Omniscia Bonq Audit
token-to-price-feed Manual Review Findings
TOK-01M: Potentially Incorrect Interface Import
Type | Severity | Location |
---|---|---|
Logical Fault | | token-to-price-feed.sol:L6 |
Description:
The interface that is imported by the codebase contains function definitions that should not be present in a production-ready price feed implementation, such as setPrice.
Example:
```solidity
import "./interfaces/IExternalPriceFeed.sol"; // token-to-price-feed.sol:L6
```
Recommendation:
We advise that the interface used be revised and that the actual external protocol the project interfaces with be explicitly listed in the codebase.
Alleviation:
The Bonq Protocol team has not made any changes in the source code to resolve this issue; however, such oracles will not be utilized by the system in the production version of Bonq, and as such we consider this exhibit nullified.
TOK-02M: Inexistent Protection of MCR
Type | Severity | Location |
---|---|---|
Logical Fault | | token-to-price-feed.sol:L38 |
Description:
The Minimum-Collateral-Ratio (MCR) value should always represent a percentage that is above 100% as otherwise the tokenomic guarantees of the borrowing model will fail.
Impact:
An MCR value less than 100% will cause the underlying issued token to de-peg and have wider implications for the Bonq ecosystem.
Example:
```solidity
/// @dev to set or change priceFeed contract for token
/// @param _token address of the token
/// @param _priceFeed address of the PriceFeed contract for token
/// @param _mcr minimal collateral ratio of the token
function setTokenPriceFeed(
    address _token,
    address _priceFeed,
    uint256 _mcr
) public onlyOwner {
    if (tokenPriceFeeds[_token] != _priceFeed) {
        tokenPriceFeeds[_token] = _priceFeed;
        IMintableToken token = IMintableToken(_token);
        emit NewTokenPriceFeed(_token, _priceFeed, token.name(), token.symbol(), (DECIMAL_PRECISION * _mcr) / 100);
    }
    MCR[_token] = (DECIMAL_PRECISION * _mcr) / 100; // L38: _mcr is stored without a lower bound
}
```
Recommendation:
We advise this to be imposed by a require check enforced at the setTokenPriceFeed level.
Alleviation:
The Bonq Protocol team has added a require statement to validate that the MCR value cannot be below 100.
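One way the check described in TOK-02M could be enforced, as an added example that is not the Bonq team's actual fix. The ITokenMetadata interface, the contract name, the 1e18 value of DECIMAL_PRECISION, the event signature, the owner handling and the revert strings are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical stand-in for IMintableToken: only the two getters the event needs.
interface ITokenMetadata {
    function name() external view returns (string memory);
    function symbol() external view returns (string memory);
}

contract TokenToPriceFeedExample {
    uint256 public constant DECIMAL_PRECISION = 1e18; // assumed scaling factor
    uint256 public constant MIN_MCR_PERCENT = 100;    // floor named in the alleviation

    address public immutable owner;
    mapping(address => address) public tokenPriceFeeds;
    mapping(address => uint256) public MCR; // ratio scaled by DECIMAL_PRECISION

    // Assumed event shape, mirroring the arguments emitted in the audited snippet.
    event NewTokenPriceFeed(address token, address priceFeed, string name, string symbol, uint256 mcr);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// @param _mcr minimal collateral ratio of the token, in percent (120 = 120%)
    function setTokenPriceFeed(address _token, address _priceFeed, uint256 _mcr) public onlyOwner {
        // Validate before any state write: the MCR assignment below runs even
        // when the price feed is unchanged, so the check must sit outside the if.
        require(_mcr >= MIN_MCR_PERCENT, "MCR below 100%");
        uint256 scaledMcr = (DECIMAL_PRECISION * _mcr) / 100;

        if (tokenPriceFeeds[_token] != _priceFeed) {
            tokenPriceFeeds[_token] = _priceFeed;
            ITokenMetadata token = ITokenMetadata(_token);
            emit NewTokenPriceFeed(_token, _priceFeed, token.name(), token.symbol(), scaledMcr);
        }
        MCR[_token] = scaledMcr;
    }
}
```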