Feat/deepbook

[funkiirabu]

Note

Deferred future work

• Marks DeepBook integration and Marketplace v2 (Bid System) as ⏸️ deferred across README.md, LOANS.md, MARKETPLACE.md, PLAN.md, and spec/tide-core-v1.md
• Adds/updates spec/deepbook-integration-v1.md with a simplified 3-phase roadmap (rates + liquidity via BalanceManager, flash liquidations (keep only), DEEP rewards) and removal/deferment of complex features
• Adds spec/marketplace-v2.md as deferred reference; updates links/status labels in related docs

Current v1 stance

• Reaffirms treasury-funded loans, fixed 5% APR, standard liquidations; documents clear criteria to revisit DeepBook (≥50% utilization, 3+ issuers, demand for dynamic rates)

Scope

• Documentation/spec-only changes; no contract code changes

^{Written by Cursor Bugbot for commit 82f65f9. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 5 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

This PR is being reviewed by Cursor Bugbot

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Duplicate error code values make debugging ambiguous

Medium Severity

EInsufficientLiquidity and EInsufficientProceeds are both assigned the value 3. When an error occurs, it will be impossible to distinguish between these two different failure conditions, making debugging difficult and potentially causing incorrect error handling in callers.

 

[cursor]

DEEP rewards can be claimed multiple times

High Severity

The claim_deep function lacks any mechanism to track whether a pass has already claimed for the current distribution round. A user could call this function repeatedly with the same SupporterPass to drain the entire DEEP pool. The DeepRewardsPool struct has no field tracking claims, and the function doesn't update any state to prevent re-claiming.

Additional Locations (1)

• spec/deepbook-integration-v1.md#L1083-L1096

 

[cursor]

Repay function accounting mismatch causes underflow

Medium Severity

The repay function subtracts the full repayment amount from pool.outstanding, but outstanding only tracks principal (incremented by borrowed amount in borrow). Since loans accrue interest via get_rate(), repayments include principal plus interest. This asymmetry causes pool.outstanding to underflow when total repayments exceed total principal borrowed.

Additional Locations (1)

• spec/deepbook-integration-v1.md#L832-L835

 

[cursor]

No validation that balance_manager matches the pool

High Severity

The TideLendingPool stores balance_manager_id to track its associated BalanceManager, but deposit_liquidity, withdraw_liquidity, borrow, and repay all accept balance_manager as a separate parameter without validating that object::id(balance_manager) == pool.balance_manager_id. A caller could pass a mismatched balance manager, causing funds to flow to/from the wrong account while the pool's accounting is updated incorrectly.

Additional Locations (2)

• spec/deepbook-integration-v1.md#L920-L933
• spec/deepbook-integration-v1.md#L938-L951

 

[cursor]

Division by zero when total shares is zero

Medium Severity

The start_distribution function sets snapshot_total_shares from capital_vault.total_shares() without checking if it's zero. If called when there are no backers, claim_deep will crash with a division by zero when computing share_bps = (pass.shares * 10000) / pool.snapshot_total_shares.

Additional Locations (1)

• spec/deepbook-integration-v1.md#L1138-L1139