• $45k + 69 MPH main award pot
• Join C4 Discord to register
• Submit findings using the C4 form
• Read our guidelines for more details
• Ends 2021 May 19 23:59 UTC

This repo will be made public before the start of the contest.

88mph is a DeFi protocol for providing fixed-term fixed-rate interest. It does so by pooling deposits with differing maturations and fixed-rates together and putting the funds in a yield-generating protocol, such as Compound, Aave, and yEarn, to earn floating-rate interest. The debt incurred by the promised fixed-rate interest of a deposit is offered as floating-rate bonds (or fundings as referred to in the contracts), which someone can purchase in exchange for the floating-rate interest generated by the corresponding deposit. Buyers of floating-rate bonds thus speculate on the floating-rate yield generated by the underlying protocol, while decreasing the debt of the pool and the risk of insolvency.

The main contract is DInterest, which users interact with to deposit funds to earn fixed-rate interest, withdraw their funds, or purchase floating-rate bonds.

When a user makes a deposit, their funds are transferred to the IMoneyMarket contract owned by the DInterest contract, which are then put to work in the underlying yield protocol. The user receives an ERC-721 NFT that represents the ownership of the deposit, which can be transferred.

Each deposit has a maturation date, after which the deposit NFT can be used to withdraw the deposited principal plus the promised fixed-rate interest. Before the maturation date, the user can also withdraw a deposit, though the fixed-rate interest would be forfeit, and an additional withdrawal fee would be applied. The user can choose to only withdraw a portion of a deposit.

The user may topup a deposit before its maturation, adding more principal to the deposit and earning more fixed-rate interest (albeit likely at a different fixed-rate). After a deposit is mature, the user can roll it over to create a new deposit using the principal + interest of the old deposit.

The NFT corresponding to a deposit is not burnt at any point, to preserve the potential artistic value of the metadata attached.

When a user buys some floating-rate bonds of a particular deposit, the funds are transferred to IMoneyMarket and deposited into the underlying yield protocol. The user will earn the future floating-rate interest generated by the portion of the deposit's principal whose debt is funded by the bond plus the funds used for purchasing the bond. For instance, if a 100 DAI deposit has 10 DAI of debt, then buying a FRB using 5 DAI will allow you to earn interest on (5 / 10) * 100 + 5 = 55 DAI.

The interest payout is triggered whenever a portion of the deposit is withdrawn, or when someone manually triggers a payout using DInterest.payInterestToFunders().

Money market is an abstract interface 88mphs uses to support different underlying yield protocols. Each protocol has its corresponding money market, for instance a DInterest pool using Aave to generate interest will use AaveMarket as its money market contract.

Money markets store all funds deposited into a DInterest pool.

The MPHMinter contract is in charge of the minting of MPH tokens. 88mph mints MPH tokens to reward users who make deposits or purchase floating-rate bonds. The governance treasury and the developer funds also receive MPH rewards any time new MPH is minted.

Whenever a user makes a deposit or purchases floating-rate bonds, DInterest makes a call to MPHMinter to mint MPH rewards. The reward could be vested using Vesting or Vesting02, or be distributed using FundingMultitoken.distributeDividends(). MPHMinter determines how much rewards to mint by consulting MPHIssuanceModel02.

• DInterest.sol: Most of the business logic is contained in this contract, so definitely the thing to focus on.
• models/interest/LinearDecayInterestModel.sol: Determines how much fixed-rate interest to offer to each deposit, so an exploit here could lead to draining funds.
• rewards/MPHMinter.sol: This contract handles all minting of the MPH token, so it's vital to the token economics of 88mph.
• models/issuance/MPHIssuanceModel02.sol: Determines how much MPH rewards to mint, so a bug here is dangerous.

• tokens/FundingMultitoken.sol: Represents floating-rate bonds. Particularly complex, with multiple inheritances, so might be error-prone.
• Many contracts inherit from AccessControl, often with multiple roles, and there might be exploits allowing the attacker to gain roles with more power, or make it such that no account holds a particular role which may be problematic.
• rewards/Vesting02.sol: Handles MPH reward vesting.
• rewards/xMPH.sol: Staked MPH similar to xSUSHI.

After cloning the repo, in the project root directory, run the following to set up the environment:

npm install
npm run prepare

npm test

Disable mainnet forking in hardhat.config.js to speed up the tests.

npx hardhat docgen

The documentation is output to /docgen.

Use prettier to format all files.

npm run prettier

Read DEPLOY_README.md