Vidma team has conducted a smart contract audit for the given codebase.
The contracts are in good condition. Based on the fixes provided by the Xend Finance team and on the quality and security of the codebase provided, Vidma team can give a score of 97.60 to the audited smart contracts.
During the auditing process, the Vidma team has found 1 critical issue, 2 issues with a medium level of severity, 2 issues with a low level of severity, a couple of informational issues.
Evaluating the findings, we can assure that the contract is safe to use and all the issues found are performed only by certain conditions and cases. Under the given circumstances we can set the following risk level:
Vidma auditors are evaluating the initial commit given for the scope of the audit and the last commit with the fixes. Hence, it helps to adequately evaluate the development quality. Code style, optimization of the contracts, amount, and risk level of the issues are taken into consideration. The Vidma team has developed the transparent scoring system presented below.
Based on the given findings, risk level, performance, and code style, Vidma team can grant the following overall score:
Vidma auditing team has conducted a bunch of integrated autotests to ensure that the given codebase has decent performance and security levels. The test results and the coverage can be found in the accompanying section of this audit report.
Please mind that this audit does not certify the definite reliability and security level of the contract. This document describes all vulnerabilities, typos, performance issues, and security issues found by Vidma auditing team. If the code is under development, we recommend run one more audit once the code is finalized.
Credit Unions, Cooperatives, and Individuals anywhere in the world can now earn higher interests in stable currencies on their savings.
Within the scope of this audit, two independent auditors deeply investigated the given codebase and analyzed the overall security and performance of smart contracts.
The debrief took place from Jan 12th to Feb 14th, 2021 and the final results are present in this document.
Vidma auditing team has made a review of the following contracts :
The source code was taken from the following source:
https://github.com/xendfinance/x-vault
Initial commit submitted for the audit :
88df2de128b097bc89f3e2480b9c033337d901fc
Last commit:
b2d07c2b8e923601c2b92367c3bdacc673ff0331
To conduct a more detailed audit, Xend Finance has provided the following documentation:
https://drive.google.com/drive/folders/1ZxqTao1fuq41rnr9BbMDV4wdkxWEWL9V?usp=sharing
During the manual phase of the audit, Vidma team manually looks through the code in order to find any security issues, typos, or discrepancies with the logic of the contract.
Within the testing part, Vidma auditors run integration tests using the Truffle testing framework. The test coverage and the tests themselves are inserted into this audit report.
Vidma team uses the most sophisticated and contemporary methods and techniques to ensure the contract does not have any vulnerabilities or security risks:
For the convenience of reviewing the findings in this report, Vidma auditors classified them in accordance with the severity of the issues. (from most critical to least critical). The acceptance criteria are described below.
All issues are marked as "Resolved" or "Unresolved", depending on whether they have been fixed by Xend Finance or not. The latest commit, indicated in this audit report should include all the fixes made.
To ease the explanation, the Vidma team has provided a detailed description of the issues and recommendations on how to fix them.
Hence, according to the statements above, we classified all the findings in the following way:
Critical | Resolved
When testing the setEmergencyExit() function, the withdraw() function is called from the alpacaFarm contract, which checks the caller in the require
To satisfy this condition, it is logical that you first need to call the deposit() function from the same contract. However, for correct work, the caller should be a strategy, not just a call from the user directly. The contract does not find a call for this function.
Add the deposit() function in the strategy.
Medium | Resolved
As the AlpacaStrategy contract should be upgradable by Proxy pattern it is required to not use initial values in field declarations in such cases.
Consider moving initialization of variables minAlpacaToSell and forceMigrate into the initialize() function. Also, as a recommendation, you can avoid directly initializing forceMigrate with false value as by default bool variables equal false.
Medium | Resolved
In the AlpacaStrategy contract there is distributeRewards() function which has no implementation.
Consider adding an implementation to the function or provide any information why AlpacaStrategy contract doesn't need this logic.
Medium | Resolved
In the AlpacaStrategy contract in function prepareMigration() there is check if migration is allowed. In the current code, there is a possibility to call prepareMigration() when the forceMigrate variable is equal to false instead of true. In this case, the prepareMigration() function will be able to call immediately after the contract deployment.
Consider fixing the condition in the prepareMigration() function.
An explanation was provided by the Xend Finance team:
“Generally, forceMigrate is false so it forces to withdraw all assets from alpaca protocol and do the migration, but when facing an issue with alpaca protocol so can't withdraw assets, then set forceMigrate true, so enables to do the migration without withdrawing assets from alpaca protocol”.
Low | Resolved
In the contract AlpacaStrategy used the function delegatedAssets() that was declared in the contract BaseStrategy without any changes.
Remove function from AlpacaStrategy contract to follow the DRY pattern.
Low | Resolved
The implementation for distributeRewards() was added to correct a previously found issue regarding the not added implementation of this function. But it is the same as the implementation in BaseStrategy contract so it makes sense to not override distributeRewards() in AlpacaStrategy but keep it only in BaseStrategy contract to follow the DRY pattern.
Remove function from AlpacaStrategy contract to follow the DRY pattern.
Informational | Resolved
Interface IAlpacaVault doesn't match with its filename which is IVault.sol. According to the style guide contract, library and interface names should also match their filenames.
Consider keeping the same name for the interface and the filename
Informational | Resolved
The layout contract elements in the BaseStrategy contract are not logically grouped.
Inside each contract, library or interface, use the following order:
Functions should be grouped according to their visibility and ordered in the following way:
Consider changing layout and functions order according to solidity style guide documentation.
Informational | Resolved
In both AlpacaStrategy and BaseStrategy contracts there is an empty constructor. As the constructor function is optional you can avoid using it in case of no implementation.
Consider removing the empty constructor.
Informational | Resolved
Requires in the functions of the BaseStrategy contract without comments.
Add comments to the requirements where needed.
Informational | Resolved
The condition in function expectedReturn() of the AlpacaStrategy contract is not provided for all possible options, it is better to include all possible options for testing.
Сhange condition (line 92) to if debt >= estimatedAssets.
Informational | Resolved
In the contract, BaseStrategy used unneeded import of interface IERC20.sol because it imports from another interface VaultAPI.sol that was also imported in this contract.
Remove IERC20 from import in BaseStrategy contract.
Informational | Resolved
In the contract BaseStrategy the value of the variable maxReportDelay is assigned. The same value is assigned in the contract AlpacaStrategy.
Remove reassigning a value to a variable from AlpacaStrategy contract to follow the DRY pattern.
Informational | Resolved
In the contract AlpacaStrategy used unneeded imports of SafeERC20 for IERC20, SafeMath for uint256, because it is importing in the BaseStrategy contract.
Remove SafeERC20 and SafeMath (lines 11, 13) from AlpacaStrategy contract to follow the DRY pattern.
To verify the contract security and performance a bunch of integration tests were made using the Truffle testing framework.
Tests were based on the functionality of the code, business logic, and requirements and for the purpose of finding the vulnerabilities in the contacts.
In this section, we provide tests written by Vidma auditors.
Vidma Coverage – 95%
Industry Standard – 95%
It’s important to note that Vidma auditors do not modify, edit or add tests to the existing tests provided in the Xend Finance repo. We write totally separate tests with code coverage of a minimum of 95%, to meet the industry standards.
We are delighted to have a chance to work together with Xend Finance team and contribute to their success by reviewing and certifying the security of the smart contracts.
The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.