Uno WatchDog Cohort 1, Activation 2: MahaLend

Scope: New Cover Policy Activation

Authors: Jas Singh, Sujith Sizon, Vithuran K.

Summary:

Web: https://app.mahalend.com/

Twitter: x.com

Discord: MAHA

A successful audit has been completed for Maha Lend. The activation for the Maha Lend policy will commence shortly after passing the proposal. The UnoWatchDog program gives the opportunity for protocols to get a smart contract audit and get protocol wide coverage for all of its active users at no additional charge for either the protocol or the users. This means users will no longer be required to individually purchase, renew, and file claims for insurance. MahaLend is a decentralized non-custodial liquidity protocol (meaning your funds are yours and yours alone) where users can either provide liquidity and receive interest, or borrow ARTH, and pay interest on their loan. MahaLend is a fork of AAVE V3. You can read more about the protocol in the full documentation on their site.

Overview:

Start Date: June 2023
End Date: June 2024
Type of Coverage: Smart Contract Vulnerability
TVL Coverage Amount: $100k USD
Individual Cover Limit: $5000 USD
Individual Deductible: $100
Chain: Arbitrum
Claims: SSIP pool Assets (USDC, USDT, UNO, ETH)

Audit Summary:

Language: Solidity

Blockchain: Arbitrum only

Tokens used: USDC, USDT (Arbitrum only)

Maha Lend contracts have gone through an extensive audit by our security team and partners. We will continue to audit new additions to code for the remainder of the insurance policy term (12 months) free of charge as long as the number of SLOC changes fall within the quota. Should the insurance policy be extended, continued audits will also extend.

A total of 358 lines of code were audited among the contracts listed below:

  1. MasterchefAToken.sol - (Latest commit f29ac7c) - contracts-core/contracts/protocol/tokenization/MasterchefAToken.sol at feat/aave-fork · mahalend/contracts-core · GitHub

  2. ChainlinkLPOracleGMU.sol - (Latest commit c9a146f) - gmu-oracle-contracts/contracts/chainlink/ChainlinkLPOracleGMU.sol at master · MahaDAO/gmu-oracle-contracts · GitHub

  3. FeeBase.sol - (Latest commit 54e722d) - contracts-core/contracts/misc/FeeBase.sol at feat/aave-fork · mahalend/contracts-core · GitHub

The contracts above were audited from the repo under the following commit hash:

Review commit hash LP oracle - af2b5e441449a942867647c41c9c59e2754399d9

Review commit hash Mahalend - 6e546fe20c78d4b7b93c33238080c9690e9bb4c5

Please see the attached images below on the results of the audit.

Full Audit is available on-chain: Warning! | There might be a problem with the requested link

Active Monitoring and Real time tracking:

We have set up our suite of active monitoring and real time tracking toolkit to proactively maintain a steady check on the protocol’s health and notify the Spartans / Auditors on UnoRe’s discord server immediately as soon as any malicious on unintended activities happen on chain. We have listed below the key areas of tracking and monitoring that we have setup for the Maha DAO protocol.

  1. AccessControl.sol (https://arbiscan.io/address/0xeE56fb1E3c274dE5F2a066C4A7A1fE7d5BEC07Ab#code)

    i) RoleRevorked
    ii) RoleGranted
    iii) RoleAdminChanged
    
  2. BorrowLogic.sol (https://arbiscan.io/address/0x8f8da3b85d854b1b4210e30c3118ca7e7b0ead70#code)

    i) FlashLoanLogic.sol
    a. Flashloan
    
    ii) LiquidationLogic.sol
    a. LiquidationCall
    
    iii) SupplyLogic.sol
    a. supply
    b. withdraw
    
    iv) Pool.sol
    a. updateBridgeProtocolFee
    b. proxy monitoring - monitors if the underlying contract changes
    
  3. usdc/usdt atoken.sol (https://arbiscan.io/address/0xdf69edd3a4807ff925d304dec185eb6ddf95c107#code)

    i) minting (above a certain token)
    ii) proxy monitoring - monitors if the underlying contract changes 
    
  4. poolconfigurator.sol (PoolConfigurator | Address 0x363A1080535001993fD7058F334FaaE9Ed83D520| Arbiscan) - monitoring key risk factors on the borrowing lending market in the protocol

    i) setBorrowcap
    ii) setDebtCeiling
    iii) setReserveFactor
    iv) setReserveInterestRateStrategyAddress
    v) setResereStableRateBorrowing
    vi) setSupplyCap
    vii) updateAToken
    
  5. Arbitrum Sequencer(ArbitrumSequencerUptimeFeed | Address 0xC1303BBBaf172C55848D3Cb91606d8E27FF38428 | Arbiscan)

    i) latestRoundData - real time monitoring of uptime sequencer feed to check if the Oracle price feeds are up to date in the arbitrum network
    

(L2 Sequencer Uptime Feeds | Chainlink Documentation)

Even though Maha Lend has passed a thorough audit review, it can still be prone to attacks that have never been documented before. Monitoring the contracts is an additional step we take to help prevent hacks in edge case scenarios where the hacker is still able to steal assets.

