Union is a p2p credit network protocol for permissionless underwriting and borrowing that adds support for arbitrary decimal tokens.
On what chains are the smart contracts going to be deployed?
Any EVM compatible network
If you are integrating tokens, are you allowing only whitelisted tokens to work with the codebase or any complying with the standard? Are they assumed to have certain properties, e.g. be non-reentrant? Are there any types of weird tokens you want to integrate?
USDC, USDT, DAI
Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths?
No
Are there any limitations on values set by admins (or other roles) in protocols you integrate with, including restrictions on array lengths?
No
For permissioned functions, please list all checks and requirements that will be made before calling the function.
n/a
Is the codebase expected to comply with any EIPs? Can there be/are there any deviations from the specification?
no
Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, arbitrage bots, etc.)?
There are keeper bots that do two things. Firstly, they mark any borrows that are overdue. Secondly, they write off debts that pass the overdue grace period.
The script can be found here: https://github.com/unioncredit/union-gov-actions/blob/main/src/updateOverdue.js.
It basically loops through all the borrowers and marks those overdue by calling userManager.batchUpdateFrozenInfo(stakers)
Are there any hardcoded values that you intend to change before (some) deployments?
no
If the codebase is to be deployed on an L2, what should be the behavior of the protocol in case of sequencer issues (if applicable)? Should Sherlock assume that the Sequencer won't misbehave, including going offline?
If the sequencer goes offline, Union will continue to accrue interest except no one will be able to repay. Union assumes the sequencer won't misbehave.
Should potential issues, like broken assumptions about function behavior, be reported if they could pose risks in future integrations, even if they might not be an issue in the context of the scope? If yes, can you elaborate on properties/invariants that should hold?
no
Please discuss any design choices you made.
If someone doesn't repay, the person that underwrote them will not be able to get money back. This is not a bug, this is credit.
Please list any known issues and explicitly state the acceptable risks for each known issue.
n/a
We will report issues where the core protocol functionality is inaccessible for at least 7 days. Would you like to override this value?
no
Please provide links to previous audits (if any).
Please list any relevant protocol resources.
docs.union.finance
Additional audit information.
Focus on the PR updating Union to accommodate arbitrary decimal tokens (https://github.com/unioncredit/union-v2-contracts/pull/172) but any issues in the contracts are fair game.
Total Rewards
Contest Pool
Lead Senior Watson
Judging Pool
Lead Judge
12,500 USDC
9,000 USDC
700 USDC
800 USDC