Platform: Code4rena
Start Date: 12/12/2022
End Date: 19/12/2022
Period: 7 days
Status: Completed
Pot Size: $36,500 USDC
Participants: 103
Reporter: liveactionllama
Judge: berndartmueller
Id: 193
League: ETH
cozzetti | 1/103 | $3,609.31 | 5 | 2 | 0 | 2 | 0 | Grade B | 0 | 0 |
Bobface | 2/103 | $3,442.16 | 2 | 1 | 0 | 1 | 0 | 0 | 0 | 0 |
unforgiven | 3/103 | $2,184.49 | 5 | 2 | 0 | 2 | 0 | Grade B | 0 | 0 |
ElKu | 4/103 | $1,577.10 | 2 | 1 | 0 | 1 | 0 | 0 | 0 | 0 |
imare | 5/103 | $1,570.11 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
0xSmartContract | 6/103 | $1,222.80 | 2 | 0 | 0 | 0 | 0 | Grade A | Grade A | 0 |
carlitox477 | 7/103 | $1,031.36 | 3 | 2 | 0 | 0 | 0 | 0 | Grade B | 0 |
koxuan | 8/103 | $1,028.50 | 5 | 3 | 0 | 2 | 0 | 0 | 0 | 0 |
minhquanym | 9/103 | $850.48 | 4 | 3 | 0 | 0 | 0 | Grade B | 0 | 0 |
shung | 10/103 | $843.01 | 2 | 1 | 0 | 0 | 0 | Grade A | 0 | 0 |
The C4audit output for the contest can be found here within an hour of contest opening.
Note for C4 wardens: Anything included in the C4udit output is considered a publicly known issue and is ineligible for awards.
Caviar is a fully on-chain NFT AMM that allows you to trade every NFT in a collection (from floors to superrares). You can also trade fractional amounts of each NFT too. It's designed with a heavy emphasis on composability, flexibility and usability. View demo app here.
rm -Rf 2022-12-caviar || true && git clone https://github.com/code-423n4/2022-12-caviar.git --recurse-submodules -j8 && cd 2022-12-caviar && yarn && foundryup && forge install && forge test --gas-report
yarn
foundryup
forge install
forge test --gas-report
File | SLOC | Description and coverage | Libraries |
---|---|---|---|
Contracts (3) | | | |
Caviar.sol | 26 | Factory contract that creates pairs and maintains a registry (100%) | solmate |
Pair.sol | 212 | Pair contract that contains ERC20 AMM, NFT wrapping and NFT AMM logic (100%) | solmate, openzeppelin |
LpToken.sol | 15 | ERC20 token which represents liquidity ownership in pair contracts (100%) | solmate |
Libraries (1) | | | |
SafeERC20Namer.sol | 65 | Helper contract that fetches the name and symbol of an ERC20/ERC721 (0%) | openzeppelin |
Total | 318 | | |
Goerli deployment (demo app):
Contract | Address |
---|---|
Caviar | 0x4442fD4a38c6FBe364AdC6FF2CFA9332F0E7D378 |
FBAYC | 0xC1A308D95344716054d4C078831376FC78c4fd72 |
Pair (Rare FBAYC:ETH) | 0x7033A7A1980e019BA6A2016a14b3CD783e35300a |
LP Token (FBAYC:ETH) | 0x96E6B35Cc73070FCDB42Abe5a39BfD7f16c37cFc |
Rebase and fee-on-transfer tokens are not supported by the AMM. Using these tokens will break the swap curve and liquidity maths.
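As an added illustration of that caveat (a constructed simulation, not Caviar's own code), the pair below tracks a Uniswap-v2-style x*y=k pool against a toy token that burns 1% of every transfer; the `measure_actual_receipt` switch, the `Pair` and `FeeOnTransferToken` names and all amounts are assumptions. The naive variant credits the caller-supplied amount and overpays the trader while its recorded reserve drifts above the tokens it actually holds; the variant that credits only the balance delta stays consistent.

```python
# Constructed simulation (not Caviar's code): why a fee-on-transfer token
# breaks constant-product (Uniswap v2 style) reserve accounting.

class FeeOnTransferToken:
    """Toy ERC20 that burns a fixed fee (basis points) on every transfer."""

    def __init__(self, fee_bps: int) -> None:
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, receiver: str, amount: int) -> None:
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000      # burned, never reaches receiver
        self.balances[sender] -= amount
        self.mint(receiver, amount - fee)


class Pair:
    """x*y=k pool holding `token` against a plain base asset (ETH as an int)."""

    def __init__(self, token: FeeOnTransferToken, token_reserve: int,
                 eth_reserve: int, measure_actual_receipt: bool) -> None:
        self.token, self.measure_actual_receipt = token, measure_actual_receipt
        self.token_reserve, self.eth_reserve = token_reserve, eth_reserve
        token.mint("pair", token_reserve)

    def sell_token_for_eth(self, trader: str, amount_in: int) -> int:
        before = self.token.balance_of("pair")
        self.token.transfer(trader, "pair", amount_in)
        # Hardened: credit only what actually arrived. Naive: trust amount_in,
        # which is what a vanilla v2-style curve effectively does.
        received = (self.token.balance_of("pair") - before
                    if self.measure_actual_receipt else amount_in)
        eth_out = self.eth_reserve * received // (self.token_reserve + received)
        self.token_reserve += received
        self.eth_reserve -= eth_out
        return eth_out

    def reserve_drift(self) -> int:
        """Recorded token reserve minus tokens really held (0 when healthy)."""
        return self.token_reserve - self.token.balance_of("pair")


def simulate(measure_actual_receipt: bool) -> tuple[int, int]:
    """Returns (ETH paid to trader, reserve drift) for one 10_000-token sale."""
    token = FeeOnTransferToken(fee_bps=100)        # constructed: 1% burn
    token.mint("trader", 10_000)
    pair = Pair(token, 1_000_000, 1_000_000, measure_actual_receipt)
    return pair.sell_token_for_eth("trader", 10_000), pair.reserve_drift()
```

The naive pool pays 9900 ETH units for 9900 tokens actually received and records 100 tokens it does not hold; repeated trades widen that gap until reserve-based withdrawals can no longer be honoured.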
There exists no recovery mechanism for tokens that are accidentally transferred to the AMM. If tokens or NFTs are accidentally sent to the contract, then they cannot be withdrawn.
It's assumed that all NFTs and base token contracts used to create new pairs are honest. The user must use their own discretion when deciding whether or not to interact with a particular pair contract and check that the NFT and base token contracts are honest.
There exists functionality which allows an admin to withdraw NFTs from pairs. It's assumed that the admin is trusted and legitimate. However, as an additional precaution, there is a one week grace period in which the admin must signal their intent to withdraw before actually withdrawing. This allows LPs and traders to withdraw their NFTs from the contract prior to the admin.
- If you have a public code repo, please share it here: https://github.com/outdoteth/Caviar
- How many contracts are in scope?: 4
- Total SLoC for these contracts?: 250
- How many external imports are there?: 7
- How many separate interfaces and struct definitions are there for the contracts within scope?: 3
- Does most of your code generally use composition or inheritance?: Yes
- How many external calls?: 5
- What is the overall line coverage percentage provided by your tests?: 100
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: false
- Please describe required context:
- Does it use an oracle?: false
- Does the token conform to the ERC20 standard?: Yes
- Are there any novel or unique curve logic or mathematical models?: Nothing novel - using uni v2 style curves
- Does it use a timelock function?: Yes
- Is it an NFT?: No
- Does it have an AMM?: Yes
- Is it a fork of a popular project?: false
- Does it use rollups?: false
- Is it multi-chain?: false
- Does it use a side-chain?: false