Platform: Code4rena
Start Date: 12/08/2021
End Date: 14/08/2021
Period: 3 days
Status: Completed
Reporters: moneylegobatman, ninek
Pot Size: $30,000 USDC
Participants: 8
Judge: ghoulsol
Id: 25
League: ETH
cmichel | 1/8 | $14,292.10 | 7 | 3 | 3 | 2 | 1 | - | - | 0 |
shw | 2/8 | $5,340.34 | 4 | 1 | 1 | 1 | 1 | - | - | 0 |
moose-code | 3/8 | $4,435.42 | 2 | 1 | 1 | 1 | 0 | 0 | 0 | 0 |
0xRajeev | 4/8 | $2,366.82 | 2 | 0 | 0 | 0 | 0 | - | - | 0 |
hickuphh3 | 5/8 | $1,785.79 | 4 | 0 | 0 | 2 | 0 | - | - | 0 |
gpersoon | 6/8 | $819.45 | 2 | 0 | 0 | 0 | 0 | - | - | 0 |
JMukesh | 7/8 | $707.33 | 2 | 0 | 0 | 1 | 0 | - | 0 | 0 |
PierrickGT | 8/8 | $252.81 | 2 | 0 | 0 | 0 | 0 | - | - | 0 |
Yield v2 is a collateralized debt engine paired with a custom automated market maker.
The product offered by Yield v2 is fixed rate borrowing and lending.
There are 7 new contracts to Yield v2 as part of this micro-contest, and they are all in scope.
A simple permissioned factory for the deployment of FYToken contracts.
A minor variation on existing oracles to return the exchange rate of a cToken, so that it could be used as collateral.
A variation on existing oracles that allows combining data from several IOracle contracts on predetermined paths.
A reimplementation of the Timelock pattern, inheriting from AccessControl.sol and implementing batchable transactions.
A variation of the Timelock pattern, in which transactions that revoke permissions are stored so that compromised contracts can be isolated in emergencies.
A reimplementation of Unipool.sol, embedded in an ERC20 contract so that mint automatically stakes, and burn automatically unstakes.
A contract that allows YieldSpace liquidity providers to pool their LP tokens. The strategy swaps all funds to another pool on maturity in a semi-permissionless manner.
The contracts that were part of the previous contest had fixes applied, and sometimes significant refactorings.
The Cast*.sol libraries convert safely between different types. This contract didn't suffer any changes.
Fixed point division. This contract didn't suffer any changes.
Fixed point division, rounding up. This contract didn't suffer any changes.
Fixed point multiplication. This contract didn't suffer any changes.
Custom implementation of the ERC20 specifications. Differs from the ERC20 standard on when allowances are required and decreased, same as DS-Token.sol. This contract didn't suffer any significant changes; only natspec was added.
Extension of ERC20 to accept ERC2612 off-chain approvals. This contract had minor fixes for issues found in the previous contest.
Produces token descriptors from inconsistent or absent ERC20 symbol implementations that can return string or bytes32. This contract had minor fixes for issues found in the previous contest.
Adapted from Uniswap & BoringSolidity. Safe transferring of ERC20 tokens and Ether, regardless of reverts or return values. This contract didn't suffer any changes.
Adapted from Uniswap & BoringSolidity. Safe transferring of ERC20 tokens, regardless of reverts or return values. This contract didn't suffer any changes.
String utilities. This contract had significant fixes for issues found in the previous contest.
Extractor of revert messages from return data. This contract didn't suffer any changes.
Access control contract adapted from OpenZeppelin's AccessControl.sol. A role exists for each function in a contract, and if the auth modifier is present in a function, access must have been granted by the root account. The privileged account can grant and revoke roles, as well as root privileges. Root can lock functions, disabling any further changes in their access control, except for existing users renouncing granted roles. This contract didn't suffer any changes.
Contract to create a single privileged role that can be held by a single address. This contract didn't suffer any changes.
Calls Chainlink aggregators to return the value of an asset amount. Two contracts deployed, one for 18 and one for 8 decimals. This contract had minor improvements applied.
Calls Uniswap V3 pools to return the value of an asset amount. One contract deployed. This contract was removed from the scope.
Calls Compound cTokens to return the borrowing and lending rate. One contract deployed. This contract had minor improvements applied.
Asset holding. Only privileged accounts or contracts can move assets out of the Join, or ask the Join to take assets. Can serve ERC3156 flash loans. One contract per asset deployed. This contract had minor improvements applied.
Deployment of Joins. One contract. This contract was heavily refactored to remove the use of CREATE2.
ERC20 zero coupon bond, redeemable at maturity for underlying. Calls Join.sol to obtain funds to serve redemptions, and an Oracle to determine the savings rate, which will be applied to redemptions as well. Can be flash minted with no fees following the ERC3156 standard. Numerous contracts deployed. This contract had minor fixes for issues found in the previous contest.
Accounting system for Yield v2. The only external dependencies are towards rate oracles and spot oracles. All transactional functions require privileged access. The main function besides accounting is to reveal whether a vault is collateralized using the ink * price * ratio >= art * accrual * rate formula. One contract deployed. This contract had fixes for issues found in the previous contest, was refactored to remove the possibility of parallel liquidators, and got two helper external view functions added.
Routing and asset management for Yield v2. It has considerable privileges:
Storage variables for Ladle, so that Modules can inherit them and align their storage with the Ladle. This contract had minor removals.
Governance router. The Wand bundles governance calls into governance actions such as adding an asset or a series. This contract was refactored to allow reorchestrating after deployment, and the use of FYToken and Join factories.
Liquidations engine, same implementation from Yield v1, refactored. Calls the Ladle to move assets, and the Cauldron to obtain and release control of undercollateralized vaults. This contract was heavily refactored to remove the dependency with Ladle, behave correctly after maturity, and allow different parameters for different collaterals.
ABDK's Math64x64, upgraded to 0.8. Very complex math library, for which only a series of changes were made to use the 0.8 compiler. This file was replaced by the vendor's official version, and is now out of scope.
YieldSpace AMM curve implementation. Same curve implementation from Yield v1. It was refactored to make the math clearer. Uses Math64x64.sol. This file had minor fixes applied.
YieldSpace AMM implementation. Refactored from Yield v1, to add a TWAR oracle, single-asset mint and burn, and remove all transferFrom in favour of keeping track of balances. This file had minor fixes applied.
Deployment of YieldSpace Pools using CREATE2. This file had minor fixes applied.
Batching of calls to Pools, along with wrapping/unwrapping of Ether, management of off-chain approvals, and transfers of tokens from users to pools to kickstart transactions. This contract was removed from the scope.
Ladle and Witch suffered significant refactors, and are an area of concern. Among the new contracts, ERC20Rewards and Strategy have a moderate complexity and are liable to hold a large portion of the liquidity in Yield v2.