# Audit completion by Hacken This thorough security audit checked and ensured the following imperative points as 2 main Categories (1) Code review (2) Functional. The audit report contains all found security vulnerabilities and other issues in the reviewed code. As a result of the audit, There are no critical issues in our contracts. Besides, Hacken’s security engineers found 4 high, 4 medium, and 3 low severity issues. Overall, after the auditing process, Hacken evaluated Trava’s contracts as **Well-Secured** (the highest level of security as the assessment). ## **Severity High** There is one issue regarding the implementation function and three issues regarding uninitialized state variables: * Issue 1 (unimplemented function): The logic of function finalizeTranfer has commented-out unimplemented logic. We heeded the advice and resolved these issues. * Issues 2, 3, 4 (uninitialized state variables): Some state variables are not initialized for the contract LendingPoolCollateralManager but they are being called. * Trava’s Response: We consider the contract LendingPoolCollateralManager as a Logic Contract where we execute our code by using delegate call from LendingPool Contract. That explains why we don’t initialize the state for that variable. * Following the verification, Hacken determined that these are not issues. ## **Severity Medium** There are three Issues concerning coding styles and Gas Optimization. They relate to unused imports, Not checked contract address, and No event on lendingPoolConfigurator change. We heeded the advice and resolved these issues. There is one Issue concerning Possible FlashLoan attack in the LendingPool contract. Despite the fact that we do not believe this attack could happen in real life, we took great care in resolving the problem. Description: IF both of TToken and its underlyingAsset are traded on multiple DEXes and have different rates there could be a FlashLoan attack. Attackers could FlashLoan a TToken, and process withdraw, which will give then the exact same amount of the underlyingAsset, and then calling deposit, they will receive the same amount of TToken. Having the 1-to-1 “exchange” on the LendingPool and different rates on DEXes, attackers could “play” with the market many times in one transaction until they receive enough rewards. The same would work to borrow methods. So anyone could borrow without having assets but FlashLoaning them. The same would work to borrow methods. So anyone could borrow without having assets but FlashLoaning them. Hacken’s Recommendation: Consider some restrictions like minting/returning assets in the next block only. Trava’s solution: Token transfer restrictions for transferring in the same block where minting occurred. After the verification, Hacken concluded that the issue had been resolved completely. ## **Severity Low** There are three Issues concerning coding styles and Gas Optimization. They relate to Unused state variable, public/external function, Unused function argument. We heeded the advice and resolved these issues. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.trava.finance/security/audit-completion-by-hacken.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.