Ondo Finance - m4ttm's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 41/70

Findings: 1

Award: $18.85

Analysis: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

18.8458 USDC - $18.85

Labels

analysis-advanced
grade-b
sufficient quality report
A-03


1. Audit Approach

Step | Task             | Details
1    | Run Tests        | Tests run successfully
2    | Coverage         | ~80% test coverage for contracts in audit scope
3    | Slither          | Reviewed Slither results; no vulnerabilities discovered based on the output
4    | Surya            | Generated graphs to understand the overall project structure; provided an initial insight into the contract inheritance and function call flow
5    | Solidity Metrics | Generated metrics reports to obtain initial insight into the codebase, noting areas of potential concern
6    | Code Review      | Line-by-line code review
7    | Test Review      | Review of each test and its purpose

2. Mechanism Summary

USDY is a stablecoin previously introduced by Ondo Finance and can be wrapped into rUSDY, a new rebasing variant. rUSDY uses a newly developed oracle, RWADynamicOracle, to determine the USDY price. A bridge is also introduced to make the token usable across multiple chains, using the SourceBridge and DestinationBridge contracts.

3. Centralisation Risks

USDY is a centrally managed, upgradable contract. The admin is able to change the code, which could prevent the contract from working as intended and, in the worst case, allow the admin to steal users' funds.

4. Quality Analysis

4.1 Codebase

The code is well structured and organised into separate contracts, each with a clear purpose. NatSpec comments are used well throughout the codebase. The automated findings show that some gas-saving conventions are ignored and should be taken into consideration, such as using custom errors instead of reverting with a string and marking constants private.

4.2 Documentation

The code is well commented with NatSpec comments, which are clear and informative. This could be improved by adding supplementary external documentation with diagrams outlining the workings of the core functionality.

4.3 Tests

Tests are clearly structured and cover most of the core functionality but coverage could be better than 80%. Testing could be further improved with the use of fuzz testing, or formal verification to give users the extra assurance that their funds are safe.

5. Architecture Improvements

5.1 Use an off chain deployment script instead of a factory contract

rUSDYFactory is used to deploy rUSDY and set up the proxy. This could be done off chain with a deployment script, which keeps unnecessary code off chain and saves gas.
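The following Foundry script is an added illustration of the off-chain deployment approach suggested above; it is not code from the Ondo Finance repository or from the original report. It assumes OpenZeppelin's TransparentUpgradeableProxy and ProxyAdmin, an import path of contracts/usdy/rUSDY.sol, a parameterless rUSDY constructor, and a hypothetical initialize(guardian, usdy, oracle) initializer, none of which are stated on the page. After deployment it reads the EIP-1967 implementation and admin slots to confirm the proxy points where expected, and hands ProxyAdmin ownership to the guardian so that the upgrade authority discussed under centralisation risks is explicit and verifiable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

import {Script, console2} from "forge-std/Script.sol";
import {ProxyAdmin} from "@openzeppelin/contracts/proxy/transparent/ProxyAdmin.sol";
import {TransparentUpgradeableProxy} from "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";
// Assumed import path; the real location of rUSDY.sol is not given on the page.
import {rUSDY} from "contracts/usdy/rUSDY.sol";

/// Hypothetical initializer interface. The actual rUSDY initializer
/// signature is an assumption here and must be matched to the real contract.
interface IrUSDYInit {
    function initialize(address guardian, address usdy, address oracle) external;
}

contract DeployRUSDY is Script {
    // EIP-1967 storage slots: keccak256("eip1967.proxy.implementation") - 1
    // and keccak256("eip1967.proxy.admin") - 1.
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    bytes32 internal constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    function run() external returns (address proxy, address implementation, address admin) {
        // Dependencies come from environment variables so nothing is hard-coded.
        address guardian = vm.envAddress("GUARDIAN");
        address usdy = vm.envAddress("USDY");
        address oracle = vm.envAddress("RWA_DYNAMIC_ORACLE");

        vm.startBroadcast();

        // 1. Deploy the logic contract (assumed to have no constructor arguments).
        rUSDY impl = new rUSDY();

        // 2. Deploy a ProxyAdmin; the broadcasting key owns it for now.
        ProxyAdmin proxyAdmin = new ProxyAdmin();

        // 3. Deploy the proxy and run the initializer atomically in the constructor,
        //    so there is no window in which an uninitialized proxy is live.
        bytes memory initData = abi.encodeCall(IrUSDYInit.initialize, (guardian, usdy, oracle));
        TransparentUpgradeableProxy p =
            new TransparentUpgradeableProxy(address(impl), address(proxyAdmin), initData);

        // 4. Hand upgrade authority to the guardian so the deployer key holds nothing.
        proxyAdmin.transferOwnership(guardian);

        vm.stopBroadcast();

        // Post-deployment checks: read the EIP-1967 slots directly rather than
        // trusting return values, and abort if the wiring is not as expected.
        address slotImpl = address(uint160(uint256(vm.load(address(p), IMPL_SLOT))));
        address slotAdmin = address(uint160(uint256(vm.load(address(p), ADMIN_SLOT))));
        require(slotImpl == address(impl), "implementation slot mismatch");
        require(slotAdmin == address(proxyAdmin), "admin slot mismatch");
        require(proxyAdmin.owner() == guardian, "ProxyAdmin owner is not guardian");

        console2.log("rUSDY proxy:", address(p));
        console2.log("rUSDY implementation:", address(impl));
        console2.log("ProxyAdmin (owned by guardian):", address(proxyAdmin));

        return (address(p), address(impl), address(proxyAdmin));
    }
}
```

Run with `forge script script/DeployRUSDY.s.sol --rpc-url $RPC_URL --broadcast` after exporting GUARDIAN, USDY and RWA_DYNAMIC_ORACLE. Because the deployment logic lives in the script rather than in a factory contract, no factory bytecode is stored on chain, and the slot checks give reviewers a reproducible way to confirm which address can change the rUSDY code.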

Time spent:

20 hours

#0 - c4-pre-sort

2023-09-08T14:47:30Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2023-09-24T07:05:36Z

kirk-baird marked the issue as grade-b
