Llama Audit Details
- Total Prize Pool: $60,500 USDC
- HM awards: $41,250 USDC
- Bot Race awards: $3,750 USDC
- ✨ Analysis awards: $2,500 USDC
- QA awards: $1,250 USDC
- Gas awards: $1,250 USDC
- Judge awards: $6,000 USDC
- Lookout awards: $4,000 USDC
- Scout awards: $500 USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts June 6, 2023 20:00 UTC
- Ends June 14, 2023 20:00 UTC
✨ All participating wardens are encouraged to submit an Analysis prior to the closing date. Guidelines and FAQ can be found here.
Automated Findings / Publicly Known Issues
Automated findings output for the audit can be found here.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
The results of the slither report and acknowledged findings from our Spearbit audit are out of scope for this audit contest.
Overview
Llama is a governance system for onchain organizations. It uses non-transferable NFTs to encode access control, features programmatic control of funds, and includes a modular framework to define action execution rules.
Documentation
The video explainer provides a high-level overview of the Llama system and the docs describe the core components.
Scope
Files in scope
| File | SLOC | Description and Coverage | Libraries |
|---|---|---|---|
| Contracts (11) | |||
| src/LlamaExecutor.sol 👥 | 15 | The exit point of a Llama instance. It calls the target contract during action execution., 100.00% | |
| src/LlamaPolicyMetadataParamRegistry.sol | 38 | Parameter Registry contract for onchain SVG colors and logos, 100.00% | |
| src/strategies/LlamaAbsoluteQuorum.sol | 38 | A Llama strategy that has an absolute threshold for approvals/disapprovals and the action creator can approve or disapprove their own actions., 90.91% | @openzeppelin/* solmate/* |
| src/strategies/LlamaAbsolutePeerReview.sol Σ | 42 | A Llama strategy that has an absolute threshold for approvals/disapprovals and the action creator cannot approve or disapprove their own actions., 100.00% | @openzeppelin/* solmate/* |
| src/LlamaPolicyMetadata.sol | 75 | Utility contract to compute llama policy metadata., 100.00% | @openzeppelin/* solady/* |
| src/strategies/LlamaRelativeQuorum.sol | 151 | A Llama strategy in which approval/disapproval thresholds are specified as percentages of total supply and action creators are allowed to cast approvals or disapprovals on their own actions., 100.00% | @openzeppelin/* solmate/* |
| src/LlamaFactory.sol 🧮 🌀 | 157 | Factory for deploying new Llama instances., 100.00% | @openzeppelin/* |
| src/llama-scripts/LlamaGovernanceScript.sol | 161 | A script that allows users to aggregate common calls on the core and policy contracts., 53.45% | |
| src/accounts/LlamaAccount.sol 🖥 💰 👥 | 187 | This contract can be used to hold assets for a Llama instance., 100.00% | @openzeppelin/* |
| src/LlamaPolicy.sol Σ | 260 | An ERC721 contract where each token is non-transferable and has roles assigned to create, approve and disapprove actions., 100.00% | solady/* |
| src/LlamaCore.sol 💰 🧮 🔖 🌀 | 448 | Manages the action process from creation to execution., 100.00% | @openzeppelin/* |
| Abstracts (4) | |||
| src/llama-scripts/LlamaBaseScript.sol | 12 | A template for creating new llama scripts., - | |
| src/llama-scripts/LlamaSingleUseScript.sol | 15 | A template script for scripts that should only be run once., - | |
| src/lib/ERC721NonTransferableMinimalProxy.sol Σ | 96 | A modified version of Solmate's ERC721 contract., 72.22% | @openzeppelin/* |
| src/strategies/LlamaAbsoluteStrategyBase.sol | 141 | A base contract for Llama strategies to inherit from with absolute approval/disapproval properties., 86.00% | @openzeppelin/* solmate/* |
| Libraries (2) | |||
| src/lib/LlamaUtils.sol Σ | 17 | A library of helper functions used throughout the Llama codebase., 0.00% | |
| src/lib/Checkpoints.sol 🖥 | 159 | A modified version of OpenZeppelin's Checkpoints.sol., 51.43% | |
| Interfaces (3) | |||
| src/interfaces/ILlamaAccount.sol | 5 | An interface for Llama accounts., - | |
| src/interfaces/ILlamaActionGuard.sol | 7 | An interface for Llama strategies., - | |
| src/interfaces/ILlamaStrategy.sol | 23 | An interface for Llama strategies., - | |
| Structs (1) | |||
| src/lib/Structs.sol | 37 | A file containing the structs that are used in more than one src contract throughout the Llama codebase., - | |
| Other (2) | |||
| src/lib/UDVTs.sol | 2 | A file containing the UDVTs used throughout the Llama codebase., - | |
| src/lib/Enums.sol | 10 | A file containing the enumerables used throughout the Llama codebase., - | |
| Total (over 23 files): | 2096 | 87.63% |
All other source contracts (not in scope)
| File | SLOC | Description and Coverage | Libraries |
|---|---|---|---|
| Contracts (1) | |||
| src/LlamaLens.sol 🧮 | 85 | Utility contract to compute Llama contract addresses and permission IDs., 80.00% | @openzeppelin/* |
| Total (over 1 file): | 85 | 80.00% |
External imports
- @openzeppelin/proxy/Clones.sol
- @openzeppelin/proxy/utils/Initializable.sol
- @openzeppelin/token/ERC1155/IERC1155.sol
- @openzeppelin/token/ERC1155/utils/ERC1155Holder.sol
- @openzeppelin/token/ERC20/IERC20.sol
- @openzeppelin/token/ERC20/utils/SafeERC20.sol
- @openzeppelin/token/ERC721/IERC721.sol
- @openzeppelin/token/ERC721/utils/ERC721Holder.sol
- @openzeppelin/utils/Address.sol
- @openzeppelin/utils/Base64.sol
- @solady/utils/LibString.sol
- @solmate/utils/FixedPointMathLib.sol
We encourage participants to look for bugs in the following areas:
- Unauthorized action state transitions.
