Moonwell - K42's results

Advanced Analysis Report for Moonwell by K42

Overview

• Moonwell is a decentralized finance protocol that has recently undergone significant changes in its V2 update. The changes include updates to the Comptroller contract, the introduction of a Multi-Reward Distributor, and various other updates to the Compound v2 codebase.

Understanding the Ecosystem:

• Moonwell operates within the DeFi ecosystem, interacting with various other protocols and assets. The protocol allows users to earn interest on their assets and borrow against them. The recent updates have introduced the ability to earn multiple rewards, enhancing the earning potential for users.

Codebase Quality Analysis:

• The Moonwell codebase appears to be well-structured and organized. The contracts are clearly named and their functions are well-documented. The codebase has been updated to Solidity 0.8.17, which brings several improvements and security enhancements. I also noticed, even though out of scope, the use of a new contract, ExponentialNoError, to handle potential underflow and overflow errors, which is a good practice.

Architecture Recommendations:

• The architecture of Moonwell is well-designed, with clear separation of concerns among the contracts. The introduction of the Multi-Reward Distributor is a significant improvement, as it allows the protocol to distribute multiple rewards efficiently. However, it would be beneficial to have more detailed comments in the code explaining the logic behind the calculations, especially in complex functions like updateMarketSupplyIndex.

Centralization Risks:

• The protocol has a Pause Guardian, which can pause the distribution of rewards. This introduces a degree of centralization, as the Pause Guardian has significant control over the protocol. It's important to ensure that the Pause Guardian cannot be easily manipulated or exploited.

Mechanism Review:

• The Multi-Reward Distributor is a significant upgrade, allowing users to earn rewards from multiple sources. This mechanism enhances the protocol's value proposition and could attract more users to the platform.
• The changes to the Comptroller, including the addition of new APIs and the implementation of a 'time lock' mechanism, improve the system's functionality and user experience.

Systemic Risks:

• The protocol interacts with various other protocols and assets in the DeFi ecosystem, which introduces systemic risk. If there's a vulnerability in one of these protocols or assets, it could potentially impact Moonwell. It's crucial to regularly monitor and assess the protocols and assets that Moonwell interacts with.

Areas of Concern

• The Pause Guardian introduces a degree of centralization.
• The complexity of some functions could make them difficult to understand and maintain.
• The systemic risk introduced by interactions with other protocols and assets.

Codebase Analysis

• The codebase is well-structured and organized, with clear separation of concerns among the contracts. The contracts are clearly named and their functions are well-documented. The codebase has been updated to Solidity 0.8.17, which brings several improvements and security enhancements.

Recommendations

• Add more detailed comments in the code explaining the logic behind the calculations.
• Regularly monitor and assess the protocols and assets that Moonwell interacts with to mitigate systemic risk.
• Consider implementing a decentralized governance system to reduce the centralization risk associated with the Pause Guardian.

Contract Details

• The main contracts in the Moonwell protocol are the Comptroller and the Multi-Reward Distributor. The Comptroller contract handles the core logic of the protocol, including accruing interest and updating supply and borrow indices. The Multi-Reward Distributor contract handles the distribution of multiple rewards.

My understanding of V2 Contract Changes

Comptroller Changes:

• The Comptroller has been updated to version 0.8.17 of Solidity, which brings several improvements and changes.
• The Comptroller now has a Multi-Reward Distributor, which is a new contract that handles the distribution of multiple rewards.
• The Comptroller now has a Pause Guardian, which can pause the distribution of rewards.

Other Changes to the Compound v2 codebase:

• The codebase now has a new contract, Unitroller, which is a version of the Comptroller contract that doesn't have any storage.

Multi-Reward Distributor:

• The Multi-Reward Distributor is a new contract that handles the distribution of multiple rewards.
• The Multi-Reward Distributor has a Pause Guardian, which can pause the distribution of rewards.
• The Multi-Reward Distributor has a new function, updateMarketSupplyIndex, which updates the supply index for a market.
• The Multi-Reward Distributor has a new function, disperseSupplierRewards, which disperses supply rewards to a supplier.
• The Multi-Reward Distributor has a new function, updateMarketBorrowIndex, which updates the borrow index for a market.
• The Multi-Reward Distributor has a new function, disperseBorrowerRewards, which disperses borrow rewards to a borrower.
• The Multi-Reward Distributor has a new function, sendReward, which sends a reward to a user.

Conclusion

• Moonwell's V2 update brings significant improvements to the protocol, including the ability to earn multiple rewards and more efficient interest accrual. However, there are areas of concern, including the centralization risk associated with the Pause Guardian and the complexity of some functions. With careful management and ongoing improvements, Moonwell has the potential to be a leading protocol in the DeFi space.

Time spent:

16 hours