Audit Report

Weather Data Economy, AI & DePIN

SOON

External Call/Return Value Check

Results of transferFrom, DEX swap and oracle calls are left unverified, and try/catch is not applied where a failure has to be handled.

State is corrupted when such a call fails.

Settlement/Accounting Logic

Rounding and ordering bugs cause “money leaks” in share/asset conversion and in deposit, withdrawal, liquidation and reward-accumulation calculations.

Precision/Rounding/Decimals

Mixed 6/8/18 decimals, wrong multiply-then-divide order, leakage or gains from dust (minimum units)
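
An added example (hypothetical contract, not code from the project or the audit) of the conversion rules that close the accounting and precision items above: normalize a 6-decimal asset to 18 decimals before doing math, multiply before dividing in one expression, round against the user on both mint and burn so dust cannot be extracted, and check every downcast into the packed uint128 fields. The asset decimals, the bootstrap rate and the 1:1 initial exchange rate are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical share ledger (added example). Amounts passed in are in the
/// asset's native 6-decimal units; all internal math is done at 18 decimals.
contract ShareLedger {
    uint8 public constant ASSET_DECIMALS = 6;        // assumption: a USDC-like asset
    uint256 private constant SCALE = 10 ** (18 - 6); // native units -> 18-decimal units

    uint128 public totalShares;     // packed storage, so every write needs a checked downcast
    uint128 public totalAssets18;   // assets held, in 18-decimal units
    mapping(address => uint128) public sharesOf;

    event Deposited(address indexed user, uint256 assets, uint256 shares);
    event Withdrawn(address indexed user, uint256 assets, uint256 shares);

    /// Multiply first, divide once: (a*b)/d. In 0.8 an overflow of a*b reverts
    /// instead of returning a wrong value.
    function _mulDivDown(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        return (a * b) / d;
    }

    /// Same, but rounded up; used whenever rounding down would favour the caller.
    function _mulDivUp(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        uint256 q = (a * b) / d;
        return (a * b) % d == 0 ? q : q + 1;
    }

    /// Silent truncation (uint128(x)) is exactly the casting bug the checklist
    /// names; the range check turns it into a revert.
    function _toUint128(uint256 x) internal pure returns (uint128) {
        require(x <= type(uint128).max, "downcast overflow");
        return uint128(x);
    }

    /// Shares minted for `assets`, rounded DOWN so a depositor never gets more
    /// than their pro-rata claim.
    function previewDeposit(uint256 assets) public view returns (uint256 shares) {
        uint256 assets18 = assets * SCALE;
        if (totalShares == 0) return assets18;   // assumption: 1:1 bootstrap at 18 decimals
        shares = _mulDivDown(assets18, totalShares, totalAssets18);
    }

    /// Shares burned to withdraw `assets`, rounded UP so a withdrawer cannot
    /// take out dust for free.
    function previewWithdraw(uint256 assets) public view returns (uint256 shares) {
        uint256 assets18 = assets * SCALE;
        shares = _mulDivUp(assets18, totalShares, totalAssets18);
    }

    function deposit(uint256 assets) external returns (uint256 shares) {
        shares = previewDeposit(assets);
        require(shares > 0, "zero shares");      // a dust deposit that mints nothing would be lost
        totalShares = _toUint128(totalShares + shares);
        totalAssets18 = _toUint128(totalAssets18 + assets * SCALE);
        sharesOf[msg.sender] = _toUint128(sharesOf[msg.sender] + shares);
        emit Deposited(msg.sender, assets, shares);
        // the token transferFrom is omitted here; see the external-call item
    }

    function withdraw(uint256 assets) external returns (uint256 shares) {
        shares = previewWithdraw(assets);
        require(sharesOf[msg.sender] >= shares, "insufficient shares");
        sharesOf[msg.sender] -= uint128(shares);  // safe: bounded by the check above
        totalShares -= uint128(shares);           // safe: sharesOf <= totalShares
        totalAssets18 -= _toUint128(assets * SCALE); // 0.8 reverts on underflow
        emit Withdrawn(msg.sender, assets, shares);
    }
}
```

The rounding direction is the part most often reversed in practice: a ledger that rounds shares up on deposit or down on withdrawal gives away one minimum unit per call, which is cheap to repeat.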

Overflow/Underflow & Type Casting

Even in Solidity 0.8+ there is no protection inside unchecked blocks, in int/uint conversion, in downcasting, or in library arithmetic

Front-running/MEV resistance

Slippage or deadline left unset, insufficient defense against price impact, and sandwich attacks on reward or minting flows.

Oracle/Price Manipulation (Price Oracle)

Single DEX spot price used, short TWAP window, unverified Chainlink staleness, lack of a fallback oracle
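
An added example (hypothetical contract, not code from the project or the audit) covering the two items above together: a price read that checks Chainlink round freshness, falls back to a second feed through try/catch, and refuses to continue when the two feeds disagree, next to a swap wrapper that requires a non-zero minimum output and a deadline instead of trusting the pool's spot price. The AggregatorV3Interface signature is Chainlink's real one; the router interface, the staleness window and the deviation threshold are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of Chainlink's AggregatorV3Interface (real signature).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical router interface (assumption, modelled on the Uniswap v2 shape).
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

contract GuardedPricing {
    AggregatorV3Interface public immutable primary;
    AggregatorV3Interface public immutable fallbackFeed;   // assumption: same decimals as primary
    IRouter public immutable router;

    uint256 public constant MAX_STALENESS = 1 hours;       // assumption: tune to the feed's heartbeat
    uint256 public constant MAX_DEVIATION_BPS = 500;       // assumption: 5% primary/fallback disagreement

    constructor(AggregatorV3Interface primary_, AggregatorV3Interface fallback_, IRouter router_) {
        primary = primary_;
        fallbackFeed = fallback_;
        router = router_;
    }

    /// Reads one feed; returns ok=false instead of reverting so the caller can
    /// fall back. A reverting feed, a non-positive answer and a stale round are
    /// all treated as "no price".
    function _read(AggregatorV3Interface feed) internal view returns (uint256 price, bool ok) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (answer <= 0) return (0, false);
            if (updatedAt == 0 || updatedAt + MAX_STALENESS < block.timestamp) return (0, false);
            return (uint256(answer), true);
        } catch {
            return (0, false);
        }
    }

    /// Primary feed with fallback; if both are fresh but disagree beyond the
    /// threshold, stop rather than pick one.
    function getPrice() public view returns (uint256) {
        (uint256 p, bool okP) = _read(primary);
        (uint256 f, bool okF) = _read(fallbackFeed);
        if (okP && okF) {
            uint256 diff = p > f ? p - f : f - p;
            require(diff * 10_000 <= p * MAX_DEVIATION_BPS, "oracle divergence");
            return p;
        }
        if (okP) return p;
        if (okF) return f;
        revert("no fresh price");
    }

    /// Swap with the two parameters a sandwich relies on being absent. `minOut`
    /// should be derived from getPrice() or an off-chain quote, never from the
    /// pool's own spot price. Assumes `amountIn` is already approved to the router.
    function swapWithProtection(uint256 amountIn, uint256 minOut, address[] calldata path, uint256 deadline)
        external
        returns (uint256 received)
    {
        require(minOut > 0, "minOut unset");              // minOut == 0 accepts any price
        require(deadline >= block.timestamp, "expired");  // a stale tx must not execute later at a worse price
        uint256[] memory amounts = router.swapExactTokensForTokens(amountIn, minOut, path, address(this), deadline);
        received = amounts[amounts.length - 1];
        require(received >= minOut, "slippage");          // verify the result; do not rely on the router
    }
}
```

The `updatedAt + MAX_STALENESS < block.timestamp` form is deliberate: `block.timestamp - updatedAt` would revert on a feed reporting a future timestamp, and a revert raised inside the `try` body is not caught by the `catch`.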

Upgradability (Proxy) Safety

Initializer/reinitialization, storage layout conflicts, implementation self-destruct/privileges, beacon/transparent mixing errors

Administrator Key/Privileged Operations (Privileged Ops)

Define and limit “trust risks” (e.g., minting, parameter changes, fund recovery) via multi-signature, time locks and limits

Emergency Pause·Recovery Scenarios

Pause scope too broad or too narrow, permanent lock when settlement is impossible during a pause, state consistency after unpause
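
An added example (hypothetical logic contract, not code from the project or the audit) that puts the upgradability, privileged-operations and pause items above into one place: a one-shot initializer that also cannot be run on the bare implementation, an append-only storage layout with a reserved gap, a fee change that must be queued behind a timelock and is capped, and a pause whose scope stops new deposits but never blocks withdrawals. The delay, the fee cap and the gap size are assumptions; in production the constructor line corresponds to OpenZeppelin's `_disableInitializers()` and `admin` would be a multisig.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical upgradeable treasury logic (added example), meant to sit
/// behind a proxy. No receive()/fallback: stray native tokens are rejected
/// rather than stuck.
contract TreasuryLogic {
    // ---- storage layout: append only, never reorder or retype between upgrades ----
    bool private _initialized;
    address public admin;
    address public feeRecipient;
    uint256 public feeBps;
    bool public depositsPaused;
    mapping(bytes32 => uint256) public queuedAt;     // timelock queue: opHash -> time it becomes executable
    mapping(address => uint256) public balanceOf;
    uint256[44] private __gap;                        // reserved slots for future variables (assumption)

    uint256 public constant TIMELOCK_DELAY = 2 days;  // assumption
    uint256 public constant MAX_FEE_BPS = 1_000;      // assumption: hard cap on a privileged parameter

    event OperationQueued(bytes32 indexed opHash, uint256 readyAt);
    event FeeUpdated(uint256 feeBps, address feeRecipient);
    event DepositsPaused(bool paused);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    /// Runs only on the implementation's own storage, never on the proxy's, so
    /// nobody can later call initialize() on the implementation and take it over.
    constructor() {
        _initialized = true;
    }

    function initialize(address admin_, address feeRecipient_) external {
        require(!_initialized, "already initialized");   // blocks re-initialization through the proxy
        require(admin_ != address(0) && feeRecipient_ != address(0), "zero address");
        _initialized = true;
        admin = admin_;
        feeRecipient = feeRecipient_;
    }

    // ---- privileged ops: two-step, time-locked, bounded ----
    function queueFeeChange(uint256 newFeeBps, address newRecipient) external onlyAdmin {
        bytes32 opHash = keccak256(abi.encode("setFee", newFeeBps, newRecipient));
        queuedAt[opHash] = block.timestamp + TIMELOCK_DELAY;
        emit OperationQueued(opHash, queuedAt[opHash]);  // users get notice before the change lands
    }

    function executeFeeChange(uint256 newFeeBps, address newRecipient) external onlyAdmin {
        bytes32 opHash = keccak256(abi.encode("setFee", newFeeBps, newRecipient));
        uint256 readyAt = queuedAt[opHash];
        require(readyAt != 0 && block.timestamp >= readyAt, "timelock");
        require(newFeeBps <= MAX_FEE_BPS, "fee cap");       // a limit, not only a gate
        require(newRecipient != address(0), "fee to 0x0");   // fees sent to 0x0 are simply burned
        delete queuedAt[opHash];
        feeBps = newFeeBps;
        feeRecipient = newRecipient;
        emit FeeUpdated(newFeeBps, newRecipient);
    }

    // ---- pause scope ----
    function setDepositsPaused(bool paused) external onlyAdmin {
        depositsPaused = paused;                 // immediate on purpose: an emergency stop cannot wait for a timelock
        emit DepositsPaused(paused);
    }

    function deposit() external payable {
        require(!depositsPaused, "deposits paused");
        balanceOf[msg.sender] += msg.value;
    }

    /// Deliberately NOT gated on the pause flag: a pause must never become a
    /// permanent lock of user funds.
    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;         // effects first; reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two checks an upgrade review should still do outside the code: diff the storage layout of the old and new implementation (the `__gap` must shrink by exactly the number of new slots), and confirm the proxy type matches how the implementation expects to be upgraded.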

Token Interaction (ERC20) Edge Cases

Fee-on-transfer, rebasing, blacklisting, non-standard ERC20 (no return value) handling, approve race
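
An added example (hypothetical library and vault, not code from the project or the audit) for the unverified-call item near the top of the checklist and the ERC20 edge cases above: a token call wrapper that reverts on a failed call, on an explicit `false`, and on a call to an address without code, while accepting tokens that return nothing at all, plus a deposit that credits the amount actually received so fee-on-transfer tokens cannot drain the vault. The contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical result-checking wrapper (added example), in the style of
/// OpenZeppelin's SafeERC20 but written out so each check is visible.
library SafeTokenOps {
    function _callChecked(address token, bytes memory data) private {
        require(token.code.length > 0, "not a contract");   // a call to an EOA "succeeds" with empty data
        (bool ok, bytes memory ret) = token.call(data);
        require(ok, "token call reverted");
        // Standard tokens return true/false; some (USDT-style) return nothing.
        require(ret.length == 0 || abi.decode(ret, (bool)), "token returned false");
    }

    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _callChecked(address(token), abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callChecked(address(token), abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }
}

/// Hypothetical vault (added example). Internal accounting tracks what arrived,
/// not what was requested. Rebasing tokens still break this model (the vault's
/// balance changes without a transfer) and should be excluded or wrapped.
contract FeeAwareVault {
    using SafeTokenOps for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;
    uint256 public totalCredited;

    constructor(IERC20 token_) {
        token = token_;
    }

    /// Measures the balance before and after the pull so a fee-on-transfer
    /// token credits only the net amount.
    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
        totalCredited += received;
    }

    /// On withdrawal the fee comes out of the user's own leg; the vault's
    /// invariant (token balance >= totalCredited) keeps holding.
    function withdraw(uint256 amount) external {
        credited[msg.sender] -= amount;   // effects before the external call
        totalCredited -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}
```

Blacklisting tokens are the remaining case from the list: if the vault address is blacklisted, every `safeTransfer` reverts, so a vault holding such a token needs an emergency path that does not depend on moving that token.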

Unauthorized Fund Transfers/Asset Isolation (Funds Stuck)

Typical causes of unauthorized fund transfers and stuck assets include a wrong recipient, a fee recipient set to address 0x0, a missing or over-privileged rescue function, and mishandled native token receipt.

DoS (Gas/Loop/Griefing)

Unbounded array growth, loops that can lock user funds, and reverts forced through an external call inside the loop.
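
An added example (hypothetical contracts, not code from the project or the audit) showing the DoS shape above beside its fix: a distributor whose recipient array only grows and whose payout loop makes an external call per entry, so a single reverting recipient or a large enough list blocks everyone, next to a pull-payment version where each user claims their own balance and batches are bounded. Names and the batch limit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// The problematic shape: unbounded array + loop + external call per entry.
contract PushDistributor {
    address[] public recipients;              // anyone can grow this forever
    mapping(address => uint256) public owed;

    function register() external {
        recipients.push(msg.sender);
    }

    function credit(address user) external payable {
        owed[user] += msg.value;
    }

    /// Gas grows with recipients.length; if one recipient reverts, no one is paid.
    function distribute() external {
        uint256 n = recipients.length;
        for (uint256 i = 0; i < n; i++) {
            address r = recipients[i];
            uint256 amt = owed[r];
            if (amt == 0) continue;
            owed[r] = 0;
            (bool ok, ) = r.call{value: amt}("");
            require(ok, "payout failed");     // one failure reverts the whole loop
        }
    }
}

/// The fix: O(1) accounting, each user pulls their own funds, loops are bounded.
contract PullDistributor {
    uint256 public constant MAX_BATCH = 100;  // assumption: keeps a batch well under the block gas limit

    mapping(address => uint256) public owed;
    uint256 public totalOwed;

    event Credited(address indexed user, uint256 amount);
    event Claimed(address indexed user, uint256 amount);

    function credit(address user) public payable {
        owed[user] += msg.value;
        totalOwed += msg.value;
        emit Credited(user, msg.value);
    }

    /// Bounded batch; the caller funds exactly the sum of the amounts.
    function creditBatch(address[] calldata users, uint256[] calldata amounts) external payable {
        require(users.length == amounts.length, "length mismatch");
        require(users.length <= MAX_BATCH, "batch too large");
        uint256 sum;
        for (uint256 i = 0; i < users.length; i++) {
            owed[users[i]] += amounts[i];
            sum += amounts[i];
            emit Credited(users[i], amounts[i]);
        }
        require(sum == msg.value, "underfunded");
        totalOwed += sum;
    }

    /// A recipient that reverts only blocks itself; nobody else's claim is affected.
    function claim() external {
        uint256 amt = owed[msg.sender];
        require(amt > 0, "nothing owed");
        owed[msg.sender] = 0;                 // effects before interaction (no reentrancy window)
        totalOwed -= amt;
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "claim failed");
        emit Claimed(msg.sender, amt);
    }
}
```

If a project genuinely needs push payouts (for example to an allowlist it controls), the loop should at least be resumable from an index and skip rather than revert on a failing recipient, recording the skipped amount for later pull.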

Event/State Invariants & Monitoring

Event omission/misreporting (audit/forensic difficulty), core invariant maintenance (e.g., total assets = total liabilities)

Lack of Testing


“Self-Check Before Audit”

It is imperative that the following 15 items be documented as requirements (specifications).

Particular attention should be given to items 4, 5, 8, 9, and 10, as they carry significant weight in actual incidents:

Accounting/Accuracy/Oracle/Upgrade/Administrator Privileges.
