Summary
This report contains the results of Arbitrary Execution’s security assessment of Sentiment’s Controller and Oracle smart contracts. Sentiment is a permissionless, undercollateralized on-chain credit system that allows users to post assets as collateral in exchange for loans. The protocol uses smart contract Accounts to hold collateral and loans, Controller contracts to interact with external protocols, and Oracles to receive pricing data for assets.
Note: The core protocol was not in scope for this engagement. It will be reviewed in a separate report.
During the security assessment, 15 vulnerabilities were found in the Sentiment Controller and Oracle smart contracts. These included a medium severity issue in the Chainlink oracle that could affect the Risk Engine's calculations when issuing loans. Low severity issues were identified in the ownership transfer logic of the Oracle and Controller contracts, as well as in the way the Controller Facade batches external calls. Other low severity findings involved edge cases and security best practices when interfacing with external contracts. Informational findings covered code hygiene, documentation, and other best practices.
All major issues have been fixed or acknowledged by Sentiment, and the L02 vulnerability was addressed with off-chain monitoring. The detailed breakdown of fixes can be found in the Fixes Summary section.