Smart contract security audit report
Smart Contract Address Link:
https://github.com/onx-audit/ONX-lending-contract/tree/main/contracts
d02ad00e05b61c2adb68b793025d1c85058db02e
f402103a6f59636ce4f658e9600a94b22b8cddad
Audit Team: Beosin (Chengdu LianAn) Technology Co. Ltd.
Audit Categories and Results:
No. | Categories | Subitems | Results |
1 | Coding Conventions | Compiler Version Security | Pass |
Deprecated Items | Pass | ||
Redundant Code | Pass | ||
SafeMath Features | Pass | ||
require/assert Usage | Pass | ||
Gas Consumption | Pass | ||
Visibility Specifiers | Pass | ||
Fallback Usage | Pass | ||
2 | General Vulnerability | Integer Overflow/Underflow | Pass |
Reentrancy | Pass | ||
Pseudo-random Number Generator (PRNG) | Pass | ||
Transaction-Ordering Dependence | Pass | ||
DoS (Denial of Service) | Pass |
Access Control of Owner | Pass | ||
Low-level Function (call/delegatecall) Security | Pass | ||
Returned Value Security | Pass | ||
tx.origin Usage | Pass | ||
Replay Attack | Pass | ||
Overriding Variables | Pass | ||
3 | Business Security | Business Logics | Pass |
Business Implementations | Pass |
Disclaimer: This audit is only applied to the type of auditing specified in this report and the scope of given in the results table. Other unknown security vulnerabilities are beyond auditing responsibility. Beosin (Chengdu LianAn) Technology only issues this report based on the attacks or vulnerabilities that already existed or occurred before the issuance of this report. For the emergence of new attacks or vulnerabilities that exist or occur in the future, Beosin (Chengdu LianAn) Technology lacks the capability to judge its possible impact on the security status of smart contracts, thus taking no responsibility for them. The security audit analysis and other contents of this report are based solely on the documents and materials that the contract provider has provided to Beosin (Chengdu LianAn) Technology before the issuance of this report, and the contract provider warrants that there are no missing, tampered, deleted; if the documents and materials provided by the contract provider are missing, tampered, deleted, concealed or reflected in a situation that is inconsistent with the actual situation, or if the documents and materials provided are changed after the issuance of this report, Beosin (Chengdu LianAn) Technology assumes no responsibility for the resulting loss or adverse effects. The audit report issued by Beosin (Chengdu LianAn) Technology is based on the documents and materials provided by the contract provider, and relies on the technology currently possessed by Beosin (Chengdu LianAn). Due to the technical limitations of any organization, this report conducted by Beosin (Chengdu LianAn) still has the possibility that the entire risk cannot be completely detected. Beosin (Chengdu LianAn) disclaims any liability for the resulting losses.
The final interpretation of this statement belongs to Beosin (Chengdu LianAn).
Audit Results Explained:
Beosin (Chengdu LianAn) Technology has used several methods including Formal Verification, Static Analysis, Typical Case Testing and Manual Review to audit three major aspects of smart contracts project ONX, including Coding Standards, Security, and Business Logic. The ONX project passed all audit items. The overall result is Pass. The smart contract is able to function properly.
Check the code style that does not conform to Solidity code style.
Description: Check whether the code implementation of current contract contains the exposed solidity compiler bug.
Result: Pass
Description: Check whether the current contract has the deprecated items.
Result: Pass
Description: Check whether the contract code has redundant codes.
Result: Pass
Description: Check whether the SafeMath has been used. Or prevents the integer overflow/underflow in mathematical operation.
Result: Pass
Description: Check the use reasonability of 'require' and 'assert' in the contract.
Result: Pass
Description: Check whether the gas consumption exceeds the block gas limitation.
Result: Pass
Description: Check whether the visibility conforms to design requirement.
Result: Pass
Description: Check whether the Fallback function has been used correctly in the current contract.
Result: Pass
Check whether the general vulnerabilities exist in the contract.
Description: Check whether there is an integer overflow/underflow in the contract and the calculation result is abnormal.
Result: Pass
Description: An issue when code can call back into your contract and change state, such as withdrawing ETH.
Result: Pass
Description: Whether the results of random numbers can be predicted.
Result: Pass
Description: Whether the final state of the contract depends on the order of the transactions.
Result: Pass
Description: Whether exist DoS attack in the contract which is vulnerable because of unexpected reason.
Result: Pass
Description: Whether the owner has excessive permissions, such as malicious issue, modifying the balance of others.
Result: Pass
Description: Check whether the usage of low-level functions like call/delegatecall have vulnerabilities.
Result: Pass
Description: Check whether the function checks the return value and responds to it accordingly.
Result: Pass
Description: Check the use secure risk of 'tx.origin' in the contract.
