---
title: CertiK Client Feedback from Deerfi
tags: audit-feedback
---

CertiK Client Feedback from Deerfi
===

<!-- Client Feedback Form should be submitted for every **formal** discussion with clients. Use 10 mins to finish it and push to the project git repo through the hackmd embedded plugin: https://hackmd.io/c/tutorials/%2Fs%2Flink-with-github -->

###### tags: `Feedback` `Audit`

:::info
<!-- Participants should include all names of BDs, Engineers who join the discussion -->
- **Client:** Deerfi
- **Date:** Nov 11, 2020
- **Participants:** buyun.xu@certik.com, guilong.li@certik.com
- **Reference:**
    - [Last week meeting minute](/s/template-meeting-note)
:::

---

:mag: Discussion Findings
---
<!-- List all discuss topics in the meeting that you think worthy note in the process of the audit. Not necessarily list here all vulnerabilities found in the project. List -->

| Index | Type | Issue Description | Client's Feedback | Auditor's Comments | Solved? | Solution |
| ------------- | ------- | ------------ | ------------- | -------- | -------- | -------- |
| 1 | Concerns from our client | Client requested an analysis of a related [news item](https://peckshield.medium.com/cheese-bank-incident-root-cause-analysis-d076bf87a1e7) | Client worried about whether their project was vulnerable to flash loan attacks | Deerfi should not have this issue; see the detailed analysis below | Y | |

:closed_book: Comments
--

News: https://peckshield.medium.com/cheese-bank-incident-root-cause-analysis-d076bf87a1e7

Cheesebank.io was hit by a flash loan attack and lost 3.3 million dollars.

In light of the above news, the client worried about whether their project was vulnerable to flash loan attacks.

Answer: Deerfi is a fork of Compound plus the Chainlink price oracle. Compound was audited by Zeppelin. Chainlink is a mainstream price oracle now. Neither project has this issue. The issue is with the project Cheesebank.io itself.
The crucial step in this incident is that Cheese Bank uses the amount of WETH in a liquidity pool to estimate the price of the corresponding LP token.
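
To show why that valuation is unsafe, the following added example (not code from Cheese Bank, Deerfi, or these meeting notes) prices an LP token two ways before and after one large swap. The pool sizes, prices, function names, and the exact form of the reserve-based formula are constructed assumptions. The hardened variant, which values the pool from its invariant and external oracle prices, is a commonly used alternative that these notes do not discuss.

```python
from math import sqrt

class Pool:
    """Constant-product pool (weth * token = k). Fees ignored for clarity."""
    def __init__(self, weth, token, lp_supply):
        self.weth, self.token, self.lp_supply = weth, token, lp_supply

    def swap_weth_in(self, amount):
        """Deposit WETH, withdraw tokens, keeping weth * token constant."""
        k = self.weth * self.token
        self.weth += amount
        out = self.token - k / self.weth
        self.token -= out
        return out

def lp_price_from_weth_reserve(pool, weth_usd):
    """Weak: assumes the pool is balanced and trusts its current WETH
    balance, which anyone can change within a single transaction."""
    return 2 * pool.weth * weth_usd / pool.lp_supply

def lp_price_fair(pool, weth_usd, token_usd):
    """Hardened: derives value from the invariant k and external oracle
    prices. A swap leaves k unchanged, so the result does not move."""
    k = pool.weth * pool.token
    return 2 * sqrt(k * weth_usd * token_usd) / pool.lp_supply

def demo():
    # Constructed sample values; oracle prices come from outside the pool.
    weth_usd, token_usd = 400.0, 1.0
    pool = Pool(weth=1_000.0, token=400_000.0, lp_supply=20_000.0)
    result = {
        "weak_before": lp_price_from_weth_reserve(pool, weth_usd),
        "fair_before": lp_price_fair(pool, weth_usd, token_usd),
    }
    # One large swap, the kind of liquidity a flash loan makes available.
    pool.swap_weth_in(3_000.0)
    result["weak_after"] = lp_price_from_weth_reserve(pool, weth_usd)
    result["fair_after"] = lp_price_fair(pool, weth_usd, token_usd)
    return result

if __name__ == "__main__":
    for name, usd in demo().items():
        print(f"{name}: {usd:.2f} USD per LP token")
```

A lending protocol that accepts LP tokens as collateral at the reserve-based price would overvalue that collateral for the duration of the transaction, while a price built on an external oracle stays put.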