Introduction
We express our gratitude to the Rebalance team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
The Rebalance Lending System is a set of smart contracts designed for managing and generating yield on assets deposited by users. It provides a vault-like structure where users can deposit assets, receive tokenized shares representing their stake, and earn interest from various yield-generating providers.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Rebalance |
| Audited By | Kaan Caglan |
| Approved By | Ataberk Yavuzer |
| Website | https://www.rebalance.finance/→ |
| Changelog | 25/06/2024 - Preliminary Report |
| 27/06/2024 - Final Report | |
| Platform | EVM |
| Language | Solidity |
| Tags | Lending, ERC20 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Rebalance
- Audited By
- Kaan Caglan
- Approved By
- Ataberk Yavuzer
- Changelog
- 25/06/2024 - Preliminary Report
- 27/06/2024 - Final Report
- Platform
- EVM
- Language
- Solidity
- Tags
- Lending, ERC20
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope | |
|---|---|
| Repository | https://github.com/REBALANCE-Finance/lending-contracts→ |
| Commit | dd4033d |
Review Scope
- Commit
- dd4033d
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are missed.
Technical description is not provided.
Code quality
Some of the best practices are missing.
Test coverage
Code coverage of the project is 90.96% (branch coverage),.
Not all branches are covered with tests.
System Overview
The Rebalance Lending System is a set of smart contracts designed for managing and generating yield on assets deposited by users. It provides a vault-like structure where users can deposit assets, receive tokenized shares representing their stake, and earn interest from various yield-generating providers. The system also includes functionality for locking tokens, managing vaults, and interacting with yield providers.
Contracts
InterestVaultV1
Definition: An abstract ERC4626-compliant vault contract defining common functions and interfaces for all vault types.
Functions:
deposit,mint,withdraw,redeem: Basic ERC4626 functions for managing user deposits and withdrawals.initializeVaultShares: Initializes vault shares with a specified amount of assets.setActiveProvider,setDepositLimits,setTreasury,setWithdrawFee,setMinAmount: Admin functions for setting various parameters.rebalance: Rebalances assets across providers.
Attributes:
_asset: The main ERC20 asset managed by this vault._underlyingDecimals: Decimals of the underlying asset._providers: Array of yield providers.activeProvider: Currently active provider for yield generation.minAmount,vaultDepositLimit,userDepositLimit,withdrawFeePercent,treasury: Configuration parameters for deposits and withdrawals.initialized: Boolean indicating if the vault has been initialized.
Privileged Roles:
DEFAULT_ADMIN_ROLE: Full administrative access.REBALANCER_ROLE: Role allowed to perform rebalancing operations.
InterestLocker
Definition: A contract to lock and unlock ERC20 tokens, intended for locking rebalancer tokens.
Functions:
lockTokens: Allows users to lock tokens for a specified duration.unlockTokens: Allows users to unlock tokens after the lock duration has passed.setTokens: Admin function to set supported tokens.
Attributes:
MIN_DURATION: Minimum duration for locking tokens (30 days).nextLockId: Incremental ID for tracking locks._tokens: Array of supported tokens.lockInfo: Mapping of lock ID to lock information._beneficiaries: Mapping of lock ID to beneficiary address._totalLocked: Mapping of token address to total locked amount.
Privileged Roles:
owner: Only the contract owner can set supported tokens.
VaultManager
Definition: Manages the rebalancing of vaults.
Functions:
rebalanceVault: Rebalances assets across providers within a vault.
Privileged Roles:
DEFAULT_ADMIN_ROLE: Full administrative access.EXECUTOR_ROLE: Role allowed to execute rebalancing operations.
VaultRebalancerV1
Definition: An implementation vault that handles pooled single-sided asset lending strategies for yield generation.
Functions:
rebalance: Rebalances assets across providers.
Attributes:
Inherits attributes and functions from
InterestVaultV1.
Attributes
Tokens:
name: The name of the token-shares managed in the vault.symbol: The symbol of the token-shares managed in the vault.decimals: The number of decimals used to get user representation.totalSupply: The total supply of token-shares in the vault.balanceOf: The balance of token-shares held by a user.
Providers: Various yield-generating providers like AaveV3Arbitrum.
Functions to interact with providers include
deposit,withdraw,getDepositBalance,getDepositRateFor,getOperator, andgetProviderName.
Privileged Roles
DEFAULT_ADMIN_ROLE: Complete control over the system, including setting active providers, deposit limits, treasury, and withdrawal fees.
REBALANCER_ROLE: Authorized to perform rebalancing of assets across providers.
EXECUTOR_ROLE: Allowed to execute rebalancing operations.
Owner: In
InterestLocker, the owner can set supported tokens for locking.
This structured system ensures secure and efficient management of user deposits, yield generation through multiple providers, and controlled access for administrative tasks.
Risks
block.number means different things on different L2s.
Scope Definition and Security Guarantees: The audit does not cover all code in the repository. Contracts outside the audit scope may introduce vulnerabilities, potentially impacting the overall security due to the interconnected nature of smart contracts.
Dependency on External Logic for Implemented Logic: The implemented InterestVaultV1 logic highly depends on external contracts not covered by the audit. This reliance introduces risks if these external contracts are compromised or contain vulnerabilities, affecting the audited project's integrity.
Interactions with External DeFi Protocols: Dependence on external DeFi protocols inherits their risks and vulnerabilities. This might lead to direct financial losses if these protocols are exploited, indirectly affecting the audited project.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-3983 | Fee-on-Transfer Accounting-Related Issues | accepted | Medium | |
| F-2024-3993 | Inefficient Use of String Parameter in Internal Function | fixed | Observation | |
| F-2024-3992 | Event is not properly indexed | fixed | Observation | |
| F-2024-3991 | Unneeded initializations of uint256 and bool variable to 0/false | fixed | Observation | |
| F-2024-3990 | Avoid Using State Variables Directly in emit for Gas Efficiency | fixed | Observation | |
| F-2024-3989 | Optimization of Loop Control for Early Termination | fixed | Observation | |
| F-2024-3988 | Unused Error Definition | fixed | Observation | |
| F-2024-3987 | Custom Errors in Solidity for Gas Efficiency | fixed | Observation | |
| F-2024-3986 | Cache State Variable Array Length In For Loop | fixed | Observation | |
| F-2024-3985 | Use Ownable2Step rather than Ownable | fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/REBALANCE-Finance/lending-contracts→ |
| Commit | dd4033dad8d77595565f8fdfd510d83831bb7377 |
| Whitepaper | N/A |
| Requirements | N/A |
| Technical Requirements | N/A |
Scope Details
- Commit
- dd4033dad8d77595565f8fdfd510d83831bb7377
- Whitepaper
- N/A
- Requirements
- N/A
- Technical Requirements
- N/A