- Unauthorized approval and disapproval manipulation.
- Vulnerabilities in the roles and permissions system in
LlamaPolicy.sol. - Additional safety checks to help prevent Llama instances entering a state where new actions cannot be executed.
- Risks that stem from
LlamaExecutor.soldelegatecalling scripts. - Vulnerabilities in
LlamaAccount.solthat could lead to unauthorized access to funds and assets held in it (Especially risks that stem from theLlamaAccount.solbeing able to delegatecall arbitrary contracts).
Scoping Details
- If you have a public code repo, please share it here: N/A
- How many contracts are in scope?: 11
- Total SLoC for these contracts?: 2096
- How many external imports are there?: 12
- How many separate interfaces and struct definitions are there for the contracts within scope?: 4 files
- Does most of your code generally use composition or inheritance?: Composition
- How many external calls?: 2
- What is the overall line coverage percentage provided by your tests?: 87.63%
- Is this an upgrade of an existing system? No
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: No
- Please describe required context: N/A
- Does it use an oracle?: No
- Does the token conform to the ERC20 standard?: No
- Are there any novel or unique curve logic or mathematical models?: No
- Does it use a timelock function?: Yes
- Is it an NFT?:
LlamaPolicy.solis an NFT - Does it have an AMM?: No
- Is it a fork of a popular project?: No
- Does it use rollups?: It should be able to be deployed on rollup chains
- Is it multi-chain?: It should be able to be deployed an any popular EVM chain
- Does it use a side-chain?: No
Out of scope
The root lib/ directory (not the src/lib/ directory) and acknowledged findings from our Spearbit audit are out of scope for this audit contest.
Assumptions
- The root Llama instance deployed in the
LlamaFactory.solconstructor will govern Llama instance deployments. - Llama instances are self-governed and standalone—they are governed exclusively by policyholders of that Llama instance, and are not governed by any special accounts that are not policyholders of that Llama instance.
Build & Tests
Quickstart Command
foundryup && export MAINNET_RPC_URL='<YOUR_MAINNET_RPC_URL>' && git clone https://github.com/code-423n4/2023-06-llama && cd 2023-06-llama && forge test
Prerequisites
Foundry must be installed. You can find installation instructions in the Foundry docs.
We use just to save and run a few larger, more complex commands. You can find installation instructions in the just docs. All commands can be listed by running just -l from the repo root, or by viewing the justfile.
VS Code
You can get Solidity support for Visual Studio Code by installing the Hardhat Solidity extension.
Installation
$ git clone https://github.com/code-423n4/2023-06-llama $ cd 2023-06-llama $ forge install
Setup
Copy .env.example and rename it to .env. The comments in that file explain what each variable is for and when they're needed:
- The
MAINNET_RPC_URLvariable is the only one that is required for running tests. - You may also want a mainnet
ETHERSCAN_API_KEYfor better traces when running fork tests. - The rest are only needed for deployment verification with forge scripts. An anvil default private key is provided in the
.env.examplefile to facilitate testing.
Commands
forge build- build the projectforge test- run tests
Deploy and Verify
just deploy- deploy and verify payload on mainnet- Run
just -lor see thejustfilefor other commands such as dry runs.
Reference
Run the following command to generate smart contract reference documentation from this project's NatSpec comments and serve those static files locally:
$ forge doc -o reference/ -b -s
Slither
Use our bash script to prevent slither from analyzing the test and script directories. Running slither . directly will result in an AssertionError.
$ chmod +x slither.sh $ ./slither.sh