Swaylend's Invite-Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have submitted at least 1 valid report during Fuel Attackathon event. These researchers will share a flat reward pool for every valid bug found.
Evaluating
Triaged by Immunefi
PoC required
Vault program
Mid-Contest Changelog
These are new known issues added during the audit competition.
The fixes listed below are deployed for these known issues, which will be considered out of scope. However, if a fix can be bypassed it will no longer be considered a known issues and will be brought back into scope.
- Decrease Pyth confidence interval: https://github.com/Swaylend/swaylend-monorepo/commit/9d6e0d85641d7237f340e1f5d164638478591637
- Move Pyth params outside of configurables: https://github.com/Swaylend/swaylend-monorepo/commit/4f1491b86b10121b0ffa7ca68149cf4e3c641684
- Fix is_liquitable_internal calculation, present value calculated wrongly: https://github.com/Swaylend/swaylend-monorepo/commit/2805b3e437d61a128e7e12a359217ef6efaf3deb
- Improve how the confidence interval is handled in lending protocols, use lower and upper bounds: https://github.com/Swaylend/swaylend-monorepo/commit/46f29d0ffb852747c8971280f38651ea8eee2f00
- Withdraw collateral can now also be paused: https://github.com/Swaylend/swaylend-monorepo/commit/5b1e37743d19166a8aa34b13272e2828af155971
- Use present value with interest in absorb and when check if user is liquitable: https://github.com/Swaylend/swaylend-monorepo/commit/46fca2145111df359ed3177be41c464cf592d406
- Fix conversion from USD to base asset in available_to_borrow: https://github.com/Swaylend/swaylend-monorepo/commit/a348934f6e1f621d3a4379963deb7762eacb9e93
- Log set pyth contract id event: https://github.com/Swaylend/swaylend-monorepo/commit/c8f2cb1be7635c37b3b8917721752a0eb72bdda7
- Fix available_to_borrow should return base asset amount: https://github.com/Swaylend/swaylend-monorepo/commit/ba27e5994f92ff100de3965f9664e0ce2a755365
- Add check for base_borrow_min in supply_base: https://github.com/Swaylend/swaylend-monorepo/commit/d4c2d1f78ab00624841e4644cae055439b302125
- Fix wrong check in src-20 burn function: https://github.com/Swaylend/swaylend-monorepo/commit/070de40f9092cad1f50321b7a9c63e32fbde54e6
Whitehat Educational Resources & Technical Info
Documentation can be found at: https://docs.swaylend.com/
Is this an upgrade of an existing system? If so, which? And what are the main differences?
Swaylend is the port of Compound V3 lending protocol and architecture in the Sway programming language for the Fuel Network.
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?
The lending market smart contract supports Fuel's native assets - SRC-20 tokens. Both base assets and collateral assets are SRC-20.
Where do you suspect there may be bugs? Useful aspects of this question are:
- Which parts of the code are you most concerned about?
- What attack vectors are you most concerned about?
- Which part(s) of the system do you want whitehats to attempt to break the most?
- Are there any assumed invariants that you want whitehats to attempt to break?
Swaylend is the lending protocol that offers functionalities like other lending protocols, i.e., supplying base assets (in our case, USDC) and borrowing base assets in exchange for providing collateral assets. The most critical things that should be tested are:
- Withdrawing only assets that you supplied
- Borrowing only the amount you're allowed (based on supplied collateral asset and collateral factor)
- Repaying the borrowed amount before withdrawing collateral asset
What external dependencies are there?
There is one external dependency, which is an oracle that provides up-to-date prices for the tokens. In the current version, we use the Pyth oracle network to provide this data. Pyth oracle smart contract can be found at https://github.com/pyth-network/pyth-crosschain/blob/main/target_chains/fuel/contracts/pyth-contract/src/main.sw
Where might whitehats confuse out-of-scope code to be in-scope?
There are additional smart contracts in the GitHub repository used for internal testing, but they are not within the scope. The only assets within scope are listed in the table above. External dependencies, such as the actual core implementation of the Pyth oracle, are also not in scope for this IOP.
Are there any unusual points about your protocol that may confuse whitehats?
Swaylend is a monolithic lending protocol, meaning all functionalities are encompassed in a single smart contract. The lending positions of users are directly recorded in the smart contract, with no derivative tokens minted, as seen in some other lending protocols.
Liquidations of undercollateralized positions occur through two steps: first, absorbing the collateral assets into the protocol, and then, in the next step, purchasing the collateral assets from the protocol in exchange for the market's base asset.
What is the test suite setup information?
The test suite for the smart contracts is included in the GitHub repo (https://github.com/Swaylend/swaylend-contracts/tree/main/contracts/market/tests ). Tests are written in Rust, and they should cover all functionalities of the lending protocol.
Public Disclosure of Known Issues
There are no known open issues at the moment
Previous Audits
Swaylend’s completed audit reports can be found at https://www.halborn.com/audits/swaylend .USD. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Asset Accuracy Assurance
Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.
Private Known Issues Reward Policy
Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.
Known Issue Assurance
Swaylend commits to providing Known Issue Assurance to bug submissions through their program. This means that Swaylend will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.
In a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.
Primacy of Impact vs Primacy of Rules
Swaylend adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.