A new DeFi primitive that allows any token to become productive and provide FEI liquidity at no cost to the markets that need it most.
Platform: Code4rena
Start Date: 09/09/2022
End Date: 12/09/2022
Period: 3 days
Status: Completed
Pot Size: $42,000 USDC
Participants: 101
Reporter: liveactionllama
Judge: hickuphh3
Id: 161
League: ETH
rvierdiiev | 1/101 | $18,947.65 | 2 | 0 | 0 | 1 | 1 | - | 0 | 0 |
cccz | 2/101 | $18,933.67 | 2 | 0 | 0 | 1 | 1 | - | 0 | 0 |
GalloDaSballo | 3/101 | $328.66 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
pauliax | 4/101 | $197.19 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
CertoraInc | 5/101 | $134.09 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
0x1f8b | 6/101 | $81.81 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
hansfriese | 7/101 | $81.81 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
R2 | 8/101 | $81.81 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
rbserver | 9/101 | $57.64 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
Lambda | 10/101 | $47.65 | 1 | 0 | 0 | 0 | 0 | - | 0 | 0 |
Setup TLDR:
```bash
# Install dependencies:
npm install && npm run setup:forge

# Allocate additional ram for Hardhat/Node*:
export NODE_OPTIONS=--max-old-space-size=6144

# Build and compile contracts (both via hardhat *and* forge) and generate types:
npm run build

# Run forge tests:
npm run test

# Run hardhat tests (takes >10min and may need a prior `export NODE_OPTIONS=--max-old-space-size=8192` to avoid an out of memory error):
npm run test:hardhat

# * do not allocate more RAM in megabytes than your computer has, or this will fail
```
To Run Slither:
```bash
slither --solc-remaps '@openzeppelin/=node_modules/@openzeppelin/ @chainlink/=node_modules/@chainlink/ @uniswap/=node_modules/@uniswap/ @rari-capital/=node_modules/@rari-capital/ @orcaprotocol/=node_modules/@orcaprotocol/ @ensdomains/=node_modules/@ensdomains/ @gnosis.pm/=node_modules/@gnosis.pm/ ds-test/=contracts/test/libs/forge-std/lib/ds-test/src/ forge-std/=contracts/test/libs/forge-std/src/' contracts/pcv/PCVGuardian.sol ./contracts/contract/you-want-to-test.sol
```
| File | nLines |
|------|--------|
| contracts/peg/SimpleFeiDaiPSM.sol | 103 |
| contracts/shutdown/fuse/RariMerkleRedeemer.sol | 218 |
| contracts/shutdown/fuse/MerkleRedeemerDripper.sol | 29 |
| contracts/shutdown/redeem/TribeRedeemer.sol | 73 |
| Totals | 423 |

All other contracts are **not in scope**.
Note 1: For the RariMerkleRedeemer & MerkleRedeemerDripper contracts, please see the readme here for additional information.
Note 2: For each contract, there are unit and integration tests linked below. There are also some tests in the "verification" step of the DAO vote that the contract corresponds to; these tests are executed when the DAO vote is simulated as part of the integration test setup.
This contract performs a "merkle swap" between Fuse cTokens and FEI at a pre-determined exchange rate per cToken up to a configured cap per address in the merkle root. There is one merkle root and one exchange rate per cToken. The merkle nodes contain the user address and amount of cTokens which can swap for FEI.
Only EOA addresses will be listed in the merkle nodes, as addresses also need to perform an ECDSA signature on a message to claim the swap.
It should be impossible to claim any assets from the Merkle Redeemer unless included in the merkle tree. It should be impossible to redeem without signing the message. Users with outstanding borrows on Fuse should not be able to claim in full until paying off their debt (cTokens prevent transfers when actively used as collateral for a borrow). All EOA users in the merkle tree should be able to claim in full assuming they have the cTokens, no borrows against them, and the contract is funded.
Tooling for creating merkle trees can be found in scripts/shutdown/, and documentation for this tooling can be found in this readme.
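The checks described above (signature, merkle inclusion, per-address cap, fixed exchange rate) can be read as one code path. The following is an added sketch for a single cToken, not the audited contract's code; the contract and function names, the leaf encoding, the 1e18 rate scaling and the precomputed message digest are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Illustrative single-cToken sketch; every name here is hypothetical.
contract MerkleSwapSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable fei;
    IERC20 public immutable cToken;
    bytes32 public immutable merkleRoot;    // assumed leaf: keccak256(abi.encodePacked(user, cap))
    uint256 public immutable exchangeRate;  // FEI per cToken, assumed to be scaled by 1e18
    bytes32 public immutable messageDigest; // EIP-191 digest of the message users sign, computed off-chain

    mapping(address => uint256) public redeemed; // cTokens already swapped per address

    constructor(IERC20 fei_, IERC20 cToken_, bytes32 root_, uint256 rate_, bytes32 digest_) {
        fei = fei_;
        cToken = cToken_;
        merkleRoot = root_;
        exchangeRate = rate_;
        messageDigest = digest_;
    }

    function redeem(uint256 cap, bytes32[] calldata proof, bytes calldata signature, uint256 amount) external {
        // No redemption without the caller's own signature over the message.
        require(ECDSA.recover(messageDigest, signature) == msg.sender, "signature not from caller");

        // No claim unless (caller, cap) is a node of the tree. The 52-byte packed
        // preimage cannot be confused with a 64-byte internal node.
        bytes32 leaf = keccak256(abi.encodePacked(msg.sender, cap));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "not in merkle tree");

        // The cap is cumulative: partial redemptions add up, so a user who repays
        // a Fuse borrow later can come back for the remainder.
        uint256 total = redeemed[msg.sender] + amount;
        require(amount != 0 && total <= cap, "amount exceeds cap");
        redeemed[msg.sender] = total; // state update before any token transfer

        // Per the description above, cTokens backing a borrow cannot be
        // transferred, so the pull fails and the whole swap reverts.
        cToken.safeTransferFrom(msg.sender, address(this), amount);
        fei.safeTransfer(msg.sender, (amount * exchangeRate) / 1e18);
    }
}
```

When reviewing a contract of this shape, check that the leaf binds the amount to `msg.sender` rather than to a caller-supplied address, and that the cap is enforced on the running total rather than on each call.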
Test info:
This contract is intended to drip FEI into the immutable RariMerkleRedeemer contract as a security/rate limiting mechanism. In the event of an unlikely issue, the dripper can be paused making the maximum attack surface the funds in the RariMerkleRedeemer.
Test info:
This contract is intended to be an immutable FEI-DAI wrapper (like WETH:ETH) which allows 1:1 minting and redemption. This contract should stay synced between the FEI and DAI supplies after each call to `burnFeiHeld()`, assuming it is seeded with enough DAI to match the circulating supply.
Note 1: The contract uses the same abi as other PSMs in fei protocol, with some null and no-op functionality for completeness.
Note 2: Some FEI in existence is "protocol owned" and would be sent directly to this contract to be burned, and not backed by DAI. Hence the burnFeiHeld()
Test info:
Intended to redeem TRIBE from the effective circulating supply in exchange for a pro rata portion of a list of ERC-20 tokens.
Test info: