Loud Mocha Platypus
Medium
Unlike the DBOLend and buyOrder which use the proxy pattern, they forget to use it in DBOFactory and instead directly always deploy the full implementation.
Notably, they initialize an implementationContract that is never used, but was meant to be used. This means they don't take advantage for the user to just deploy the lightweight proxy, costing massive amounts of gas to users over protocol's lifespan.
Because the creation of borrow orders are so fundamental to the protocol, and all users will have to pay much more gas deploying the entire implementation instead of the light-weight proxy, I see that this issue is Medium because of the amount of gas that is griefed to all users during use of the protocol.
See Summary.
See Summary.
See Summary.
See Summary.
~1M gas per borrow order created wasted on deploying the implementation instead of the lightweight proxy which was intended.
None
// Should match with the others and deploy proxy instead of implementation
// https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaBorrowOffer-Factory.sol#L106C9-L106C65
- DBOImplementation borrowOffer = new DBOImplementation();
+ DebitaProxyContract proxy = new DebitaProxyContract(implementationContract);
+ DBOImplementation borrowOffer = DBOImplementation(address(proxy));