A permissionless platform to launch and govern asset-backed stable currencies.
Platform: Code4rena
Start Date: 25/07/2023
End Date: 04/08/2023
Period: 10 days
Status: Completed
Reporters: liveactionllama, thebrittfactor
Pot Size: $80,100 USDC
Participants: 7
Judge: cccz
Id: 268
League: ETH
Warden | Rank | Payout | | | | | | | | |
---|---|---|---|---|---|---|---|---|---|---|
RaymondFam | 1/7 | $0.00 | 3 | 0 | 0 | 3 | 3 | Grade A | Grade A | 0 |
bin2chen | 2/7 | $0.00 | 4 | 1 | 1 | 3 | 1 | Grade A | 0 | 0 |
sces60107 | 3/7 | $0.00 | 2 | 0 | 0 | 2 | 2 | 0 | 0 | 0 |
ronnyx2017 | 4/7 | $0.00 | 7 | 2 | 1 | 5 | 4 | Grade A | 0 | 0 |
auditor0517 | 5/7 | $0.00 | 2 | 0 | 0 | 2 | 2 | Grade A | 0 | 0 |
0xA5DF | 6/7 | $0.00 | 2 | 1 | 0 | 1 | 1 | Grade B | 0 | 0 |
carlitox477 | 7/7 | $0.00 | 1 | 0 | 0 | 1 | 0 | Grade B | Grade A | 0 |
Automated findings output for the audit can be found here within 24 hours of audit opening.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
Anything mentioned in the previous audits is considered known issues:
The Reserve Protocol allows anyone to create stablecoins backed by baskets of ERC20 tokens on Ethereum. Stable asset backed currencies launched on the Reserve protocol are called “RTokens”.
Once an RToken configuration has been deployed, RTokens can be minted by depositing the entire basket of collateral backing tokens, and redeemed for the entire basket as well. Thus, an RToken will tend to trade at the market value of the entire basket that backs it, as any lower or higher price could be arbitraged.
RTokens can be overcollateralized, which means that if any of their collateral tokens default, there's a pool of value available to make up for the loss. RToken overcollateralization is provided by Reserve Rights (RSR) holders, who may choose to stake their RSR on any RToken. Staked RSR can be seized in the case of a collateral default, in a process that is entirely mechanistic based on on-chain price-feeds, and does not depend on any governance votes or human choices.
RTokens can generate revenue, and this revenue is the incentive for RSR holders to stake. Revenue can come from yield from lending collateral tokens on-chain or revenue shares with collateral token issuers. Governance can direct any portion of revenue to RSR stakers, to incentivize RSR holders to stake and provide overcollateralization. If an RToken generates no revenue, or if none of it is directed to RSR stakers, it probably won't have any RSR staked on it, and thus won't be protected by overcollateralization.
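The mint/redeem and recapitalisation mechanics described above, as an added toy model (this is constructed illustration code, not the Reserve Protocol's contracts): minting requires the entire basket, redemption pays out the pro-rata share of every collateral token, the basket's market value is the level arbitrage pins the RToken price to, and a collateral default produces a shortfall that is covered mechanically by selling staked RSR at the oracle price. The `RToken`, `Basket`-style quantities, token names, prices and amounts are all made up for the example.

```python
"""Toy model of an RToken: full-basket mint/redeem and mechanistic RSR seizure.
Constructed illustration only; not Reserve Protocol code. All prices and
amounts below are made-up sample values."""
from dataclasses import dataclass, field
from fractions import Fraction as F

Prices = dict[str, F]  # token symbol -> oracle price in USD (constructed)


@dataclass
class RToken:
    basket: dict[str, F]                  # units of each collateral token behind ONE RToken
    target: dict[str, F]                  # value each collateral unit is supposed to hold
    supply: F = F(0)
    vault: dict[str, F] = field(default_factory=dict)   # collateral actually held
    staked_rsr: F = F(0)                  # RSR staked as overcollateralisation

    def mint(self, amount: F, deposit: dict[str, F]) -> dict[str, F]:
        """Mint `amount` RTokens. The caller must supply the WHOLE basket;
        returns the collateral taken (any surplus stays with the caller)."""
        needed = {t: q * amount for t, q in self.basket.items()}
        for t, n in needed.items():
            if deposit.get(t, F(0)) < n:
                raise ValueError(f"insufficient {t}: need {n}, got {deposit.get(t, F(0))}")
        for t, n in needed.items():
            self.vault[t] = self.vault.get(t, F(0)) + n
        self.supply += amount
        return needed

    def redeem(self, amount: F) -> dict[str, F]:
        """Burn `amount` RTokens and pay out the pro-rata share of every token."""
        if amount > self.supply:
            raise ValueError("redeem exceeds supply")
        share = amount / self.supply
        payout = {t: held * share for t, held in self.vault.items()}
        for t, p in payout.items():
            self.vault[t] -= p
        self.supply -= amount
        return payout

    def basket_value(self, prices: Prices) -> F:
        """Market value of the basket behind ONE RToken; arbitrage keeps the
        RToken trading near this figure."""
        return sum(q * prices[t] for t, q in self.basket.items())

    def shortfall(self, prices: Prices) -> F:
        """How far the vault's market value falls below its target value."""
        should = sum(h * self.target[t] for t, h in self.vault.items())
        actual = sum(h * prices[t] for t, h in self.vault.items())
        return max(F(0), should - actual)

    def seize_rsr(self, prices: Prices) -> tuple[F, F]:
        """Mechanistic recapitalisation: seize staked RSR, valued at the oracle
        price, to cover the shortfall. Returns (rsr_seized, uncovered_shortfall).
        No governance input is involved; only the price feeds decide."""
        gap = self.shortfall(prices)
        rsr_needed = gap / prices["RSR"]
        seized = min(rsr_needed, self.staked_rsr)
        self.staked_rsr -= seized
        return seized, gap - seized * prices["RSR"]


def demo() -> dict:
    """Walk a constructed 50/50 USDC/DAI RToken through mint, redeem and a DAI default."""
    rt = RToken(basket={"USDC": F(1, 2), "DAI": F(1, 2)},
                target={"USDC": F(1), "DAI": F(1)},
                staked_rsr=F(30000))
    taken = rt.mint(F(1000), {"USDC": F(600), "DAI": F(500)})   # 100 USDC surplus stays with minter
    payout = rt.redeem(F(200))
    healthy = {"USDC": F(1), "DAI": F(1), "RSR": F(1, 200)}
    dai_default = {"USDC": F(1), "DAI": F(1, 2), "RSR": F(1, 200)}   # DAI feed reports $0.50
    gap = rt.shortfall(dai_default)
    seized, uncovered = rt.seize_rsr(dai_default)
    return {"taken": taken, "payout": payout, "supply": rt.supply,
            "value_healthy": rt.basket_value(healthy),
            "value_default": rt.basket_value(dai_default),
            "shortfall": gap, "seized": seized, "uncovered": uncovered}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete is the last paragraph's caveat: with only 30,000 RSR staked at $0.005, a 50% DAI default on an 800-token supply leaves $50 of the $200 shortfall uncovered, so an RToken that attracts little staking is effectively unprotected.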
The protocol folder in this repo is linked to the primary Reserve Protocol public repo on branch 3.0.0 at commit hash 9ee60f142f9f5c1fe8bc50eef915cf33124a534f: https://github.com/reserve-protocol/protocol/tree/3.0.0
See scope.txt
The base directory is assumed to be protocol relative to the root of this repo.
The following directories and implementations are considered in-scope for this audit.
Contract | Purpose |
---|---|
contracts/plugins/assets/** | These are the collateral plugins for the protocol |
Details on collateral plugins can be found here.
Out of scope: any `/test`, `/mock`, `/mocks`, and `/vendor` folders (including those found under `contracts/plugins/assets/**`), and everything else not listed above.
Here's a video walkthrough of the code which provides additional context around specific files, structure and logic.
We recommend going through the following documents in order to understand the protocol better.
Some areas of focus for this competition:
Clone the repo with the following command:

```bash
git clone --recurse-submodules https://github.com/code-423n4/2023-07-reserve.git
```

If you've already cloned the repo but without `--recurse-submodules`, you can run the following in the repo's directory:

```bash
git submodule update --init
```

Detailed steps to run tests against the protocol are available here in the `docs/dev-env.md` document:

```bash
yarn compile
yarn test:plugins:integration
```
- If you have a public code repo, please share it here: https://github.com/reserve-protocol/protocol/tree/3.0.0
- How many contracts are in scope?: 40
- Total SLoC for these contracts?: 3170
- How many external imports are there?: 40
- How many separate interfaces and struct definitions are there for the contracts within scope?: 12
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 30
- What is the overall line coverage percentage provided by your tests?: 98%
- Is this an upgrade of an existing system?: Yes, new collateral plugins
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): ERC-20 Token
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: Yes
- Please describe required context: It is helpful to understand the rest of the core protocol and how it interacts with the asset/collateral plugins, especially the asset registry, the backing manager, and the basket handler.
- Does it use an oracle?: Chainlink
- Describe any novel or unique curve logic or mathematical models your code uses: Details on our collateral unit abstract model can be found here https://github.com/reserve-protocol/protocol/blob/3.0.0/docs/collateral.md
- Is this either a fork of or an alternate implementation of another project?: No
- Does it use a side-chain?: No
- Describe any specific areas you would like addressed: convex wrapper and plugins, compound v3 wrapper and plugin, frax-eth plugin, lido plugin, rocket-eth plugin, ankr plugin, RewardableERC20Wrapper & CTokenWrapper, sDAI plugin, cbETH plugin, morpho plugin, crv plugins, stargate plugin.