Venus Prime - Krace's results

Low Risk

Non-Critical

Low Risk

[L-01] The accrueTokens can be abused to reduce the cumulative number of tokens

accrueTokens is used to accumulate the amount of tokens across the block, and it is a public function that could be invoked by anyone. However, if the balance of this is less than the accumulated value of the token during the period, the token can only obtain the difference between this balance and the previously accumulated value. Therefore, a malicious attacker can call this function before the contract has sufficient balance, preventing the token from obtaining the expected accumulated value.

    uint256 balanceDiff = balance - tokenAmountAccrued[token_];
    if (distributionSpeed > 0 && balanceDiff > 0) {
        uint256 accruedSinceUpdate = deltaBlocks * distributionSpeed;
        uint256 tokenAccrued = (balanceDiff <= accruedSinceUpdate ? balanceDiff : accruedSinceUpdate);

[L-02] Dos in accrueTokens if owner wrongly sweepToken

Function sweepToken allows the owner to sweep any tokens from this contract, including the initialzed tokens.

    function sweepToken(IERC20Upgradeable token_, address to_, uint256 amount_) external onlyOwner {
        uint256 balance = token_.balanceOf(address(this));
        if (amount_ > balance) {
            revert InsufficientBalance(amount_, balance);
        }

        emit SweepToken(address(token_), to_, amount_);

        token_.safeTransfer(to_, amount_);
    }

If the owner accidentally sweeps some of the accumulated tokens, the accrueToken function might encounter an underflow when calculating the accumulated tokens because the balance at that moment may not be sufficient to cover the originally accumulated tokens. This could lead to temporary denial of service.

    uint256 distributionSpeed = tokenDistributionSpeeds[token_];
    uint256 balance = IERC20Upgradeable(token_).balanceOf(address(this));
//@audit If balance of this is less than the tokenAmountAccrued due to `sweepToken`, underflow occurs
    uint256 balanceDiff = balance - tokenAmountAccrued[token_];

[L-03] Underflow in _calculateScore

If the decimal of vToken is larger than 18, then _calculateScore will always underflow.

    function _calculateScore(address market, address user) internal returns (uint256) {
        uint256 xvsBalanceForScore = _xvsBalanceForScore(_xvsBalanceOfUser(user));

        IVToken vToken = IVToken(market);
        uint256 borrow = vToken.borrowBalanceStored(user);
        uint256 exchangeRate = vToken.exchangeRateStored();
        uint256 balanceOfAccount = vToken.balanceOf(user);
        uint256 supply = (exchangeRate * balanceOfAccount) / EXP_SCALE;

        address xvsToken = IXVSVault(xvsVault).xvsAddress();
        oracle.updateAssetPrice(xvsToken);
        oracle.updatePrice(market);

        (uint256 capital, , ) = _capitalForScore(xvsBalanceForScore, borrow, supply, market);
        //@audit if vTOken.decimals() is less than 18, underflow occurs
        capital = capital * (10 ** (18 - vToken.decimals()));

        return Scores.calculateScore(xvsBalanceForScore, capital, alphaNumerator, alphaDenominator);
    }

Non-critical

[NC-01] Functions should be a modifier

• PrimeLiquidityProvider.sol ( #L332 , #L344 ):

These two functions should be changed to a modifier.

    function _ensureTokenInitialized(address token_) internal view {
        uint256 lastBlockAccrued = lastAccruedBlock[token_];

        if (lastBlockAccrued == 0) {
            revert TokenNotInitialized(token_);
        }
    }

    function _ensureZeroAddress(address address_) internal pure {
        if (address_ == address(0)) {
            revert InvalidArguments();
        }
    }