Service Fees for UnoRe DAO services are as follows:

Date: 2023-04-12

Description:

  1. Audit cost split among auditors: 11,550 USDC

  2. Bounty Fee and Active Monitoring fees: 4950 USDC

  3. Insurance premiums: 5,000 USD in MAHA tokens*

*MAHA tokens at the rate on 21st of March 2023

A special thank you to our Independent Auditors chrisdior4, ddimitrov22 and pashovkrum.

Insurance Policy:

Type of Coverage: Smart Contract Vulnerability
TVL Coverage Amount: $100k USD
Individual Cover Limit: $5000 USD
Individual Deductible: $100 USD
Chain: Arbitrum
Claims: SSIP pool Assets (USDC, USDT, UNO, ETH)

In the rare event an UnoWatchDog client is hacked and funds are non-recoverable, UnoRe will cover losses for each user up to the total coverage amount and up to the set individual claim limit, less the individual deductible shown above. The insurance policy follows the same exclusions and conditions in our original smart contract cover wording found in our Gitbook here. However, this policy includes some additional criteria not mentioned in the Gitbook:

  • Further exclusions include:

    • Centralization related risks,
    • contracts not within scope of the audit
    • oracle and economic related attacks
    • markets outside of USDC and USDT will not be covered
  • UnoWatchDog clients will continually have new code audited, however if an exploit is due to any of the following reasons, the policy will be invalidated:

    • a contract upgrade that Uno Re did not approve
    • Maha DAO did not notify Uno Re prior to deploying changes
    • Maha DAO did not allow for enough time for the code to be approved by both Uno Re and the Spartan community

A two week window will be given for additional code to be reviewed by the Spartan community and Uno Re prior to being deployed. The policy will resume as intended after both the Spartan community and Uno Re have approved any changes. Unlike the insurance policies listed in our cover portal, users will not be required to take any further action to be covered. Users will automatically be covered if a loss were to occurred, and will not be required to file a claim to be processed.

0day Reporting

Uno Re protocol in collaboration with MAHA DAO protocol will be running an active Zero day reporting and bug bounty program where security researchers and whitehats who find Critical and High issues with the protocol Zero Day is a monitoring program initiated once the audit phase is over. The researchers
submit zero-day and other exploits, ensuring a continuous vulnerability assessment process.

Scope and rewards

The program’s scope remains the same as the audit. We would then categorize the vulnerability into critical, high, and medium. These reports would be based on exploits that could lead to

  1. Direct Fund loss

  2. Permanent freezing of user’s stakes

  3. Theft of unclaimed rewards

  4. Preventing users from claiming due rewards

  5. MEV

and more

Disclaimer: Uno Re and the MAHA DAO protocol team would decide the payout for these vulnerabilities. The amount for the payout would be proportional to the severity and nature of the exploit.

Conclusion and next steps:

The internal audit of Maha Lend was successful, and our active monitoring systems are live. The insurance policy will also go live by the end of the week, and will not expire until the end of May 2024. The renewal of the policy at the end of its term is subject to approval by the UnoRe DAO at a future date. After this proposal passes, Maha Lend will be added to our list of UnoWatchDog clients.

Disclaimer: The Watch Dog program does not have any influence on any projects token price. A Watch Dog client does not mean we endorse the projects token or coin. UnoRe does not give out financial advice and can neither confirm or deny whether the token in question is a good investment.

8 Likes

Governance Bribes Distribution Update

Governance bribes are distributed to the participants. Here is the list of qualified contributors. Enjoy your rewards!

0xd56904075f943C121ceB8bD3FD0b006bED878E7f

0xb18840E1ddadB2D8635C8dC9E23F7b09b3887854

0xd7BB739060a742dD147168abA4f1B7C304759617

0xc3bCfcfb99c881a2Eb7CeB47982C5eD6B350B1D5

0x372f1bA5FF303068a996851CcAf171286Bc4a5d4

0x982522C73e4562A8F9572B6580eb8bead4c66D18

0x3Ece63Fb6caEf370b6544AA6ca619e8cBE5007C7

0xc9931A6112dDB6a7ED4d6F7C15361e4B1d36E302

0xD0797211902638dad874432Ac221CFeCD9446F7F

0xBb221BF0e4d29179ad7c3c6Dc973D21b5C258fbd

0x04cf75cB18A38ab77396A2572538bEa77e279a83

0xc7e318811aAc4e3975BF49d6A7C6FBC82D2305a7

0x60ca7446Aa8d6aC01545772D8643494439512A6D

0x14b2Dfe183B530Bf8f36220Dd075b37B421796c7

0xbABBE459A3DF532aDc193fd6cb2B3F327dB9FC99

0x2cAFe9CBA9da5a49E3FF28eB63958c2583CD552A

0x805ec14309d962E00cFB754F40b146573C394fA3

0xD96Fcc51a852767AF7A599A5BDF2dAF0F162627b

0x7AE85B25b2Db88B3fC2000fA5326efD7abc4E1C0

0xEb54b04b7329a8F1f32e6bA1E2419732bcB14647

0x8B13a37092Fed2dE7423610db9e12D0479F6121D

Transaction Links: $MAHA (Ethereum Network) | $ETH (Arbitrum Network)

https://etherscan.io/tx/0x1b0dbd12bb921612bb199f21899ff3fa64cf2354598c48c7ca747de7edaf7045

https://arbiscan.io/tx/0x0fff42b8f8914b13651bbbb1e1d12c5c16f94df10ebc49acf62c673dff0d3545

1 Like