DESCRIPTION
Radiant V2 is a cross-chain DeFi lending protocol developed by Radiant Capital. Radiant Capital has engaged us to perform security testing (as the red team) on the smart contracts of Radiant V2 to identify potential risks. Demonstrating their commitment to security, Radiant Capital has invested additional effort into safeguarding these smart contracts, which have already undergone audits by several security firms.
We adopted a multifaceted approach that combined static analysis, dynamic analysis, and semi-automatic and manual verification to detect potential security issues. It is important to note that security testing differs from a security audit in terms of objectives and scope. Security testing specifically seeks to uncover vulnerabilities by simulating attacker behavior to breach the system, whereas a security audit provides a more comprehensive assessment of security by systematically identifying possible attack vectors. Consequently, because of time and resource constraints, security testing may not reveal some complex logical bugs that a security audit could identify.
In conclusion, our findings reveal several high-risk issues within the codebase that demand immediate resolution. We have also pinpointed other less critical concerns and provided security enhancement recommendations. The Radiant team has swiftly addressed the issues we discovered. It is crucial to recognize that our evaluation pertains solely to the final reported versions of the codebase. Any changes made after our review would necessitate a new assessment.
KEY FINDINGS
In total, we find 17 potential issues in the smart contract. We also have 3 recommendations and 1 note, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | Medium | No Reserved Interface for Resetting Function Pointers | Software Security | Fixed |
2 | Medium | Improper Calculation of the Oracle | DeFi Security | Fixed |
3 | High | Potential Drain of Funds through BaseBounty | DeFi Security | Fixed |
4 | Low | Potential Invalid Emission Schedules | DeFi Security | Fixed |
5 | Low | Skippable Emission schedules | DeFi Security | Confirmed |
6 | Medium | Changeable Exchange Rate during Migration | DeFi Security | Fixed |
7 | High | Improper Implementation of _transfer() (I) | DeFi Security | Fixed |
8 | Low | Lack of Check on Period in UniV2TwapOracle | DeFi Security | Fixed |
9 | Medium | Non-Refundable Dust Tokens | DeFi Security | Fixed |
10 | Medium | Improper Implementation of _transfer() (II) | DeFi Security | Fixed |
11 | Medium | Manipulatable Compound Rewards | DeFi Security | Fixed |
12 | Medium | Lack of Access Control in setLeverager() | DeFi Security | Fixed |
13 | Medium | No Slippage Check in addLiquidityWETHOnly() | DeFi Security | Confirmed |
14 | Low | Lack of Check of borrowRatio in loopETH() | DeFi Security | Fixed |
15 | Low | Lack of Check of Length between assets and poolIDs in setPoolIDs() | DeFi Security | Fixed |
16 | Low | Lack of mint Privilege Revoke in addBountyContract() | DeFi Security | Confirmed |
17 | Low | Minters Can Only be Assigned Once | DeFi Security | Confirmed |
18 | - | Gas Optimization (zapVestingToLp() in Mfd) | Recommendation | Fixed |
19 | - | Non-empty Bounty Reserve in BountyManager | Recommendation | Fixed |
20 | - | Inconsistent Naming in requiredUsdValue() | Recommendation | Confirmed |
21 | - | Depreciated MFDPlus | Note | Confirmed |
More details are provided in the audit report.