- $47,500 USDC main award pot
- $2,500 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts March 17, 2022 00:00 UTC
- Ends March 21, 2022 23:59 UTC
The scope of this audit includes the following repos, all with corresponding release tags:
- maple-labs/loan
- maple-labs/erc20
- maple-labs/mpl-migration
- maple-labs/revenue-distribution-token
- maple-labs/xmpl
These contracts include inheritance, so the scope of the audit will be expressed as the contracts at the lowest end of the hierarchy, as these are what will be deployed to mainnet. Since there are no external libraries used, all of the code that these flattened contracts use is in scope for audit (except for loan, which will be expressed as a diff between releases).
This release includes an alteration of the original v2.0.0 release that includes the following changes:
- Updates fee structure to move from an upfront establishment fee to an ongoing fee that is paid on every payment.
- Updates the refinancing capabilities to include a refinance deadline as well as the ability to reject refinance terms.
- Adds unpaid interest to the subsequent payment after a refinance.
The diff of the code can be found here, which contains all code that is in scope for the audit: https://github.com/maple-labs/loan/compare/v2.0.0...v3.0.0-beta.1
The files to be audited are:
- MapleLoan.sol
- MapleLoanInitializer.sol
- MapleLoanInternals.sol
The files to be audited are:
- ERC20.sol
The files to be audited are:
- Migrator.sol
The files to be audited are:
- RevenueDistributionToken.sol
xMPL has dependencies on:
- erc20
- revenue-distribution-token
- mpl-migration (not a direct dependency, but it is supposed to interact with Migrator.sol)
The files to be audited are:
- xMPL.sol (which includes all code from dependencies listed above)
If any clarification on scope is needed, or if there are any other questions, please comment below this issue.
- Locked funds: Ensure that there is no way for funds to get locked in the xMPL, Migrator or Loan smart contracts.
- Stolen funds: Ensure that any funds that are held in custody by contracts cannot be withdrawn maliciously.
- Invariants: Ensure that all invariants outlined in the xMPL and RDT repos are upheld.
- Accounting Exploitation: Ensure that no users can perform any actions to exploit/manipulate accounting to their favor.
- Refinancing: Ensure that the Refinancer contract cannot be used maliciously to exploit the Loan.
In all repos, all dependencies can be found in the ./modules directory. All repo READMEs include instructions on how to get the environment up and running for testing. All repos have their own unit testing suite, including verbose unit testing, fuzz testing, and invariant testing.
All technical documentation related to this release for Loan will be located in the maple-labs/loan wiki. We HIGHLY recommend reviewing this wiki before beginning the audit.
There is also a wiki for our V1 protocol if any further context is needed on how deployed V1 contracts work (Pools, StakeLocker, etc.).
It is recommended to clone our integration testing repo contract-test-suite locally in order to provide clearer context on how these contracts interact with the rest of the protocol.
It is also recommended to clone our economic simulation testing repo loan-simulations locally in order to provide clearer context on how the refinancing functionality is expected to behave from a business perspective.
In the wiki, there's a page called List of Assumptions which outlines some basic conditions/assumptions that we assume will always hold true. Therefore any issue that does not abide by these assumptions will likely be considered invalid.