DESCRIPTION
WEN Protocol is a decentralized, censorship-resistant, community-owned protocol that lets users take out loans using Liquid Staking Derivatives (LSDs) as collateral. These loans carry minimal fees and provide up to 7x leverage, with repayments made in wenUSD. The Wen Protocol codebase is derived from Liquity, retaining its features while also supporting multiple LSDs as collateral. In addition, the protocol introduces a staking module in which users deposit esWen to receive rewards.
The core contracts covered in this audit include all of the source code except the test code. The iterative audit covers the code in the initial version as well as the subsequent versions that fix the discovered issues, as detailed in our audit report. Note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues, coupled with gas and code quality optimization recommendations. In summary, we found that the codebase contains several high-severity issues that require prompt attention. We also identified other non-critical issues and security suggestions that should be considered. The Wen Protocol team addressed these issues promptly. Our audit covers only the final reported versions of the codebase; any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we found 18 potential issues in the smart contracts. We also have 2 recommendations and 1 note, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | High | Incorrect Calculation of Staking Rewards in esWenstaking | DeFi Security | Fixed |
2 | Medium | Front-Running of Reward Distribution in submit() | DeFi Security | Confirmed |
3 | Medium | Improper Check of Input in setRewardEndTime() | DeFi Security | Fixed |
4 | Medium | Precision Loss of Rewards in claim() | DeFi Security | Fixed |
5 | High | Transferable esWen Token | DeFi Security | Fixed |
6 | High | Incapable Collateral Token within Protocol | DeFi Security | Fixed |
7 | High | Losses of Stakers in Stability Pool due to Flash Loan Liquidation | DeFi Security | Fixed |
8 | High | Incorrect Update of System Variable lastCollateralError_Offset | DeFi Security | Fixed |
9 | Medium | Timely Redistribution of Liquidated Collateral and Debt among Troves | DeFi Security | Confirmed |
10 | Medium | Potential Centralization Issues | DeFi Security | Confirmed |
11 | Medium | The Last Trove with Bad Debt can Influence the TCR | DeFi Security | Fixed |
12 | Medium | Potential Revert in Batch Liquidation of Troves | DeFi Security | Fixed |
13 | Medium | Incorrect Rounding Direction in shareBurnt() | DeFi Security | Confirmed |
14 | Medium | Lack of Check in Function setMaxSystemDebt() | DeFi Security | Fixed |
15 | Low | Conflicts of Updating rewardEndTime During Initialization of LPStakingPool | DeFi Security | Confirmed |
16 | High | Inappropriate Parameter Settings in initLockSettings | DeFi Security | Fixed |
17 | Medium | Lack of Check in Function setMCR() | DeFi Security | Fixed |
18 | High | Incorrect Calculation of Debt Interest | DeFi Security | Fixed |
19 | - | Incorrect Function Name | Recommendation | Fixed |
20 | - | Inconsistency between Implementation and Comments | Recommendation | Fixed |
21 | - | Contract Supports Multiple Collateral Assets and Relies on Timely Updates from the Price Oracle | Note | Confirmed |
More details are provided in the audit report.