Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Avon>Threat Model>Component: Borrowing (market + limit matching via Orderbook → Pool borrow)
GeneralOverview
Findings
Medium (4)
Low (5)
Informational (3)
DiscussionLiquidity sufficiency check in the function _flashLoanInconsistency between comments and implementationOracle token decimal variance
Threat ModelComponent: Borrowing (market + limit matching via Orderbook → Pool borrow)Component: Lending (pools providing liquidity via Orderbook → Borrowers)
Audit ResultsAssessment Results

Component: Borrowing (market + limit matching via Orderbook → Pool borrow)

Description

  • Turns borrower intent (market or limit) into loans across whitelisted pools.

  • Enforces collateral, liquidity, and pricing checks.

  • Updates borrow shares, pool totals, fees, and orderbook state.

What it does:

  • Market borrow: matchMarketBorrowOrder finds best lender orders, aggregates pools, computes required collateral, pulls once, and may charge a flat fee.

  • Limit borrow: insertLimitBorrowOrder escrows collateral; later a keeper calls matchLimitBorrowOrder at borrower’s chosen terms, refunding any excess.

  • Pool side: BorrowRepay._borrow mints borrow shares, updates totals, checks safety and liquidity, then transfers loan tokens.

How it works:

  • Orders stored in a red-black tree keyed by rate/LTV.

  • Collateral per pool calculated via previewBorrow, then summed and transferred once.

  • Fees: optional flat matching fee goes to feeRecipient.

  • Permissions: pools must be whitelisted; limit matching keeper-only; borrow allowed if sender is borrower, orderbook, or permitted.

  • Safety: entry points are nonReentrant and whenNotPaused; pool accrues interest before updates.

Invariants

  • Liquidity: totalBorrowAssets ≤ totalSupplyAssets always holds.

  • Position safety: borrower’s debt must stay ≤ collateral value * LLTV.

  • Accounting: borrow shares and assets stay in sync; accrual only increases totals; fee shares mint against supply.

  • Access control: only whitelisted pools can list; only keepers match limit orders; only owner adjusts fees/recipients.

Attack surface

  • Borrower params:

  • Market: amount > 0, collateralBuffer ≥ 1%, enforce minAmountExpected.

    • Limit: upfront collateral, within MAX_LIMIT_ORDERS, keeper-only matching, refund logic, LTV/buffer bounds.

  • Matching window: pool state may change, but final minAmountExpected guard and live previewBorrow mitigate.

  • Collateral/oracle: depends on oracle pricing; weak or stale oracles risk under-collateralization, needs system-level hardening.

  • Pool selection: can’t inject arbitrary pools; whitelist + factory validation required.

  • Fees: flatMatchingFee may be set high, but limited by InsufficientAmountReceived check.

  • Reentrancy: guarded with nonReentrant and safe ERC20; state updated before pool calls.

  • Allowances: orderbook manages approvals; user doesn’t expose pools directly.

  • DoS: paused pools skipped; match loops capped in length and gas.

  • Escrow correctness: limit orders require totalCollateral + fee ≤ escrowed; order canceled before pool calls, excess refunded.

Zellic © 2025Back to top ↑