Lendle Aave Fork Deployment on Mantle Security Review Report

September 2025

Overview

This report covers the security review of Lendle, a fork of Aave that is deployed on Mantle Network. The review covered the on-chain deployment and configuration of Lendle and spanned 1 week. We did not identify any misconfigurations.

Summary

Total number of findings
5

Weaknesses

This section contains the list of discovered weaknesses.

LNDL1-2 | TOKEN INTEGRATION RISKS

Severity:

Informational

Description:

We have reviewed all of the tokens that are integrated with Lendle for different types of risks. The currently integrated tokens are:

  • cmETH

  • mETH

  • MNT

  • FBTC

  • USDT

  • sUSDe

  • USDE

  • WETH

We check each of these tokens for centralisation risks (such as blacklisting, owner minting), dependency risks (such as bridges) and economic/integration risks (such as rebaseable tokens). These were the results:

  • cmETH:

    • Address: 0xE6829d9a7eE3040e1276Fa75293Bde931859e8fA
    • Blacklist: Yes
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: Yes
    • Dependencies: LayerZero bridge
  • mETH:

    • Address: 0xcDA86A272531e8640cD7F1a92c01839911B90bb0
    • Blacklist: No
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: Yes
    • Dependencies: Mantle bridge
  • MNT:

    • Address: 0xDeadDeAddeAddEAddeadDEaDDEAdDeaDDeAD0000
    • Blacklist: No
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: No
    • Dependencies: None
  • FBTC:

    • Address: 0xC96dE26018A54D51c097160568752c4E3BD6C364
    • Blacklist: Yes
    • Owner can mint: Yes
    • Rebaseable: No
    • Upgradeable: No
    • Dependencies: Fire bridge
  • USDT:

    • Address: 0x201EBa5CC46D216Ce6DC03F6a759e8E766e956aE
    • Blacklist: No
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: No
    • Dependencies: Mantle bridge
  • sUSDe:

    • Address: 0x211Cc4DD073734dA055fbF44a2b4667d5E5fE5d2
    • Blacklist: Yes
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: No
    • Dependencies: LayerZero bridge
  • USDE:

    • Address: 0x5d3a1Ff2b6BAb83b63cd9AD0787074081a52ef34
    • Blacklist: No
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: No
    • Dependencies: LayerZero bridge
  • WETH:

    • Address: 0xdEAddEaDdeadDEadDEADDEAddEADDEAddead1111
    • Blacklist: No
    • Owner can mint: No
    • Rebaseable: No
    • Upgradeable: No
    • Dependencies: Mantle bridge

Overall we conclude that none of the integrated tokens poses a significant risk. Some are more decentralised than others, but these are minor issues that are not likely to affect the operations of Lendle.

LNDL1-3 | UN-INITIALIZED POOLCONFIGURATOR IMPLEMENTATION CONTRACTS

Severity:

Informational

Description:

The PoolConfigurator implementation contracts have never been initialized and still hold their default state. While this does not affect protocol storage (which lives in the proxies), leaving the logic contracts open to first-time initialization is not ideal practice.

contract PoolConfiguratorInstance is PoolConfigurator {
  uint256 public constant CONFIGURATOR_REVISION = 5;
 
  /// @inheritdoc VersionedInitializable
  function getRevision() internal pure virtual override returns (uint256) {
    return CONFIGURATOR_REVISION;
  }
 
  function initialize(IPoolAddressesProvider provider) public virtual override initializer {
    _addressesProvider = provider;
    _pool = IPool(_addressesProvider.getPool());
  }
}

Remediation:

Initialize each implementation once (e.g., with a benign dummy call) to lock the initializer and prevent any future first-time initialization.
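
The behaviour described in this finding, as a small Python model added here for illustration (it is not Lendle's or Aave's code). It assumes the initializer guard allows initialization only while the contract revision is greater than the last initialized revision held in the called account's own storage; the `Storage` class, the function names and the placeholder addresses are hypothetical.

```python
class AlreadyInitialized(Exception):
    """Raised where the Solidity `initializer` modifier would revert."""


CONFIGURATOR_REVISION = 5  # value from the PoolConfiguratorInstance snippet above


class Storage:
    """Storage of one on-chain account (a proxy, or the implementation itself)."""

    def __init__(self):
        self.last_initialized_revision = 0  # default state of a fresh contract
        self.addresses_provider = None


def initialize(storage, provider):
    """Model of initialize() behind the guard: succeeds once per storage context."""
    if CONFIGURATOR_REVISION <= storage.last_initialized_revision:
        raise AlreadyInitialized("Contract instance has already been initialized")
    storage.last_initialized_revision = CONFIGURATOR_REVISION
    storage.addresses_provider = provider


def is_open_to_initialization(storage):
    """Review check: could a first-time initialize() still succeed on this account?"""
    return storage.last_initialized_revision < CONFIGURATOR_REVISION


def demo():
    proxy, implementation = Storage(), Storage()
    # A delegatecall from the proxy writes to the proxy's storage only.
    initialize(proxy, "0xPROVIDER_PLACEHOLDER")
    before = is_open_to_initialization(implementation)  # still in default state
    # Remediation from the report: one benign call on the implementation itself.
    initialize(implementation, "0xDUMMY_PLACEHOLDER")
    after = is_open_to_initialization(implementation)
    try:
        initialize(implementation, "0xLATER_CALLER_PLACEHOLDER")
        locked = False
    except AlreadyInitialized:
        locked = True
    return before, after, locked, proxy.addresses_provider
```

The proxy's stored provider is unchanged throughout, which matches the report's point that protocol storage lives in the proxies.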

LNDL1-4 | OWNERSHIP

Severity:

Informational

Description:

Every contract that has been deployed and that implements Ownable has been checked for ownership.

The following addresses are owners of contracts in the protocol:

  • 0x94D292064aa143c9104806EAdaCE34B021B73C58
  • 0x186930A448ec50F6aCEfa205d5cBf4cbB8a97259

Both of these contracts are Gnosis Safe multi-sig contracts, which is positive for the security of the protocol.

The Gnosis Safe at 0x94D292064aa143c9104806EAdaCE34B021B73C58 has 3 owners registered and a threshold of 2 out of 3.

However, the Gnosis Safe at 0x186930A448ec50F6aCEfa205d5cBf4cbB8a97259 has only 2 owners and a threshold of 1 out of 2. This is insufficient, and we recommend adding a 3rd owner to this Safe if possible.

LNDL1-5 | PRICE ORACLES

Severity:

Informational

Description:

During the review, we checked the configured price oracle of each reserve asset to ensure price correctness in the protocol.

In total, there are 13 PoolAddressesProviders registered in the global registry. Each provider points to its own Chainlink PriceOracle contract. Each pool has exactly two reserves and returns a price > 0, so the minimal correctness check passes. We also found no mismatches between the provider and oracle, and no stale zero-prices were detected.
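
One way to automate the checks described above over the text report, as an added example that is not the script used in the review. The sample report is constructed with placeholder addresses, and the cross-oracle price comparison is an extra consistency check that assumes all oracles were read at the same block.

```python
# Constructed sample in the layout of the oracle report; addresses are placeholders.
SAMPLE = (
    "Total providers found: 2\n--------------------------------\n"
    "Provider index: 1\nOracle address: 0xORACLE_A\nBASE_CURRENCY_UNIT: 100000000\n"
    "Number of reserves: 2\n"
    "Reserve index: 0\nAsset address:\n0xASSET_1\nPrice:\n99988487\n"
    "Reserve index: 1\nAsset address:\n0xASSET_2\nPrice:\n245921820000\n"
    "--------------------------------\n"
    "Provider index: 2\nOracle address: 0xORACLE_B\nBASE_CURRENCY_UNIT: 100000000\n"
    "Number of reserves: 2\n"
    "Reserve index: 0\nAsset address:\n0xASSET_2\nPrice:\n0\n"
)

def parse(report):
    """Turn the text report into a list of provider dicts with their reserves."""
    providers, pending = [], None
    for line in filter(None, map(str.strip, report.splitlines())):
        key, sep, value = line.partition(":")
        if pending:  # bare value line following "Asset address:" or "Price:"
            providers[-1]["reserves"][-1][pending] = line
            pending = None
        elif key == "Provider index":
            providers.append({"index": int(value), "reserves": []})
        elif key == "Reserve index":
            providers[-1]["reserves"].append({})
        elif key in ("Asset address", "Price"):
            pending = key
        elif sep and providers:  # ordinary "key: value" line inside a provider block
            providers[-1][key] = value.strip()
    return providers

def check(providers):
    """Flag reserve-count mismatches, missing prices and cross-oracle differences."""
    findings, seen = [], {}
    for p in providers:
        if len(p["reserves"]) != int(p["Number of reserves"]):
            findings.append(f"provider {p['index']}: reserve count mismatch")
        for r in p["reserves"]:
            asset, price = r["Asset address"], int(r["Price"])
            if price <= 0:
                findings.append(f"provider {p['index']}: no price for {asset}")
            elif seen.setdefault((asset, p["BASE_CURRENCY_UNIT"]), price) != price:
                findings.append(f"provider {p['index']}: {asset} price differs between oracles")
    return findings
```

An empty list from `check(parse(report))` corresponds to the outcome stated above; any entry is a prompt for manual review of that provider.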

Complete report:


LNDL1-6 | RESERVE CONFIGURATION

Severity:

Informational

Description:

We have reviewed the configuration for each reserve in each pool:

  • Activation:
    • Active: true - OK
    • Frozen: false - OK
    • Paused: false - OK
  • Risk parameters:
    • LTV - Set at a sensible rate that correctly corresponds to the volatility of the asset - OK
    • LiquidationThreshold - Set at a rate such that enough margin is left to allow for timely liquidation and prevent bad debt - OK
    • LiquidationBonus - Set high enough to give liquidators an incentive, but not so high that self-liquidation becomes profitable or that it results in bad debt - OK
  • Caps:
    • SupplyCap - OK
    • BorrowCap - OK
    • DebtCeiling - OK
  • Fees:
    • ReserveFactor - OK
    • LiquidationProtocolFee - OK
  • Tokens:
    • aToken: set - OK
    • vDebtToken: set - OK
    • sDebtToken: not set, should be disabled as stable debt borrowing is not safe - OK
    • InterestRateStrategy: set - OK
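
The activation flags, risk parameters, caps and fees in this checklist are packed into a single uint256 per reserve; this added example (not part of the review's tooling) decodes that bitmap and applies the checks. It assumes the bit layout of upstream Aave v3's ReserveConfiguration library, which should be confirmed against Lendle's fork, and the sample values are constructed.

```python
# Bit layout (start bit, width) assumed from upstream Aave v3 ReserveConfiguration;
# confirm it against the fork's own library before relying on it.
FIELDS = {
    "ltv": (0, 16), "liquidation_threshold": (16, 16), "liquidation_bonus": (32, 16),
    "active": (56, 1), "frozen": (57, 1), "stable_borrowing": (59, 1), "paused": (60, 1),
    "reserve_factor": (64, 16), "borrow_cap": (80, 36), "supply_cap": (116, 36),
    "liquidation_protocol_fee": (152, 16), "debt_ceiling": (212, 40),
}
PERCENTAGE_FACTOR = 10_000  # 100.00%, percentages are stored in basis points

def decode(data):
    """Split the packed uint256 into named fields."""
    return {n: (data >> start) & ((1 << width) - 1) for n, (start, width) in FIELDS.items()}

def encode(**values):
    """Pack fields into a bitmap (used here only to build the constructed samples)."""
    data = 0
    for name, value in values.items():
        start, width = FIELDS[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        data |= value << start
    return data

def review(data):
    """Return the deviations from the checklist above (an empty list means OK)."""
    c, issues = decode(data), []
    if not c["active"] or c["frozen"] or c["paused"]:
        issues.append("activation flags")
    if c["stable_borrowing"]:
        issues.append("stable borrowing enabled")
    if c["ltv"] > c["liquidation_threshold"]:
        issues.append("LTV above liquidation threshold")
    if c["liquidation_threshold"]:
        # Collateral share paid out at the threshold, with round-half-up division.
        covered = (c["liquidation_threshold"] * c["liquidation_bonus"] + 5_000) // 10_000
        if c["liquidation_bonus"] <= PERCENTAGE_FACTOR:
            issues.append("no liquidation incentive")
        elif covered > PERCENTAGE_FACTOR:
            issues.append("bonus exceeds collateral left at threshold")
    return issues

# Constructed sample values, not Lendle's on-chain configuration.
HEALTHY = encode(ltv=7_500, liquidation_threshold=8_000, liquidation_bonus=10_500,
                 active=1, reserve_factor=1_000, supply_cap=1_000_000)
RISKY = encode(ltv=8_500, liquidation_threshold=8_000, liquidation_bonus=13_000,
               active=1, paused=1, stable_borrowing=1)
```

The threshold-times-bonus check is the one that ties to bad debt: when it exceeds 100%, a position liquidated exactly at the threshold owes the liquidator more collateral than it holds.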

Lendle Aave Fork on Mantle Audit — Sep 2025 | Hexens