The Vidma team has conducted a smart contract audit for the given codebase.
The contracts are in good condition. Based on the fixes provided by the Xend Finance team and on the quality and security of the codebase provided, the Vidma team can give a score of 99 to the audited smart contracts.
During the auditing process, the Vidma team found a couple of informational issues, 7 issues of low severity, 3 issues of medium severity, and 7 issues of high severity. No critical issues were found.
Evaluating the findings, we can assure that the contracts are safe to use and that all the issues found manifest only under certain conditions and cases. Under the given circumstances we can set the following risk level:
Vidma auditing team has conducted a bunch of integrated autotests to ensure that the given codebase has decent performance and security levels. The test results and the coverage can be found in the accompanying section of this audit report.
Based on the given findings, risk level, performance, and code style, Vidma team can grant the following overall score:
Please mind that this audit does not certify the definite reliability and security level of the contracts. This document describes all vulnerabilities, typos, performance issues, and security issues found by the Vidma auditing team. If the code is still under development, we recommend running one more audit once the code is finalized.
Credit Unions, Cooperatives, and Individuals anywhere in the world can now earn higher interests in stable currencies on their savings.
Within the scope of this audit, two independent auditors deeply investigated the given codebase and analyzed the overall security and performance of smart contracts.
Vidma auditing team has made a review of the following contract:
The source code was taken from the following sources:
Initial commits submitted for the audit:
Last commits:
In order to conduct a more detailed audit, Xend Finance has provided the following documentation: https://drive.google.com/drive/folders/1ZxqTao1fuq41rnr9BbMDV4wdkxWEWL9V?usp=sharing
During the manual phase of the audit, Vidma team manually looks through the code in order to find any security issues, typos, or discrepancies with the logic of the contract.
Within the testing part, Vidma auditors run integration tests using the Truffle testing framework. The test coverage and the tests themselves are inserted into this audit report.
Vidma team uses the most sophisticated and contemporary methods and techniques to ensure the contract does not have any vulnerabilities or security risks:
For the convenience of reviewing the findings in this report, Vidma auditors classified them in accordance with the severity of the issues (from most critical to least critical). The acceptance criteria are described below.
All issues are marked as "Resolved" or "Unresolved", depending on whether they have been fixed by Xend Finance or not. The latest commit, indicated in this audit report should include all the fixes made.
To ease the explanation, the Vidma team has provided a detailed description of the issues and recommendations on how to fix them.
Hence, according to the statements above, we classified all the findings in the following way:
High | Resolved
Contract Strategy depends on the pre-deployed proxy contract crUSDT. This means that the proxy's implementation can be updated and the logic of Strategy can break as a result. In that case, xVault would not be able to withdraw funds from Strategy and return them to users.
Implement the proxy (upgradeable) pattern for Strategy so that the deployed contract can be fixed if its dependency changes.
High | Resolved
Contract xVault has a tokenBalance variable that caches the number of tokens held by the contract. It is not updated when someone sends tokens to the vault directly by calling token.transfer. In that case balanceOf and tokenBalance return different values, which can lead to miscalculations and a subtraction overflow (the transaction reverts).
Resynchronise tokenBalance with the real balance at the top of the withdrawal method.
High | Resolved
Contract xVault has a tokenBalance variable that caches the balance of tokens in the contract. It is updated whenever xVault receives or sends tokens, except in the case where the strategy withdraws less than the user actually asked to receive.
In that case tokenBalance should equal the amount actually withdrawn, but it does not. As a result, the subtraction performed after the token transfer reverts at runtime at:
Update the state of tokenBalance in the case mentioned above, using the amount actually received rather than the amount requested.
High | Resolved
Strategy contracts do not prevent the withdrawal of protected tokens from the contract. To protect them from being withdrawn, these tokens should be added to the ‘protected’ list.
Call setProtectedToken in the BaseStrategy constructor so the core tokens are protected from deployment onward.
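The pattern recommended above, written out as an added illustration (this is not Xend Finance's BaseStrategy; contract and function names such as `BaseStrategyExample`, `_setProtectedToken`, `sweep` and `receiptToken` are assumptions). The strategy's core tokens are registered as protected in the constructor, and the rescue function refuses to move any of them:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative base strategy (assumed names, not the audited code): tokens the
/// strategy must never give away are registered at construction, so the rescue
/// function below cannot be used to drain them.
abstract contract BaseStrategyExample {
    address public immutable governance;
    address public immutable want;            // vault token managed by the strategy
    mapping(address => bool) public protected;

    constructor(address _governance, address _want) {
        governance = _governance;
        want = _want;
        // Register the core token here rather than in a separate setup call that
        // could be forgotten or executed late, leaving a window where sweep works.
        _setProtectedToken(_want);
    }

    function _setProtectedToken(address token) internal {
        protected[token] = true;
    }

    /// Rescue of tokens sent to the strategy by mistake. Refuses protected ones.
    function sweep(address token) external {
        require(msg.sender == governance, "not governance");
        require(!protected[token], "protected token");
        uint256 bal = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transfer(governance, bal), "transfer failed");
    }
}

/// Concrete strategy that additionally protects the yield-bearing receipt token
/// (assumed name `receiptToken`) it holds on behalf of the vault.
contract LendingStrategyExample is BaseStrategyExample {
    address public immutable receiptToken;

    constructor(address _governance, address _want, address _receiptToken)
        BaseStrategyExample(_governance, _want)
    {
        receiptToken = _receiptToken;
        _setProtectedToken(_receiptToken);
    }
}
```

The check worth keeping in mind when reviewing such code: every token that represents user funds (the vault token and any receipt or LP token obtained by depositing it) must be in the protected set before the first external call that could invoke the sweep path.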
High | Resolved
Contract xVault withdraws tokens from Strategy if it does not hold enough to pay users. The withdrawal from the strategy calculates the loss on the investment. After all withdrawals there is a check that totalLoss is below the allowed limit. But in the case where the tokens held after the withdrawal are still not enough, the loss check is never reached, which may lead to an unexpected loss for the user.
Move the loss check to immediately before the actual transfer, and move the totalLoss variable to the top level of the function scope so it is visible on every path.
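The three xVault withdrawal findings above (tokenBalance drifting from balanceOf after a direct token.transfer, tokenBalance not reflecting a partial strategy withdrawal, and the loss check being skipped) are all fixed in the same function, so one added example covers them. This is illustrative code, not Xend Finance's xVault: the contract names, the `(freed, loss)` return shape of `IStrategy.withdraw`, the 1% `MAX_LOSS_BPS` limit and the `MockStrategy` test double are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Assumed strategy interface: frees up to `amount` of the vault token back to
/// the vault and reports the loss it realised doing so.
interface IStrategy {
    function withdraw(uint256 amount) external returns (uint256 freed, uint256 loss);
}

/// Illustrative vault (not Xend Finance's xVault) with the hardened withdraw path.
contract VaultWithdrawExample {
    IERC20 public immutable token;
    address public immutable owner;
    IStrategy public strategy;
    uint256 public tokenBalance;                 // cached balance, the report's variable
    uint256 public constant MAX_LOSS_BPS = 100;  // assumed: at most 1% loss per withdrawal
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function setStrategy(IStrategy _strategy) external {
        require(msg.sender == owner, "not owner");
        strategy = _strategy;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
        tokenBalance += amount;
    }

    function withdraw(uint256 amount) external returns (uint256 paid) {
        require(balances[msg.sender] >= amount, "insufficient balance");

        // Fix 1: resync the cache before doing arithmetic on it. Tokens pushed in
        // with a plain token.transfer never touch tokenBalance, so the cache and
        // balanceOf drift apart and a later subtraction can underflow.
        tokenBalance = token.balanceOf(address(this));

        // Fix 3: totalLoss is declared at function scope so the check below runs
        // on every path, not only inside the strategy branch.
        uint256 totalLoss;

        if (tokenBalance < amount) {
            uint256 needed = amount - tokenBalance;
            uint256 before = token.balanceOf(address(this));
            (, uint256 reportedLoss) = strategy.withdraw(needed);
            uint256 freed = token.balanceOf(address(this)) - before;

            // Fix 2: credit what actually arrived, not what was requested.
            tokenBalance += freed;

            // Prefer the measured shortfall over the strategy's self-reported loss.
            uint256 shortfall = needed > freed ? needed - freed : 0;
            totalLoss = shortfall > reportedLoss ? shortfall : reportedLoss;
        }

        // Fix 3: the loss check sits right before the transfer, so a partial
        // strategy withdrawal cannot skip it.
        require(totalLoss <= (amount * MAX_LOSS_BPS) / 10_000, "loss exceeds limit");

        // The full claim is burned and the loss is borne by the withdrawing user.
        balances[msg.sender] -= amount;
        paid = amount - totalLoss;
        tokenBalance -= paid; // paid <= tokenBalance holds by construction above
        require(token.transfer(msg.sender, paid), "transfer failed");
    }
}

/// Constructed test double: holds vault tokens and frees a configurable
/// fraction less than requested so the partial-withdrawal path is exercised.
contract MockStrategy is IStrategy {
    IERC20 public immutable token;
    address public immutable vault;
    uint256 public immutable shortfallBps; // e.g. 50 = frees 0.5% less than asked

    constructor(IERC20 _token, address _vault, uint256 _shortfallBps) {
        token = _token;
        vault = _vault;
        shortfallBps = _shortfallBps;
    }

    function withdraw(uint256 amount) external override returns (uint256 freed, uint256 loss) {
        require(msg.sender == vault, "only vault");
        loss = (amount * shortfallBps) / 10_000;
        freed = amount - loss;
        uint256 held = token.balanceOf(address(this));
        if (freed > held) { loss += freed - held; freed = held; }
        require(token.transfer(vault, freed), "transfer failed");
    }
}
```

To reproduce the original failure modes against this shape: deploy the vault with any ERC20, deposit, send some tokens to the vault with a bare `transfer` (the cache no longer matches `balanceOf`), and fund a `MockStrategy` with `shortfallBps` above `MAX_LOSS_BPS` so that a withdrawal larger than the idle balance trips the loss check instead of paying out silently. Under Solidity 0.8 the unchecked-cache subtraction would revert with an arithmetic error; on the SafeMath-era compiler the report targets it surfaces as the "subtraction overflow" revert the findings describe.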
High | Resolved
Contracts xAAVE and xBUSD deposit their funds into the fulcrum contract. This did not happen as expected: the call failed with the error SafeERC20: low-level call failed.
Recheck the logic of the interaction between xAAVE and xBUSD and the fulcrum contracts.
High | Resolved
Contracts xAAVE and xBUSD interact with several external contracts to deposit users' funds where they earn the most and generate profit. This means the contract's own pool should grow so that users can withdraw more than they initially deposited. But this is not happening.
Recheck the profit calculation logic and the interaction with the aave, fulcrum, and fortube contracts.
In the xUSDT contract, in some cases ‘pool’ can be less than totalDepositedAmount, which leads to a subtraction overflow and a reverted transaction. Test cases:
To verify the contract security and performance a bunch of integration tests were made using the Truffle testing framework.
Tests were based on the functionality of the code, business logic, and requirements, with the purpose of finding vulnerabilities in the contracts.
In this section, we provide tests written by Vidma auditors.
Vidma Coverage – 96.82%
Industry Standard – 95%
It's important to note that Vidma auditors do not modify, edit or add tests to the existing tests provided in the Xend Finance repo. We write totally separate tests with code coverage of a minimum of 95%, to meet the industry standards.
We are delighted to have a chance to work together with Xend Finance team and contribute to their success by reviewing and certifying the security of the smart contracts.
The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them.