Canto Liquidity Mining Protocol - ZanyBonzy's results

General Information

Platform: Code4rena

Start Date: 03/10/2023

Pot Size: $24,500 USDC

Total HM: 6

Participants: 62

Period: 3 days

Judge: LSDan

Total Solo HM: 3

Id: 288

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 29/62

Findings: 1

Award: $35.19

Analysis:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

analysis-advanced
grade-b
sufficient quality report
edited-by-warden
A-07

Awards

35.1935 USDC - $35.19

Approach taken in evaluating the codebase

  1. We began by thoroughly reviewing all the documentation related to the Canto liquidity mining protocol and Ambient Finance. We studied the docs, gitbook, technical guides, and other available resources. Here, we noted the main points, gained a clear understanding of how the protocol should function and its integrations, noted possible risk areas, and prepared a checklist of questions on unclear parts.
  2. After gaining an understanding of the protocol's structure, we used static analyzers and linters to detect basic errors, inconsistencies, and typos in the contracts.
  3. Once we understood how the platforms should operate, we started manual code inspection. We carefully inspected each section of the codebase, focusing specifically on areas that could expose common vulnerabilities in liquidity mining protocols, such as a user being able to withdraw more or less than their entitled amount, or earlier than the required time. We also looked for common smart contract vulnerabilities such as reentrancy, integer overflow/underflow, and loss of precision, while ensuring the code conforms to best programming practices, and documented any concerns identified. Finally, we compared the codebase with protocols of the same kind, noting similarities and differences in their implementations and the vulnerabilities previously found in those protocols.

Architecture recommendations

The contracts seem to be well structured, with each part appearing to perform its intended task. With one exception, functions are compact and easy to break down and comprehend. The test coverage is currently at 75%, which is satisfactory but could be improved. Error handling is adequate but could be enhanced by using custom errors instead of repetitive revert strings to save gas. The downcast of the timestamp to a much smaller integer range should also be kept in mind during future use and updates.
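To make the last two recommendations concrete, here is an added example (not code from the Canto or Ambient repositories; the contract, mapping and function names are invented) showing the flagged patterns beside the recommended form:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical illustration only; names do not come from the audited codebase.

/// Patterns the report flags: a revert string repeated across functions and a
/// silent narrowing of block.timestamp (uint256) into a uint32 slot.
contract CooldownBefore {
    mapping(address => uint32) public lastClaim;

    function claim(uint32 cooldown) external {
        // Explicit downcast truncates silently: no revert once block.timestamp
        // no longer fits in 32 bits (after 2^32 - 1 seconds since the epoch).
        uint32 nowTs = uint32(block.timestamp);
        require(nowTs >= lastClaim[msg.sender] + cooldown, "LiquidityMining: cooldown active");
        lastClaim[msg.sender] = nowTs;
    }
}

/// Same logic with custom errors (cheaper than ABI-encoded strings and able to
/// carry context) and an explicit range check before the downcast.
contract CooldownAfter {
    error CooldownActive(address user, uint32 readyAt);
    error TimestampOverflow(uint256 value);

    mapping(address => uint32) public lastClaim;

    function claim(uint32 cooldown) external {
        uint32 nowTs = toUint32(block.timestamp);
        // Checked arithmetic in 0.8.x reverts with a Panic if this addition overflows.
        uint32 readyAt = lastClaim[msg.sender] + cooldown;
        if (nowTs < readyAt) revert CooldownActive(msg.sender, readyAt);
        lastClaim[msg.sender] = nowTs;
    }

    /// Rejects values that would be truncated instead of wrapping them.
    function toUint32(uint256 value) internal pure returns (uint32) {
        if (value > type(uint32).max) revert TimestampOverflow(value);
        return uint32(value);
    }
}
```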

Codebase quality analysis

The codebase appears to be well-written. All necessary contracts and libraries have been imported to ensure smooth operation of the contracts. Required tests were performed to analyze the possible error scenarios. There did appear to be a number of non-critical issues, such as non-adherence to NatSpec and style guides, unnamed imports, etc. We recommend the use of linters and static analyzers to help flush these out.

Centralization risks

Centralization risks at this time cannot be fully ascertained. Governance exists and appears to be controlled by an external contract, CrocSwapDex.sol, which delegatecalls into the contracts within scope. It is important to note that centralization risks in that contract could pose a threat to the protocol.

Mechanism review

While not directly forked, the contracts were developed as sidecar contracts that plug into the Ambient.finance DEX using its proxy contract patterns. They serve as the interface for the CrocSwapDex contracts and are used to initialize tick tracking and to create and remove liquidity. The protocol utilizes a CLMM (Concentrated Liquidity Market Maker) similar to Uniswap v3 and a constant product AMM similar to Uniswap v2. The system should account for the potential risks and vulnerabilities associated with these AMMs, such as impermanent loss, price manipulation, sybil attacks, and so on.

Conclusion

The Canto Liquidity Mining Protocol offers a platform for liquidity mining and for incentivizing liquidity in Ambient pools deployed on Canto. The team has done an excellent job, as we did not find any significant issues during the audit of the codebase, which is commendable. We advise following the provided recommendations and also taking into account any issues raised by other auditors.

Time spent:

36 hours

#0 - c4-pre-sort

2023-10-09T17:25:30Z

141345 marked the issue as sufficient quality report

#1 - c4-judge

2023-10-19T16:21:34Z

dmvt marked the issue as grade-b
