Oracle-manipulation-proof borrow cap

JustLend DAO's assessment for RD-F-073 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No borrow cap logic found in JustLend Comptroller source. Compound v2 original architecture did not include borrow caps; JustLend's source confirms this is unchanged. Without per-asset borrow caps, borrowing is limited only by collateral factor and account health. In an oracle manipulation scenario on a lower-liquidity TRON asset (e.g., JST, SUN, WBTT), an attacker could post inflated collateral and borrow uncapped amounts. This is a structural Compound v2 limitation and a material gap for oracle-manipulation-proof capital protection.

Sources #

GitHub
JustLend Protocol — Comptroller.solComptroller.sol: no _setBorrowCap or borrowCap[] variables found; no borrow cap enforcement present in the contract sourceretrieved 2026-05-17
URL
TastyCrypto — Aave vs JustLend vs Compound architecture comparisonCompound v2 architecture reference: original Compound v2 did not include borrow caps (added only in Compound v3); JustLend is a Compound v2 forkretrieved 2026-05-17

Methodology #

Determine whether the per-asset borrow cap is ≤ (oracle pool depth × manipulation-resistance multiplier).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol justlend factor RD-F-073 score red collected_at 2026-05-17 10:25:32