A fully on-chain NFT AMM that allows you to trade every NFT in a collection.
Platform: Code4rena
Start Date: 07/04/2023
End Date: 13/04/2023
Period: 6 days
Status: Completed
Reporters: itsmetechjay, liveactionllama
Pot Size: $47,000 USDC
Participants: 120
Reporters: itsmetechjay, liveactionllama
Judge: GalloDaSballo
Id: 230
League: ETH
rbserver | 1/120 | $2,784.31 | 4 | 0 | 0 | 3 | 1 | Grade A | 0 | 0 |
Ruhum | 2/120 | $2,597.39 | 5 | 1 | 0 | 4 | 1 | 0 | 0 | 0 |
rvierdiiev | 3/120 | $2,509.32 | 3 | 0 | 0 | 2 | 1 | - | 0 | 0 |
KrisApostolov | 4/120 | $2,445.61 | 2 | 0 | 0 | 2 | 1 | 0 | 0 | 0 |
Haipls | 5/120 | $1,520.16 | 4 | 1 | 0 | 2 | 0 | - | 0 | 0 |
Voyvoda | 6/120 | $1,355.39 | 7 | 2 | 0 | 5 | 0 | 0 | 0 | 0 |
AkshaySrivastav | 7/120 | $1,283.90 | 5 | 1 | 0 | 3 | 0 | Grade A | 0 | 0 |
ladboy233 | 8/120 | $1,235.91 | 7 | 1 | 0 | 5 | 0 | - | 0 | 0 |
hihen | 9/120 | $1,107.77 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
teddav | 10/120 | $846.91 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
Auditor per page
Automated findings output for the contest can be found here within an hour of contest opening.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
A private pool is a an NFT AMM controlled by a single owner. Each private pool is highly customizable with concentrated liquidity, custom fee rates, stolen NFT filtering, custom NFT weightings, royalty support, and flash loans. Liquidity providers deposit NFTs and ETH into these pools to enable trading. Docs are available here. And a demo is available on beta.goerli.caviar.sh.
rm -Rf 2023-04-caviar || true && git clone https://github.com/code-423n4/2023-04-caviar.git --recurse-submodules -j8 && cd 2023-04-caviar && yarn && foundryup && forge install && forge test --ffi --gas-report
yarn forge install forge test --gas-report --ffi
The Factory contract allows users to create and initialize new custom pools that are minimal proxies which point to a reference implementation. It is responsible for issuing NFTs that represent ownership of each custom pool. All protocol fees accrue to the factory contract and can be withdrawn by the protocol admin. Initially the protocol fee rate will be set to be 0% however it may be increased in the future, with advanced notice.
The PrivatePool contract contains all of the core logic for custom pools. It allows users to set concentrated liquidity, custom fee rates, NFT weightings, change/flashloan fee rates, royalty fee support, and stolen NFT filtering. Traders can buy, sell, and change NFTs for other NFTs within the pool.
The EthRouter contract is responsible for taking in a sequence of actions and executing them against the various pools. This is useful if a user wants to buy N amount of NFTs that belong to Y different pools. For example, Bob wants to buy token #1, #2, and #3. Token #1 belongs to pool A. Tokens #2, and #3 belong to pool B. Bob can submit an array of buys to the EthRouter and it will execute a buy from both pool A and pool B in one transaction. The EthRouter also interfaces with caviar public pools, which can be found here.
The PrivatePoolMetadata contract is responsible for generating an on-chain svg and metadata representation of the NFT that represents ownership of a custom pool. This is used to display the NFT across various marketplaces and wallets.
| File | SLOC | Description | Libraries |
|---|---|---|---|
| Contracts (4) | |||
| src/Factory.sol 💰 📤 | 82 | Creates new pools and also accrues protocol fees | solady/* solmate/* |
| src/PrivatePoolMetadata.sol | 90 | Generates NFT metadata and svgs for each pool | @openzeppelin/* solmate/* |
| src/EthRouter.sol 💰 | 179 | Routes trades to various pools | solmate/* @openzeppelin/* caviar/* royalty-registry-solidity/* |
| src/PrivatePool.sol 🖥 💰 📤 🧮 ♻️ | 379 | Core AMM logic for each newly deployed private pool | solmate/* solady/* @openzeppelin/* royalty-registry-solidity/* |
| Interfaces (1) | |||
| src/interfaces/IStolenNftOracle.sol | 11 | Interface for validating whether NFTs are stolen or not | |
| Total (over 5 files): | 741 |
- If you have a public code repo, please share it here: - How many contracts are in scope?: 4 - Total SLoC for these contracts?: 725 - How many external imports are there?: 12 - How many separate interfaces and struct definitions are there for the contracts within scope?: 3 - Does most of your code generally use composition or inheritance?: inheritance - How many external calls?: 10 - What is the overall line coverage percentage provided by your tests?: N/a - Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: Caviar public pools: https://github.com/outdoteth/caviar - Please describe required context: The EthRouter contract routes trades to caviar public pools (in addition to private pools) - Does it use an oracle?: no - Does the token conform to the ERC20 standard?: N/a - Are there any novel or unique curve logic or mathematical models?: no - Does it use a timelock function?: no - Is it an NFT?: Yes - Does it have an AMM?: Yes - Is it a fork of a popular project?: No - Does it use rollups?: No - Is it multi-chain?: No - Does it use a side-chain?: No
There is a bug related to slither that prevents it from running correctly. More info can be found here: https://github.com/crytic/slither/issues/1737
There is a bug related to generating coverage reports with forge. More info can be found here: https://github.com/foundry-rs/foundry/issues/3357