DESCRIPTION
The target of this audit is the code repository of the Bitway App Chain by Bitway Labs. Note that this repository has since been rebranded and migrated to a new repository. The Bitway App Chain is an L1 blockchain that aims to unlock the value of underutilized Bitcoin. To support full Bitcoin compatibility, the Bitway App Chain is designed so that transactions can be signed with standard Bitcoin wallets. The Bitway App Chain natively integrates lending and farming services, powered by Discreet Log Contracts (DLCs). Its Bitcoin-collateralized lending system enables native Bitcoin-backed loans, integrating decentralized oracles (i.e., Oracle++), permissionless liquidity pools, and liquidations. Specifically, the Bitway App Chain implements a liquidity-pool-based lending protocol that allows Bitcoin holders to borrow while enabling lenders to earn returns. Loan assets are managed on the Bitway App Chain, removing the need for third-party custodians during the loan period. In addition to lending, the Bitway App Chain provides a farming service that rewards users for staking their coins. By participating in farming, users lock their assets and earn incentives distributed on an epoch basis.
Please refer to the report for the detailed audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains 2 high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Bitway App Chain team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 15 potential issues in the smart contract. We also have 6 recommendations and 4 notes, as follows:
| ID | Severity | Description | Status |
|---|---|---|---|
| 1 | High | Lack of distributing liquidation bonuses | Fixed |
| 2 | High | Loss of funds due to duplicate deposit transactions | Fixed |
| 3 | Medium | Prevention of loan repayments | Fixed |
| 4 | Medium | Incorrect calculation of the share price | Confirmed |
| 5 | Medium | Potential DoS due to the lack of status updates | Fixed |
| 6 | Medium | Lack of deducting the redundant protocol fee | Fixed |
| 7 | Low | Improper validation of the liquidation bonus factor | Fixed |
| 8 | Low | Lack of checks when updating the configuration PoolConfig | Fixed |
| 9 | Low | Potential DoS due to unlimited loan applications | Fixed |
| 10 | Low | Potential runtime panic due to unrestricted staking requests | Fixed |
| 11 | Low | Potential runtime panic due to the improper update of RewardPerEpoch | Fixed |
| 12 | Low | Incorrect reward estimation | Fixed |
| 13 | Low | Potential DoS in the DKG completion process | Confirmed |
| 14 | Low | Improper design of disabling the farming module | Fixed |
| 15 | Low | Lack of patching the cosmos-sdk package | Fixed |
| 16 | - | Review the incorrect formula annotation | Fixed |
| 17 | - | Revise the typos | Fixed |
| 18 | - | Add duplicate checks for Maturity when configuring the pool's tranches | Fixed |
| 19 | - | Remove redundant code | Confirmed |
| 20 | - | Refactor the fee fetching logic | Fixed |
| 21 | - | Perform proper cleanup in the function Unstake() | Confirmed |
| 22 | - | The design of the loan's Authorizations field | - |
| 23 | - | The design of liquidation and bad debt management | - |
| 24 | - | The design of price queries | - |
| 25 | - | Potential centralization risks | - |
More details are provided in the audit report.