Minterest Security Update: Successful Security Audit for USDY Token Market by PeckShield

Minterest has successfully completed a security audit for the USDY contract, conducted by PeckShield, delivered on August 4, 2024. PeckShield is a leading cybersecurity firm specialising in blockchain technology and smart contract auditing. This audit is part of our ongoing commitment to ensure the security and integrity of our platform. Below, you will find a summary of the findings, recommendations, and resolutions.

Audit Overview

Coverage of Audit

This audit covers the MUSDY market support, i.e., the MUSDYToken contract, focusing on ensuring contract security, efficiency, and robustness against potential vulnerabilities. The investigation also includes holistic auditing coverage across all Minterest token markets on supported chains (Ethereum, Mantle Network, Taiko) by examining the related contracts required to support the MUSDYToken market, including MToken, MEther and Supervisor. 

MToken Contract Audit

The MToken contract, covered in the audit, is the parent smart contract to the MUSDYToken.sol contract. This base contract is integral to the majority of the other token markets, including: 

  • Mantle Network: USDT, USDC, mETH, and WETH
  • Taiko: TAIKO and USDC
  • Ethereum: USDC, USDT, and WBTC 

MEther Contract Audit

The MEther.sol contract, covered in the audit, is specifically used for native tokens on chains that can be wrapped into ERC20 token standards and then unwrapped back. This includes the following token markets:

  • Mantle Network: MNT/WMNT
  • Ethereum: ETH/WETH

PeckShield’s Audit Approach

PeckShield’s audit process is thorough, starting with automated scans for common vulnerabilities, followed by an in-depth manual review to identify more complex issues. Their methodology includes cross-comparison with industry standards and testing against a wide range of attack vectors. Findings are ranked from critical to informational, with the final result reflecting the overall security status of the contract.

Audit Findings

The following are the key findings from PeckShield’s audit of the USDY contract:

Audit Summary

The PeckShield team performed a thorough analysis of the MUSDY market implementation within the Minterest protocol. The audit process involved both automated and manual reviews of the smart contract code, examining the business logic, system operations, and potential vulnerabilities. The findings are categorised based on their severity:

  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 2
  • Informational: 0
  • Total: 3

Key Findings and Resolutions

1. Possible Precision Issue in Token::redeemFresh()/autoLiquidationSeize()
Severity: Medium
Description: A precision issue in the redeem logic could lead to small numerical errors, potentially exploited under certain conditions.
Recommendation: Revise the routine to prevent precision loss and ensure markets are never empty by minting small MToken balances at market creation.
Status: Resolved. The team ensures that all new markets start with a zero utilisation factor and provides an initial supply that will not be redeemed.

2. Inconsistent Non-Reentrancy Enforcement in Supervisor
Severity: Low
Description: Inconsistent use of the nonReentrant modifier in the Supervisor contract’s routines could lead to reentrancy issues.
Recommendation: Add the nonReentrant modifier to the beforeLend() implementation for consistency.
Status: Resolved. This issue was fixed in commit d57385c2.

3. Improved Ether Transfer with Necessary Reentrancy Guard
Severity: Low
Description: The use of the transfer() routine in MEther could lead to gas limit issues due to EIP-1884, and it is recommended to use call() instead.
Recommendation: Transfer ETH using call() to avoid potential gas limit issues and improve security.
Status: Resolved. The team has confirmed that the current implementations will remain until new requirements arise, prioritising user experience and preventing potential reentrancy attacks.
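
The two Ether transfer styles named in finding 3, side by side, as an added example that is not taken from the audit report or from Minterest's code. The contract EtherPayoutExample and its functions are hypothetical, and the inline guard is a minimal stand-in for a library nonReentrant modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration only; this is not the MEther contract.
contract EtherPayoutExample {
    mapping(address => uint256) public balances;

    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    // Minimal guard: reverts if a guarded function is entered again
    // while an earlier guarded call is still executing.
    modifier nonReentrant() {
        require(status != ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Style flagged in the finding: transfer() forwards a fixed 2300-gas stipend.
    // After the EIP-1884 opcode repricing, a recipient whose receive() needs more
    // than 2300 gas (for example, one that reads storage) makes this revert.
    function withdrawWithTransfer(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    // Recommended style: call() forwards the remaining gas, so the recipient can
    // run arbitrary code. The balance is updated before the external call and
    // the guard blocks re-entry, which is why the finding pairs the two.
    function withdrawWithCall(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```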

Next Steps

We have addressed all key issues identified in the audit, and the resolutions described above have been implemented to enhance the overall security and robustness of our platform.

Thank you for your patience and continued support. For any questions or further information, please contact the mods on Discord/Telegram or send an email to nextlevel@minterest.com.

05 August 2024