Minterest Announces the Successful Completion of its Hacken Security Audit

Shortly after successfully completing our first smart contract security audit carried out by Trail of Bits, Minterest is delighted to announce the completion of a second security audit by Hacken, a leading security consulting company that focuses on blockchain security.

The full audit report is now public and available on our website.

Why Security Matters

When deciding to place your funds in a DeFi protocol, or for that matter, when making any transaction that involves handing your money to an institution or third party, the security and safety of those funds is one of the most important considerations. As the total value locked (TVL) within the DeFi sector climbs to all-time highs – with the latest peak surpassing $240 billion – the risk of exploitation is an increasing concern for DeFi protocols. In particular, code exploits are a common attack vector, so smart contract security is front of mind for any DeFi protocol. The industry has significantly stepped up measures to protect funds by employing more rigorous external and internal code audits and overall platform security processes.

Minterest views security as its top priority, which is why we have hired several top-level security companies to review our entire development process. We commissioned Trail of Bits and Hacken to ensure that our code meets the most stringent standards of code security.

What’s Inside the Hacken Report?

The smart contract security audit was performed using several methodologies, namely:

  • Architecture Review
  • Functional Testing
  • Computer-Aided Verification
  • Manual Review

Minterest scored a 10 out of 10 for both documentation and architecture quality. In the initial audit, security engineers found 2 high, 4 medium, and 4 low severity issues. These issues were quickly resolved by the team during the second audit. The security score after the second audit was 10 out of 10.

Here is a breakdown of the issues found by the Hacken team across four severity levels.

Critical

Security engineers found no critical issues whatsoever.

High

Insufficient vesting balance – The audit showed that the “Vesting.sol” contract validated only that there were enough tokens for each individual vesting record. There was no check that the contract balance was sufficient to fulfil all vesting records together, so the contract did not guarantee that every user would receive their funds.

Status: Fixed
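The following is an added illustration of the aggregate-balance check that closes this class of issue; it is hypothetical example code, not Minterest's Vesting.sol, and the contract name, the record layout and the minimal token interface are assumptions. It keeps the per-record check the report describes beside the hardened one so the difference is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative cliff-vesting contract (hypothetical, not Minterest's Vesting.sol).
contract VestingExample {
    struct Record { uint256 amount; uint64 unlockAt; bool claimed; }

    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => Record) public records;
    /// Tokens promised but not yet paid out, summed over every record.
    uint256 public totalCommitted;

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    /// The per-record check the finding calls insufficient: three records of 100
    /// tokens each pass against a balance of 100, and two beneficiaries go unpaid.
    function _coversSingle(uint256 amount) internal view returns (bool) {
        return token.balanceOf(address(this)) >= amount;
    }

    /// Hardened check: the new record must fit alongside everything already promised.
    function _coversAll(uint256 amount) internal view returns (bool) {
        return token.balanceOf(address(this)) >= totalCommitted + amount;
    }

    function addVesting(address to, uint256 amount, uint64 unlockAt) external onlyOwner {
        require(records[to].amount == 0, "already vesting");
        require(_coversAll(amount), "balance cannot fund all vestings");
        records[to] = Record(amount, unlockAt, false);
        totalCommitted += amount;
    }

    function release() external {
        Record storage r = records[msg.sender];
        require(r.amount > 0 && !r.claimed, "nothing to release");
        require(block.timestamp >= r.unlockAt, "still locked");
        r.claimed = true;
        totalCommitted -= r.amount;  // the promise is now honoured, free the reservation
        require(token.transfer(msg.sender, r.amount), "transfer failed");
    }
}
```

Because `totalCommitted` only falls when a record is actually paid, the invariant `balance >= totalCommitted` holds after every `addVesting`, which is exactly the guarantee the original per-record check could not give.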

Unrestricted function access – The function “updateBorrowIndexesHistory” from the “EmmisionBooster.sol” contract could be called by anyone, which could lead to an undesired contract state.

Status: Fixed

Medium

Missing events emitting – “MemberAdded” events from the “Whitelist.sol” contract were not emitted in the constructor when new addresses were whitelisted. If there was some off-chain logic that depended on the “MemberAdded” event, it could have worked incorrectly.

Status: Fixed

Redundant modifiers – The contract “MToken.sol” has redundant “nonReentrant” modifiers. Where a function performs no external calls, the “nonReentrant” modifier is redundant.

Status: Acknowledged

TODO notices – The code contained a lot of ‘TODO’ notices. This could indicate that the code was not finalised.

Status: Fixed

Costly loops – The code in the contract “EmmisionBooster.sol” did not allow emission boost to be enabled for different markets in batches; everything was processed in a single call. The function could fail if the number of markets returned by “supervisor.getAllMarkets()” was large enough.

Status: Mitigated
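As an added illustration of the batching mitigation for this finding (and of the caller restriction relevant to the “unrestricted function access” finding above), the contract below is hypothetical example code, not Minterest's EmmisionBooster.sol; the contract name, the `ISupervisor` interface and the `boostEnabled` state are assumptions. It places the unbounded loop next to a cursor-based batch so the gas problem and its fix can be compared directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface ISupervisor {
    function getAllMarkets() external view returns (address[] memory);
}

/// Illustrative batching pattern (hypothetical, not Minterest's EmmisionBooster.sol).
contract BoostEnablerExample {
    ISupervisor public immutable supervisor;
    address public immutable owner;
    mapping(address => bool) public boostEnabled;
    /// Cursor into supervisor.getAllMarkets(): lets the work resume across transactions.
    uint256 public nextMarketIndex;

    event BoostEnabled(address indexed market);

    constructor(ISupervisor _supervisor) { supervisor = _supervisor; owner = msg.sender; }

    /// Restricting the caller is the fix for the "unrestricted function access" class of issue.
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    /// Unbounded version: gas grows with the market count, so once the list is large
    /// enough the call exceeds the block gas limit and the function can never succeed.
    function enableAllAtOnce() external onlyOwner {
        address[] memory markets = supervisor.getAllMarkets();
        for (uint256 i = 0; i < markets.length; i++) _enable(markets[i]);
    }

    /// Batched version: handle at most maxCount markets per call and remember where
    /// to continue. Returns true once every market has been processed. (Copying the
    /// array is still O(n); a stricter design takes the batch of addresses as input.)
    function enableBatch(uint256 maxCount) external onlyOwner returns (bool done) {
        address[] memory markets = supervisor.getAllMarkets();
        uint256 end = nextMarketIndex + maxCount;
        if (end > markets.length) end = markets.length;
        for (uint256 i = nextMarketIndex; i < end; i++) _enable(markets[i]);
        nextMarketIndex = end;
        return end == markets.length;
    }

    function _enable(address market) internal {
        if (!boostEnabled[market]) {
            boostEnabled[market] = true;
            emit BoostEnabled(market);
        }
    }
}
```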

Low

The contract can be declared as abstract – The contract “SupervisorV1Storage.sol” contained functions that are meant to be implemented by inheriting contracts, and it was never used on its own.

Status: Fixed

Misleading naming – The function name “redeemAllowedInternal” in the contract “Supervisor.sol” suggests that it redeems something. However, it is a simple view function used for validation purposes.

Status: Fixed

Redundant addition – Adding 30 seconds to the current timestamp in the functions “swapTokensForExactTokens” and “swapExactTokensForTokens” in the contract “DeadDrop.sol” is redundant, because the swap is performed during the same call and using “block.timestamp” as the deadline is enough.

Summary

Minterest cares about security. After passing the second security audit with no issues, we are pleased to be delivering a fully operational platform that you can trust to securely hold your funds.


About Minterest

Minterest is a unique borrowing/lending protocol built by industry leaders to service the billions in Total Value Locked (TVL) in DeFi lending projects, with the specific aim of putting user benefits at its core. It provides users with a decentralised financial platform that is fair and inclusive.

The Minterest protocol has the world’s first buyback mechanism, which automatically passes on surpluses to participating platform users. This way, users get protocol rewards on top of industry leading borrowing/lending rates, creating the potential for the highest long-term yields in DeFi. The protocol also has an on-chain treasury which captures and passes on liquidation surpluses to users.

3 May 2022