Summary
Sentiment is a permissionless on-chain credit system that allows users to post collateral for loans. The protocol consists of smart contract Accounts, Controller contracts, and Oracles. Borrowers create accounts to hold collateral and loaned assets, with actions performed by the Account Manager. Lenders supply liquidity and receive interest-bearing LTokens.
During the security assessment, three critical findings were identified. The first allows a malicious user to take control of another user's account and extract its tokens. The second is that the liquidation logic does not allow repaying outstanding borrows on eligible accounts, potentially shielding those accounts from liquidation. The third is incorrect calculation of ERC-20 token balances, leading to overvaluation or undervaluation of positions. These vulnerabilities can result in unfair liquidation of user positions and abuse of borrowing limits. Additionally, three medium-severity, eight low-severity, and 24 informational findings were identified.
The Sentiment team provided fixes for 33 findings, partially fixed two findings, and has acknowledged the remaining three issues. All critical-, medium-, and low-severity findings were fixed by the Sentiment team, with the exception of one low-severity issue for which they have an open pull request and are actively addressing.