Intro

Sentiment is a DeFi protocol that provides users with permissionless, undercollateralized, on-chain credit. The protocol supports three primary user types: borrowers, lenders, and maintainers. Borrowers take out undercollateralized loans and can deploy the borrowed assets in other protocols. Lenders provide liquidity to the protocol in exchange for interest-bearing tokens. Maintainers monitor the protocol for accounts at risk of being unable to repay their debts and liquidate them.

Challenge

The problem Sentiment sets out to solve is providing a secure implementation of undercollateralized lending. To do so, Sentiment had to design a protocol that both protects users and gives them an incentive to participate as borrowers or lenders.

Several challenges stand in the way of these goals. Because Sentiment cross-margins assets, the health of an account depends on accurate valuations of both its collateral and its borrowed assets. Borrowers need to be confident that those valuations are kept up to date and are not undermined by faulty or manipulated external price oracles. Borrowers also need a large enough gain in capital efficiency to make using Sentiment worthwhile.

This increase in capital efficiency, however, tends to be at odds with the goal of protecting lenders. It is the inherent risk of undercollateralized lending from the lender's perspective: if the collateral is worth less than the loan, how does the lender recoup the loss when the borrower cannot repay? Lenders need to be confident that the mechanisms the protocol puts in place to protect their deposits are bug-free and cannot be bypassed.

Solution

Many of these challenges come down to whether the protocol's implementation is secure. A third-party audit offered an opportunity for security experts to evaluate the protocol and recommend ways to make it more secure. Arbitrary Execution (AE) was one of the organizations selected to perform this work.

AE performed a security audit of all the major on-chain components of the protocol: the oracles, the controller, and the core protocol code. The audit focused on finding exploitable vulnerabilities. A team of auditors reviewed each smart contract line by line, and the audit team also ran all of the code through custom static analysis tooling.

The audit team applied additional scrutiny to the code responsible for keeping the assets of both borrowers and lenders secure, since the correctness of that code addresses some of the biggest challenges to the success of the protocol.

Results

The audit of the Sentiment protocol code produced a total of 53 findings, ranging in severity from informational to critical. Three findings were rated critical, meaning they described vulnerabilities whose exploitation could have caused catastrophic damage to the protocol and its reputation. Identifying these vulnerabilities and guiding their remediation made the Sentiment protocol more secure, and having had the protocol audited helps build user confidence in it. Today, Sentiment manages over $2.3 million worth of assets in its liquidity pools.