Difference between revisions of "88mph (MPH)"

From CryptoWiki

 
Line 35: Line 35:


===Bugs/Exploits===
===Bugs/Exploits===
*From a [https://twitter.com/danielvf/status/1573440054793744385 thread] in which a white hacker found a bug around [[Timelock|timelocks]] and many projects being susceptible to it (24-9-2022):
 
* 88MPH Theft Of Unclaimed MPH Rewards Bugfix [https://medium.com/immunefi/88mph-theft-of-unclaimed-mph-rewards-bugfix-review-1dec98b9956b Review] by [[ImmuneFi|Immunefi]] (12-2022).
* From a [https://twitter.com/danielvf/status/1573440054793744385 thread] in which a white hacker found a bug around [[Timelock|timelocks]] and many projects being susceptible to it (24-9-2022):
 
''"88mph was vulnerable to a total governance takeover from a compromised admin key, as far as I could see. All funds, and all user approved funds, from all upgradable [[Smart Contract (SC)|contracts]]. The report for 88mph was closed by Immunefi as out of scope. I had a custom impact, "Total governance takeover".  Appeal with reasons why user funds could be stolen, was also denied. Made a new issue, copied the old over, and checked more impact boxes. Got the bug sent through.''
''"88mph was vulnerable to a total governance takeover from a compromised admin key, as far as I could see. All funds, and all user approved funds, from all upgradable [[Smart Contract (SC)|contracts]]. The report for 88mph was closed by Immunefi as out of scope. I had a custom impact, "Total governance takeover".  Appeal with reasons why user funds could be stolen, was also denied. Made a new issue, copied the old over, and checked more impact boxes. Got the bug sent through.''
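Review bot: The added Immunefi bullet dates its entry as (12-2022) while the entry directly below it uses a day-month-year date (24-9-2022), and the newer item is placed above the older one with nothing stating the list order. Use one date format for both entries and keep the ordering consistent with the rest of the section. The reworded thread bullet also still says "white hacker", which would read better as "white hat hacker".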



Latest revision as of 10:05, 8 December 2022

Basics

"It’s an Ethereum protocol allowing you to lend your crypto assets at a fixed interest rate or buy some floating-rate bonds."

History

"The first mainnet version was launched in April 2020, offering upfront fixed-rate interest, with a peer-to-contract approach. Though as you can imagine, upfront interest was a bad idea in terms of performance. So we discontinued the feature and just kept the brand when we launched the current version in late November 2020. Betoken was our first DeFi project, started in late 2017. Since then, we have worked as a duo under the baconlabs.dev umbrella, a company created in early 2020. Since mid-January 2021, 88mph has had its own legal entity."

Audits

"Three audits have been released for V3: Trail of Bits, Code423n4, and PeckShield. Two other audits have been made for previous versions, and all audits were completed before the code was implemented."

With the comment: "Impressive security, documentation and team transparency. Some room for improvement on testing and access controls."

  • Previously it scored a 79% (8-3-2021):

"88MPH has been audited by 4 different groups. It is concerning that 3 of the reports indicate only superficial concerns but the Quantstamp report lists a number of concerning issues on minting access/admin controls. PeckShield V2, PeckShield V3, QuantStamp, Certik ZC Bond Audit."

With the comment: "Pretty solid except weak testing and only the Quantstamp audit really seemed to check the details. Makes the Certik and Peckshield audits seem a little hollow. It is interesting to read all three as they review the same code."

"We work with PeckShield, Quantstamp, and Certik to help secure our code base."

Bugs/Exploits

  • 88MPH Theft Of Unclaimed MPH Rewards Bugfix Review by Immunefi (12-2022).
  • From a thread in which a white hat hacker found a bug around timelocks, with many projects being susceptible to it (24-9-2022):

"88mph was vulnerable to a total governance takeover from a compromised admin key, as far as I could see. All funds, and all user approved funds, from all upgradable contracts. The report for 88mph was closed by Immunefi as out of scope. I had a custom impact, "Total governance takeover". Appeal with reasons why user funds could be stolen, was also denied. Made a new issue, copied the old over, and checked more impact boxes. Got the bug sent through.

@88mphapp fixed the bug within a few hours of the report, then stayed in communication until payment. They bumped the severity down to medium and paid $5,000 in their own token. Other than the severity downgrade that I disagree with, near perfect response."

Governance

Admin Keys

"Governance has controls to the access controls, which is clearly labelled under the governance section. There is no information on access controls beyond a mention in a medium article, which has since been changed. There is a mention of change capabilities under governance in the documents. There is no mention of a pause control function in the documents. There is one documented use in a medium article, in which the pause control was used to prevent user fund theft on the 7th of June, 2021."

DAO

Treasury

"Whenever MPH is minted by new deposits in the fixed-rate bond pools, an additional 10% of the minted amount is minted and sent to the developer fund. The governance treasury also receives some MPH tokens, paid back by depositors when they withdraw their deposits. These MPH will be used by whatever the MPH holders decide on, ranging from protocol parameters to smart ways of using the capital assets stored in the treasury for creating new incentives, capitalization, and at the end growth."

Token

Launch

Token Allocation

  • From their docs (10-3-2021):

"An initial supply of 88,000 MPH was minted and will be distributed via liquidity mining. It begins at 12:00 pm PT 11/20/2020 and lasts 14 days.

The MPH total supply depends on TVL's growth. Currently, 88mph incentivizes the lenders to deposit their funds in the fixed-rate APY pools by rewarding them with new MPH distributed according to an issuance rate. The upcoming governance will be in charge of monitoring the protocol's parameters and deciding where the MPH rewards come from (new issuance and/or governance treasury).

Therefore, you can conclude that there isn't a maximum supply but the total supply is in the hands of the MPH holders."

Utility

  • By using the protocol you earn upfront $MPH tokens and system rewards (25-2-2021):

"The vision and mission of 88mph was always to offer a working product on mainnet on day 1, with a native token allowing us to socialize the revenues generated and the governance power. We tried our best to remove all the usual nonsense around the tokenomics.

Since day 1, 88mph distributes 100% of its revenues with the community. They come from the:

  1. 88mph protocol fee: 10% is deducted from the interest when a depositor withdraws.
  2. Yield-farming rewards: yield-farmed tokens earned from the protocols 88mph is connected to (COMP, FARM, etc.)."

Other Details

Stablecoin

Coin Distribution

Technology

Implementations

"We are dependent on the success of other protocols like Aave, Compound, Harvest, Yearn, Curve, The Graph."

How it works

Fees

Upgrades

Staking

Liquidity Mining

Scaling

Interoperability

Other Details

Oracle Method

Privacy Method

Compliance

"We are currently working with our law firm to get a ruling from the FINMA regarding the MPH token. It doesn’t mean much but it’s already a first step in the long journey toward compliance."

Their Other Projects

Roadmap

  • Can be found [Insert link here].

"Some proposals currently evaluated:

  1. An insurance fund financed by the gov treasury or something similar to a safety module, that grows according to protocol activity to be the buyer of last resort alongside insurance products like Cover or other insurance products covering specific financial risks.
  2. Credit default swap built in partnership with another protocol.

Lastly, in a few days, we’ll release our ERC20 zero-coupon bonds that represent the first step towards structured products on top of 88mph."

Usage

Projects that use or built on it

"The most interesting part is that 88mph is currently used as a base layer by other protocols to build cool stuff (Debasonomics, Mushrooms Finance, Dollar protocol, etc)."

Competition

Pros and Cons

Pros

Cons

Team, Funding, Partnerships, etc.

Team

"We are 2 members in the core team. Zefram and myself. We bootstrapped everything on our own and financed our first audits by selling a white labelled version of betoken.fund."

Funding

Partners
