88mph contest details
- $45k + 69 MPH main award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Ends 2021 May 19 23:59 UTC
This repo will be made public before the start of the contest.
88mph is a DeFi protocol for providing fixed-term fixed-rate interest. It does so by pooling deposits with differing maturations and fixed-rates together and putting the funds in a yield-generating protocol, such as Compound, Aave, and yEarn, to earn floating-rate interest. The debt incurred by the promised fixed-rate interest of a deposit is offered as floating-rate bonds (or fundings as referred to in the contracts), which someone can purchase in exchange for the floating-rate interest generated by the corresponding deposit. Buyers of floating-rate bonds thus speculate on the floating-rate yield generated by the underlying protocol, while decreasing the debt of the pool and the risk of insolvency.
The main contract is
DInterest, which users interact with to deposit funds to earn fixed-rate interest, withdraw their funds, or purchase floating-rate bonds.
Deposit & withdraw
When a user makes a deposit, their funds are transferred to the
IMoneyMarket contract owned by the
DInterest contract, which are then put to work in the underlying yield protocol. The user receives an ERC-721 NFT that represents the ownership of the deposit, which can be transferred.
Each deposit has a maturation date, after which the deposit NFT can be used to withdraw the deposited principal plus the promised fixed-rate interest. Before the maturation date, the user can also withdraw a deposit, though the fixed-rate interest would be forfeit, and an additional withdrawal fee would be applied. The user can choose to only withdraw a portion of a deposit.
The user may topup a deposit before its maturation, adding more principal to the deposit and earning more fixed-rate interest (albeit likely at a different fixed-rate). After a deposit is mature, the user can roll it over to create a new deposit using the principal + interest of the old deposit.
The NFT corresponding to a deposit is not burnt at any point, to preserve the potential artistic value of the metadata attached.
Buy floating-rate bond
When a user buys some floating-rate bonds of a particular deposit, the funds are transferred to
IMoneyMarket and deposited into the underlying yield protocol. The user will earn the future floating-rate interest generated by the portion of the deposit's principal whose debt is funded by the bond plus the funds used for purchasing the bond. For instance, if a 100 DAI deposit has 10 DAI of debt, then buying a FRB using 5 DAI will allow you to earn interest on (5 / 10) * 100 + 5 = 55 DAI.
The interest payout is triggered whenever a portion of the deposit is withdrawn, or when someone manually triggers a payout using
Money market is an abstract interface 88mphs uses to support different underlying yield protocols. Each protocol has its corresponding money market, for instance a
DInterest pool using Aave to generate interest will use
AaveMarket as its money market contract.
Money markets store all funds deposited into a
MPHMinter contract is in charge of the minting of MPH tokens. 88mph mints MPH tokens to reward users who make deposits or purchase floating-rate bonds. The governance treasury and the developer funds also receive MPH rewards any time new MPH is minted.
Whenever a user makes a deposit or purchases floating-rate bonds,
DInterest makes a call to
MPHMinter to mint MPH rewards. The reward could be vested using
Vesting02, or be distributed using
MPHMinter determines how much rewards to mint by consulting
Areas of concern
DInterest.sol: Most of the business logic is contained in this contract, so definitely the thing to focus on.
models/interest/LinearDecayInterestModel.sol: Determines how much fixed-rate interest to offer to each deposit, so an exploit here could lead to draining funds.
rewards/MPHMinter.sol: This contract handles all minting of the MPH token, so it's vital to the token economics of 88mph.
models/issuance/MPHIssuanceModel02.sol: Determines how much MPH rewards to mint, so a bug here is dangerous.
tokens/FundingMultitoken.sol: Represents floating-rate bonds. Particularly complex, with multiple inheritances, so might be error-prone.
- Many contracts inherit from
AccessControl, often with multiple roles, and there might be exploits allowing the attacker to gain roles with more power, or make it such that no account holds a particular role which may be problematic.
rewards/Vesting02.sol: Handles MPH reward vesting.
rewards/xMPH.sol: Staked MPH similar to xSUSHI.
After cloning the repo, in the project root directory, run the following to set up the environment:
npm install npm run prepare
Disable mainnet forking in
hardhat.config.js to speed up the tests.
npx hardhat docgen
The documentation is output to
prettier to format all files.
npm run prettier