Description: Check whether the visibility conforms to design requirement.

    • Result: Pass

Fallback Usage

    • Description: Check whether the Fallback function has been used correctly in the current contract.

    • Result: Pass

General Vulnerability

Check whether the general vulnerabilities exist in the contract.

Integer Overflow/Underflow

    • Description: Check whether there is an integer overflow/underflow in the contract and the calculation result is abnormal.

    • Result: Pass

Reentrancy

    • Description: An issue when code can call back into your contract and change state, such as withdrawing ETH.

    • Result: Pass

Pseudo-random Number Generator (PRNG)

    • Description: Whether the results of random numbers can be predicted.

    • Result: Pass

Transaction-Ordering Dependence

    • Description: Whether the final state of the contract depends on the order of the transactions.

    • Result: Pass

DoS (Denial of Service)

    • Description: Whether exist DoS attack in the contract which is vulnerable because of unexpected reason.

    • Result: Pass

Access Control of Owner

    • Description: Whether the owner has excessive permissions, such as malicious issue, modifying the balance of others.

    • Result: Pass

Low-level Function (call/delegatecall) Security

    • Description: Check whether the usage of low-level functions like call/delegatecall have vulnerabilities.

    • Result: Pass

Returned Value Security

    • Description: Check whether the function checks the return value and responds to it accordingly.

    • Result: Pass

tx.origin Usage

    • Description: Check the use secure risk of 'tx.origin' in the contract.

    • Result: Pass

Replay Attack

    • Description: Check whether the implement possibility of Replay Attack exists in the contract.

    • Result: Pass

Overriding Variables

    • Description: Check whether the variables have been overridden and lead to wrong code execution.

    • Result: Pass

Business Security

The ONX project mainly implements the deposit/borrow function. Users can deposit the supply tokens to become the lending maker, they can borrow through deposits collateral tokens. In addition, users can get rewards through deposit and borrow, and the collateral tokens provided by users will be transferred to ONXFarm for profit.

ONXPlatform

    • Description:

This contract mainly implements the router function, and users can make deposits, withdraw, borrow, repay, liquidation, and settlement profit through the functions provided in this contract. The contract owner can also use this contract to set parameters of each pool and set the users’ collateralToken invest strategy. In addition, it can also perform emergency shutdown of various functions.

  1. The user can call the deposit function to deposit supplytoken in the contract. The supplytoken will be used for external borrowing, and the interest earned will be evenly distributed to the holders of the supplytoken.

Figure 1 source code of deposit

  1. The user can withdraw the supplytoken and the interest and collateralToken in proportion to the withdrawal of supplytoken from the contract by calling withdraw.

Figure 2 source code of withdraw

  1. The user can borrow the supplyToken by sending the collateralToken to the contract by calling borrow.

Figure 3 source code of borrow

  1. The user can return the loaned supplyToken and the interest generated to the contract by calling repay.

Figure 4 source code of repay

  1. When 90%(adjustable by owner) of the value of a borrower’s collateralToken is less than the value of the loaned supplyToken and the interest generated, any user who provides the supplyToken can liquidate the user’s loan by calling the liquidation function. After the liquidation, the user’s collateral will be distributed proportionally to the supplier of supplyToken.

Figure 5 source code of liquidation

  1. The user can call the reinvest to convert the interest generated through the deposited tokens into the principal that can generate interest.

Figure 6 source code of reinvest

    • Related function: deposit, withdraw, borrow, repay, updatePoolParameter, setCollateralStrategy, reinvest, liquidation

    • Safety Notification: The owner has high authority. If the owner's private key is stolen, the user's collateral can be stolen by changing the strategy contract address.

    • Fix Result: The project party stated that the strategy needs to be adjusted in the later stage of the project and must retain this permission and promise to keep the private key properly.

    • Audit Result: Pass

ONXConfig

    • Description:

This contract mainly stores various parameters that need to be used in the project, which is mainly divided into project parameter params and poolParams corresponding to each pool. The owner can set the parameters. In addition, this contract also provides an interface for uploading off-chain token price data, which is used for price conversion when converting the value of collateral.

    • Related function: setWallets, setTokenPrice, setValue, setPoolValue, convertTokenAmount

    • Safety Suggestion: The owner address and wallets address have high authority. Once lost, they can be maliciously liquidated by modifying the token price.

    • Fix Result: The project party stated that in order to avoid risks such as flash loan attacks, it will continue to retain the offline pricing method and promise to properly keep the private key.

    • Audit Result: Pass

ONXFactory

    • Description:

This contract stores pool-related information. The owner can add pool-related information by calling the

createPool function and initialize the pool.

    • Related function: createPool, countPools

    • Result: Pass

ONXStrategyCollateral

    • Description:

This contract implements the management of the user's collateral. When the user makes a borrow, if the pool sets the strategy contract address, the collateral paid will be sent to the strategy contract, and the strategy contract will deposit them to ONXfarm for profit.

    • Related contract: invest, withdraw, liquidation, claim, mint

    • Result: Pass

ONXPool

    • Description:

This contract implements the core logic of the deposit/borrow function. The main functions include deposits, withdrawals, borrowing, repayment, liquidation and settlement profit, etc. Most of the functions can only be called through the platform contract. The interest on deposits and borrowing is dynamic. As the loan amount increases, the interest rate will also increase. When 90% (initial setting, adjustable by owner) of the value of the collateral is lower than the sum of the loan amount plus interest, any user who have deposit balance can initiate liquidation. Both deposits and borrowings will accumulate "Productivity" and get rewards.

    • Related contract: deposit, reinvest, withdraw, borrow, repay, liquidation, mint

Safety Suggestion:

During the liquidation, the liquidated collateral will be calculated corresponding to each supply tokens, but the part of these supply tokens contain the interest when the user repay. This leads to a deviation in the proportion of supply tokens and collateral tokens when they withdraw funds (the total value is correct and will not cause the user to lose funds).

    • Fix Result: After evaluation by the project party, when the project is running normally, it will not cause user’s losses, therefore, choose to ignore this problem.

    • Result: Pass

Conclusion

Beosin (Chengdu Lian'an) conducted a detailed audit on the design and code implementation of the ONX project smart contract. The problems discovered by the audit team during the audit process have been notified to the project party. The biggest risk point of the project comes from the project party’s private key management. if the private key is lost, the project will not be able to function properly. The overall audit result of the smart contract of the ONX project is Pass.

https://twitter.com/Beosin_com

PreviousonSynthetics AuditNextAlpha Audit