DESCRIPTION
The target of this audit is the code repository of Lista Lending of Lista. This audit focuses on the smart contracts located in the src/ folder of the repository, excluding the following directories:
Please refer to the report for the detailed audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we did not find any critical issues within the audited codebase. However, we have identified some non-critical issues that should be addressed. Additionally, we have put forth recommendations to further strengthen the code logic, along with notes that should be taken into consideration. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we find 5 potential issues in the smart contract. We also have 3 recommendations and 4 notes, as follows:
| ID | Severity | Description | Status |
|---|---|---|---|
| 1 | Medium | Potential inflation attacks | Fixed |
| 2 | Low | Lack of validation checks in the createMarket() function | Fixed |
| 3 | Low | Bypass of the bad debt handling mechanism in the liquidate() function | Fixed |
| 4 | Low | Potential replay attacks due to the chain hard fork | Confirmed |
| 5 | Low | Potential DoS risk in the reallocate() function | Confirmed |
| 6 | - | Remove the improperly used and unused code | Confirmed |
| 7 | - | Revise the method used for the transfer of native tokens | Confirmed |
| 8 | - | Unify the use of the _updateLastTotalAssets() function for updating the variable lastTotalAssets | Confirmed |
| 9 | - | Potential centralization risks | - |
| 10 | - | Return value of the functions maxDeposit()/maxMint() | - |
| 11 | - | Potential griefing risk | - |
| 12 | - | MoolahVault’s assets may be redistributed through flash loans | - |
More details are provided in the audit report.