Result: Pass
Description: Check whether the implement possibility of Replay Attack exists in the contract.
Result: Pass
Description: Check whether the variables have been overridden and lead to wrong code execution.
Result: Pass
The ONX project mainly implements the deposit/borrow function. Users can deposit the supply tokens to become the lending maker, they can borrow through deposits collateral tokens. In addition, users can get rewards through deposit and borrow, and the collateral tokens provided by users will be transferred to ONXFarm for profit.
Description:
This contract mainly implements the router function, and users can make deposits, withdraw, borrow, repay, liquidation, and settlement profit through the functions provided in this contract. The contract owner can also use this contract to set parameters of each pool and set the users’ collateralToken invest strategy. In addition, it can also perform emergency shutdown of various functions.
The user can call the deposit function to deposit supplytoken in the contract. The supplytoken will be used for external borrowing, and the interest earned will be evenly distributed to the holders of the supplytoken.
Figure 1 source code of deposit
The user can withdraw the supplytoken and the interest and collateralToken in proportion to the withdrawal of supplytoken from the contract by calling withdraw.
Figure 2 source code of withdraw
The user can borrow the supplyToken by sending the collateralToken to the contract by calling borrow.
Figure 3 source code of borrow
The user can return the loaned supplyToken and the interest generated to the contract by calling repay.
Figure 4 source code of repay
When 90%(adjustable by owner) of the value of a borrower’s collateralToken is less than the value of the loaned supplyToken and the interest generated, any user who provides the supplyToken can liquidate the user’s loan by calling the liquidation function. After the liquidation, the user’s collateral will be distributed proportionally to the supplier of supplyToken.
Figure 5 source code of liquidation
The user can call the reinvest to convert the interest generated through the deposited tokens into the principal that can generate interest.
Figure 6 source code of reinvest
Related function: deposit, withdraw, borrow, repay, updatePoolParameter, setCollateralStrategy, reinvest, liquidation
Safety Notification: The owner has high authority. If the owner's private key is stolen, the user's collateral can be stolen by changing the strategy contract address.
Fix Result: The project party stated that the strategy needs to be adjusted in the later stage of the project and must retain this permission and promise to keep the private key properly.
Audit Result: Pass
Description:
This contract mainly stores various parameters that need to be used in the project, which is mainly divided into project parameter params and poolParams corresponding to each pool. The owner can set the parameters. In addition, this contract also provides an interface for uploading off-chain token price data, which is used for price conversion when converting the value of collateral.
Related function: setWallets, setTokenPrice, setValue, setPoolValue, convertTokenAmount
Safety Suggestion: The owner address and wallets address have high authority. Once lost, they can be maliciously liquidated by modifying the token price.
Fix Result: The project party stated that in order to avoid risks such as flash loan attacks, it will continue to retain the offline pricing method and promise to properly keep the private key.
Audit Result: Pass
Description:
This contract stores pool-related information. The owner can add pool-related information by calling the
createPool function and initialize the pool.
Related function: createPool, countPools
Result: Pass
Description:
This contract implements the management of the user's collateral. When the user makes a borrow, if the pool sets the strategy contract address, the collateral paid will be sent to the strategy contract, and the strategy contract will deposit them to ONXfarm for profit.
Related contract: invest, withdraw, liquidation, claim, mint
Result: Pass
Description:
This contract implements the core logic of the deposit/borrow function. The main functions include deposits, withdrawals, borrowing, repayment, liquidation and settlement profit, etc. Most of the functions can only be called through the platform contract. The interest on deposits and borrowing is dynamic. As the loan amount increases, the interest rate will also increase. When 90% (initial setting, adjustable by owner) of the value of the collateral is lower than the sum of the loan amount plus interest, any user who have deposit balance can initiate liquidation. Both deposits and borrowings will accumulate "Productivity" and get rewards.
Related contract: deposit, reinvest, withdraw, borrow, repay, liquidation, mint
During the liquidation, the liquidated collateral will be calculated corresponding to each supply tokens, but the part of these supply tokens contain the interest when the user repay. This leads to a deviation in the proportion of supply tokens and collateral tokens when they withdraw funds (the total value is correct and will not cause the user to lose funds).
Fix Result: After evaluation by the project party, when the project is running normally, it will not cause user’s losses, therefore, choose to ignore this problem.
Result: Pass
Beosin (Chengdu Lian'an) conducted a detailed audit on the design and code implementation of the ONX project smart contract. The problems discovered by the audit team during the audit process have been notified to the project party. The biggest risk point of the project comes from the project party’s private key management. if the private key is lost, the project will not be able to function properly. The overall audit result of the smart contract of the ONX project is Pass.
https://twitter.com/Beosin_com
Note: Audit results and suggestions in code comments
Official Website https://lianantech.com E-mail vaas@lianantech.com Twitter