Uno WatchDog Cohort 1, Activation 2: MahaLend

Scope: New Cover Policy Activation

Authors: Jas Singh, Sujith Sizon, Vithuran K.

Summary:

Web: https://app.mahalend.com/

Twitter: https://twitter.com/TheMahaDAO

Discord: MahaDAO

A successful audit has been completed for Maha Lend. The activation for the Maha Lend policy will commence shortly after passing the proposal. The UnoWatchDog program gives the opportunity for protocols to get a smart contract audit and get protocol wide coverage for all of its active users at no additional charge for either the protocol or the users. This means users will no longer be required to individually purchase, renew, and file claims for insurance. MahaLend is a decentralized non-custodial liquidity protocol (meaning your funds are yours and yours alone) where users can either provide liquidity and receive interest, or borrow ARTH, and pay interest on their loan. MahaLend is a fork of AAVE V3. You can read more about the protocol in the full documentation on their site.

Overview:

Start Date: June 2023
End Date: June 2024
Type of Coverage: Smart Contract Vulnerability
TVL Coverage Amount: $100k USD
Individual Cover Limit: $5000 USD
Individual Deductible: $100 USD
Chain: Arbitrum
Claims: SSIP pool Assets (USDC, USDT, UNO, ETH)

Audit Summary:

Language: Solidity

Blockchain: Arbitrum only

Tokens used: USDC, USDT (Arbitrum only)

Maha Lend contracts have gone through an extensive audit by our security team and partners. We will continue to audit new additions to the code for the remainder of the insurance policy term (12 months) free of charge, as long as the number of SLOC changed falls within the quota. Should the insurance policy be extended, the continued audits will also extend.

A total of 358 lines of code were audited among the contracts listed below:

  1. MasterchefAToken.sol - (Latest commit f29ac7c) - contracts-core/MasterchefAToken.sol at feat/aave-fork · mahalend/contracts-core · GitHub

  2. ChainlinkLPOracleGMU.sol - (Latest commit c9a146f) - gmu-oracle-contracts/ChainlinkLPOracleGMU.sol at master · MahaDAO/gmu-oracle-contracts · GitHub

  3. FeeBase.sol - (Latest commit 54e722d) - contracts-core/FeeBase.sol at feat/aave-fork · mahalend/contracts-core · GitHub

The contracts above were audited from their repositories at the following commit hashes:

Review commit hash LP oracle - af2b5e441449a942867647c41c9c59e2754399d9

Review commit hash Mahalend - 6e546fe20c78d4b7b93c33238080c9690e9bb4c5

Please see the attached images below on the results of the audit.

Full Audit is available on-chain: https://pin.ski/42FEu7e

Active Monitoring and Real time tracking:

We have set up our suite of active monitoring and real-time tracking tools to proactively maintain a steady check on the protocol’s health and to notify the Spartans / Auditors on UnoRe’s Discord server immediately whenever any malicious or unintended activity happens on chain. The key areas of tracking and monitoring that we have set up for the Maha DAO protocol are listed below.

  1. AccessControl.sol (https://arbiscan.io/address/0xeE56fb1E3c274dE5F2a066C4A7A1fE7d5BEC07Ab#code)

    i) RoleRevoked
    ii) RoleGranted
    iii) RoleAdminChanged
    
  2. BorrowLogic.sol (https://arbiscan.io/address/0x8f8da3b85d854b1b4210e30c3118ca7e7b0ead70#code)

    i) FlashLoanLogic.sol
    a. Flashloan
    
    ii) LiquidationLogic.sol
    a. LiquidationCall
    
    iii) SupplyLogic.sol
    a. supply
    b. withdraw
    
    iv) Pool.sol
    a. updateBridgeProtocolFee
    b. proxy monitoring - monitors if the underlying contract changes
    
  3. usdc/usdt atoken.sol (https://arbiscan.io/address/0xdf69edd3a4807ff925d304dec185eb6ddf95c107#code)

    i) minting (above a certain token amount)
    ii) proxy monitoring - monitors if the underlying contract changes
    
  4. PoolConfigurator.sol (https://arbiscan.io/address/0x363A1080535001993fD7058F334FaaE9Ed83D520#code) - monitoring key risk factors of the borrowing and lending market in the protocol

    i) setBorrowCap
    ii) setDebtCeiling
    iii) setReserveFactor
    iv) setReserveInterestRateStrategyAddress
    v) setReserveStableRateBorrowing
    vi) setSupplyCap
    vii) updateAToken
    
  5. Arbitrum Sequencer (ArbitrumSequencerUptimeFeed, https://arbiscan.io/address/0xC1303BBBaf172C55848D3Cb91606d8E27FF38428#code)

    i) latestRoundData - real-time monitoring of the sequencer uptime feed to check whether the oracle price feeds are up to date on the Arbitrum network
    

(L2 Sequencer Uptime Feeds | Chainlink Documentation)

Even though Maha Lend has passed a thorough audit review, it can still be prone to attacks that have never been documented before. Monitoring the contracts is an additional step we take to help prevent hacks in edge case scenarios where the hacker is still able to steal assets.
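The following is an added example, not code from the post or from UnoRe or MahaDAO, of how the two kinds of checks listed above can be expressed offline: classifying raw AccessControl logs (RoleGranted, RoleRevoked, RoleAdminChanged) for the contract address quoted in the post, and interpreting the Arbitrum sequencer uptime feed's latestRoundData() result with the grace-period rule from the Chainlink documentation. The topic hashes are the keccak256 of the standard OpenZeppelin event signatures; the log dictionaries, the role and account values, the round data, the severity labels and the notify callback are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# topics[0] values: keccak256 of the OpenZeppelin AccessControl event signatures.
# Every parameter of these three events is indexed, so the values sit in
# topics[1..3] and the log's data field is empty.
ACCESS_CONTROL_TOPICS = {
    # RoleGranted(bytes32 role, address account, address sender)
    "0x2f8788117e7eff1d82e926ec794901d17c78024a50270940304540a733656f0d": "RoleGranted",
    # RoleRevoked(bytes32 role, address account, address sender)
    "0xf6391f5c32d9c69d2a47ea670b442974b53935d1edc7fd64eb21e047a839171b": "RoleRevoked",
    # RoleAdminChanged(bytes32 role, bytes32 previousAdminRole, bytes32 newAdminRole)
    "0xbd79b86ffe0ab8e8776151514217cd7cacd52c909f66475c3af44e129f0b00ff": "RoleAdminChanged",
}

# AccessControl.sol address quoted in the post.
WATCHED_ACCESS_CONTROL = "0xeE56fb1E3c274dE5F2a066C4A7A1fE7d5BEC07Ab"


@dataclass
class Alert:
    severity: str   # assumed labels: "critical" / "high"
    kind: str
    detail: str


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes in a topic; keep the low 20 bytes."""
    return "0x" + topic[-40:]


def classify_access_control_log(log: dict, watched: str) -> Optional[Alert]:
    """Map one raw log (eth_getLogs shape: address, topics, data) to an alert, or None."""
    if log["address"].lower() != watched.lower():
        return None
    name = ACCESS_CONTROL_TOPICS.get(log["topics"][0].lower())
    if name is None:
        return None
    role = log["topics"][1]
    if name == "RoleAdminChanged":
        return Alert("critical", name,
                     f"role {role} admin {log['topics'][2]} -> {log['topics'][3]}")
    account = topic_to_address(log["topics"][2])
    sender = topic_to_address(log["topics"][3])
    # Granting a role widens privilege, so it is rated above a revocation here.
    severity = "critical" if name == "RoleGranted" else "high"
    return Alert(severity, name, f"role {role} account {account} by {sender}")


def check_sequencer(round_data: tuple, now: int, grace_period: int = 3600) -> Optional[Alert]:
    """Interpret latestRoundData() from an L2 sequencer uptime feed.

    answer == 0 means the sequencer is up and 1 means it is down; startedAt is the
    timestamp at which the current status began. After the sequencer returns, price
    feeds may still be stale, so prices are treated as stale for a grace period.
    """
    _round_id, answer, started_at, _updated_at, _answered_in_round = round_data
    if started_at == 0:
        return Alert("high", "SequencerFeed", "round not initialised (startedAt == 0)")
    if answer != 0:
        return Alert("critical", "SequencerDown", f"sequencer down since {started_at}")
    if now - started_at <= grace_period:
        return Alert("high", "SequencerGrace",
                     f"sequencer up for only {now - started_at}s; treat prices as stale")
    return None


def run_checks(logs: List[dict], round_data: tuple, now: int, watched: str,
               notify: Callable[[Alert], None]) -> List[Alert]:
    """One monitoring pass: classify each log, then check the sequencer feed."""
    alerts = [a for a in (classify_access_control_log(l, watched) for l in logs) if a]
    seq = check_sequencer(round_data, now)
    if seq is not None:
        alerts.append(seq)
    for alert in alerts:
        notify(alert)   # e.g. post to a Discord webhook; a plain callable here
    return alerts


# Constructed sample input: a RoleGranted on the watched contract, a RoleRevoked on an
# unrelated contract, and an unrelated event on the watched contract.
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32
SAMPLE_LOGS = [
    {"address": WATCHED_ACCESS_CONTROL.lower(),
     "topics": ["0x2f8788117e7eff1d82e926ec794901d17c78024a50270940304540a733656f0d",
                DEFAULT_ADMIN_ROLE, "0x" + "00" * 12 + "ab" * 20, "0x" + "00" * 12 + "cd" * 20],
     "data": "0x"},
    {"address": "0x" + "11" * 20,
     "topics": ["0xf6391f5c32d9c69d2a47ea670b442974b53935d1edc7fd64eb21e047a839171b",
                DEFAULT_ADMIN_ROLE, "0x" + "00" * 12 + "ab" * 20, "0x" + "00" * 12 + "cd" * 20],
     "data": "0x"},
    {"address": WATCHED_ACCESS_CONTROL.lower(), "topics": ["0x" + "ee" * 32], "data": "0x"},
]
# Constructed feed reading: sequencer up since t=1_000_000, observed two hours later.
SAMPLE_ROUND = (1, 0, 1_000_000, 1_000_000, 1)

if __name__ == "__main__":
    run_checks(SAMPLE_LOGS, SAMPLE_ROUND, 1_000_000 + 7200, WATCHED_ACCESS_CONTROL,
               lambda a: print(a.severity, a.kind, a.detail))
```

In a live deployment the log dictionaries would come from a node's eth_getLogs or a websocket subscription and the round tuple from a latestRoundData() call against the feed address above; the classification and sequencer rules stay the same.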

Service Fees for UnoRe DAO services are as follows:

Date: 2023-04-12

Description:

  1. Audit cost split among auditors: 11,550 USDC

  2. Bounty Fee and Active Monitoring fees: 4,950 USDC

  3. Insurance premiums: 5,000 USD in MAHA tokens*

*MAHA tokens at the rate on 21st of March 2023

A special thank you to our Independent Auditors chrisdior4, ddimitrov22 and pashovkrum.

Insurance Policy:

Type of Coverage: Smart Contract Vulnerability
TVL Coverage Amount: $100k USD
Individual Cover Limit: $5000 USD
Individual Deductible: $100 USD
Chain: Arbitrum
Claims: SSIP pool Assets (USDC, USDT, UNO, ETH)

In the rare event an UnoWatchDog client is hacked and funds are non-recoverable, UnoRe will cover losses for each user up to the total coverage amount and up to the set individual claim limit, less the individual deductible shown above. The insurance policy follows the same exclusions and conditions in our original smart contract cover wording found in our Gitbook here. However, this policy includes some additional criteria not mentioned in the Gitbook:

  • Further exclusions include:

    • Centralization related risks,
    • contracts not within scope of the audit
    • oracle and economic related attacks
    • markets outside of USDC and USDT will not be covered
  • UnoWatchDog clients will continually have new code audited, however if an exploit is due to any of the following reasons, the policy will be invalidated:

    • a contract upgrade that Uno Re did not approve
    • Maha DAO did not notify Uno Re prior to deploying changes
    • Maha DAO did not allow for enough time for the code to be approved by both Uno Re and the Spartan community

A two-week window will be given for additional code to be reviewed by the Spartan community and Uno Re prior to being deployed. The policy will resume as intended after both the Spartan community and Uno Re have approved any changes. Unlike the insurance policies listed in our cover portal, users will not be required to take any further action to be covered. Users will automatically be covered if a loss were to occur, and will not be required to file a claim for it to be processed.

0day Reporting

Uno Re protocol, in collaboration with the MAHA DAO protocol, will be running an active zero-day reporting and bug bounty program through which security researchers and whitehats report Critical and High issues with the protocol. Zero Day is a monitoring program initiated once the audit phase is over. The researchers submit zero-day and other exploits, ensuring a continuous vulnerability assessment process.

Scope and rewards

The program’s scope remains the same as the audit. We would then categorize the vulnerability into critical, high, and medium. These reports would be based on exploits that could lead to

  1. Direct Fund loss

  2. Permanent freezing of user’s stakes

  3. Theft of unclaimed rewards

  4. Preventing users from claiming due rewards

  5. MEV

and more

Disclaimer: Uno Re and the MAHA DAO protocol team would decide the payout for these vulnerabilities. The amount for the payout would be proportional to the severity and nature of the exploit.

Conclusion and next steps:

The internal audit of Maha Lend was successful, and our active monitoring systems are live. The insurance policy will also go live by the end of the week, and will not expire until the end of May 2024. The renewal of the policy at the end of its term is subject to approval by the UnoRe DAO at a future date. After this proposal passes, Maha Lend will be added to our list of UnoWatchDog clients.

Disclaimer: The Watch Dog program does not have any influence on any project's token price. Being a Watch Dog client does not mean we endorse the project's token or coin. UnoRe does not give out financial advice and can neither confirm nor deny whether the token in question is a good investment.


Governance Bribes Distribution Update

Governance bribes are distributed to the participants. Here is the list of qualified contributors. Enjoy your rewards!

0xd56904075f943C121ceB8bD3FD0b006bED878E7f

0xb18840E1ddadB2D8635C8dC9E23F7b09b3887854

0xd7BB739060a742dD147168abA4f1B7C304759617

0xc3bCfcfb99c881a2Eb7CeB47982C5eD6B350B1D5

0x372f1bA5FF303068a996851CcAf171286Bc4a5d4

0x982522C73e4562A8F9572B6580eb8bead4c66D18

0x3Ece63Fb6caEf370b6544AA6ca619e8cBE5007C7

0xc9931A6112dDB6a7ED4d6F7C15361e4B1d36E302

0xD0797211902638dad874432Ac221CFeCD9446F7F

0xBb221BF0e4d29179ad7c3c6Dc973D21b5C258fbd

0x04cf75cB18A38ab77396A2572538bEa77e279a83

0xc7e318811aAc4e3975BF49d6A7C6FBC82D2305a7

0x60ca7446Aa8d6aC01545772D8643494439512A6D

0x14b2Dfe183B530Bf8f36220Dd075b37B421796c7

0xbABBE459A3DF532aDc193fd6cb2B3F327dB9FC99

0x2cAFe9CBA9da5a49E3FF28eB63958c2583CD552A

0x805ec14309d962E00cFB754F40b146573C394fA3

0xD96Fcc51a852767AF7A599A5BDF2dAF0F162627b

0x7AE85B25b2Db88B3fC2000fA5326efD7abc4E1C0

0xEb54b04b7329a8F1f32e6bA1E2419732bcB14647

0x8B13a37092Fed2dE7423610db9e12D0479F6121D

Transaction Links: $MAHA (Ethereum Network) | $ETH (Arbitrum Network)

https://etherscan.io/tx/0x1b0dbd12bb921612bb199f21899ff3fa64cf2354598c48c7ca747de7edaf7045

https://arbiscan.io/tx/0x0fff42b8f8914b13651bbbb1e1d12c5c16f94df10ebc49acf62c673dff0d3545
