Platform: Code4rena
Start Date: 25/01/2024
End Date: 29/01/2024
Period: 4 days
Status: Completed
Pot Size: $16,425 USDC
Participants: 5
Reporter: PaperParachute
Judge: Alex the Entreprenerd
Id: 326
League: ETH
rvierdiiev | 1/5 | $0.00 | 0 | 0 | 0 | 0 | 0 | Grade A | 0 | 0 |
xuwinnie | 2/5 | $0.00 | 3 | 2 | 0 | 1 | 0 | Grade B | 0 | 0 |
bin2chen | 3/5 | $0.00 | 3 | 2 | 0 | 1 | 0 | Grade A | 0 | 0 |
erebus | 4/5 | $0.00 | 1 | 0 | 0 | 1 | 1 | Grade A | 0 | 0 |
Stormy | 5/5 | $0.00 | 0 | 0 | 0 | 0 | 0 | Grade B | 0 | 0 |
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Risks deemed acceptable:
See scope.txt
| Contract | SLOC | Purpose | Libraries used |
|---|---|---|---|
| src/LendingLedger.sol | 106 | Implements the bookkeeping for the rewards and is used for claiming. Moreover, provides data for third-party contracts that want to use this information for secondary rewards | @openzeppelin/* |
All other contracts and interfaces, namely src/GaugeController.sol, src/VotingEscrow.sol, interface/Turnstile.sol, and all tests (src/test/).
Since the previous audit, the LendingLedger logic was completely rewritten. We now use an approach that is very similar to MasterChef / Synthetix. The main motivation for doing that was to enable users to claim accrued rewards whenever they want (instead of only after a week / epoch has passed). Moreover, we also introduced the field secRewardDebt. The idea of this field is to enable any lending platform that is integrated with Neofinance Coordinator to send its own rewards based on this value (or rather the change in this value since the last time secondary rewards were sent) and its own emission schedule for the tokens.
The code will only be deployed to CANTO.
The only trusted role is the governance address. Only this address can set the rewards per block.
Miscalculations / significant rounding errors
The total rewards that are sent for one block should never be higher than the rewards that were configured for this block.
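A runnable model of the rewritten MasterChef-style accounting described above and of the per-block cap stated under Miscalculations, added here as an example and not the LendingLedger code itself. It assumes a per-share accumulator scaled by 1e18 that settles pending rewards on every sync, and it models secRewardDebt as a second accumulator at an assumed nominal rate of one unit per block (LendingLedgerModel, sec_earned and SEC_UNIT are names chosen for this example, not the contract's). The constructed scenario checks that everything paid out over 20 blocks stays at or below 20 times the configured rewards per block, with the floor-division dust left in the pool.

```python
from dataclasses import dataclass

PRECISION = 10**18  # fixed-point scale for the per-share accumulators
SEC_UNIT = 10**18   # assumed nominal secondary emission per block; a rewarder rescales it

@dataclass
class UserInfo:
    amount: int = 0       # balance reported by the lending market for this user
    reward_debt: int = 0  # amount * acc_reward_per_share at the last sync (already settled)
    sec_earned: int = 0   # cumulative secondary units; a rewarder pays on the change in this
    sec_debt: int = 0     # amount * acc_sec_per_share at the last sync

class LendingLedgerModel:
    def __init__(self, reward_per_block: int):
        self.reward_per_block = reward_per_block  # governance-configured emission
        self.total_amount, self.last_block, self.paid_out = 0, 0, 0
        self.acc_reward_per_share, self.acc_sec_per_share = 0, 0  # both scaled by PRECISION
        self.users: dict[str, UserInfo] = {}

    def update(self, block: int) -> None:
        # Fold the blocks since the last update into both accumulators.
        if block > self.last_block and self.total_amount > 0:
            elapsed = block - self.last_block
            # Floor division: every share rounds down, so the pool can never over-distribute.
            self.acc_reward_per_share += elapsed * self.reward_per_block * PRECISION // self.total_amount
            self.acc_sec_per_share += elapsed * SEC_UNIT * PRECISION // self.total_amount
        self.last_block = max(self.last_block, block)

    def sync(self, who: str, delta: int, block: int) -> int:
        # Settle what `who` accrued at the old balance, then apply the change (a claim is delta == 0).
        self.update(block)
        u = self.users.setdefault(who, UserInfo())
        pending = u.amount * self.acc_reward_per_share // PRECISION - u.reward_debt
        u.sec_earned += u.amount * self.acc_sec_per_share // PRECISION - u.sec_debt
        u.amount += delta
        self.total_amount += delta
        u.reward_debt = u.amount * self.acc_reward_per_share // PRECISION
        u.sec_debt = u.amount * self.acc_sec_per_share // PRECISION
        self.paid_out += pending
        return pending

def run_scenario() -> dict:
    ledger = LendingLedgerModel(reward_per_block=2 * 10**18)  # constructed scenario
    ledger.sync("alice", 3 * 10**18, block=100)
    ledger.sync("bob", 7 * 10**18, block=105)   # alice alone for blocks 100-105
    alice = ledger.sync("alice", 0, block=110)  # claim
    alice += ledger.sync("alice", -3 * 10**18, block=112)  # withdrawal settles first
    bob = ledger.sync("bob", 0, block=120)      # claim
    return {"alice": alice, "bob": bob, "paid_out": ledger.paid_out, "configured": 20 * ledger.reward_per_block,
            "alice_sec": ledger.users["alice"].sec_earned, "bob_sec": ledger.users["bob"].sec_earned}
```

Each payout comes out a few wei below the exact share (alice 14.2e18 and bob 25.8e18 in exact arithmetic), which is the direction the cap requires.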
- If you have a public code repo, please share it here:
- How many contracts are in scope?: 1
- Total SLoC for these contracts?: 107
- How many external imports are there?: 4
- How many separate interfaces and struct definitions are there for the contracts within scope?: 2
- Does most of your code generally use composition or inheritance?: Composition
- How many external calls?: 1
- What is the overall line coverage percentage provided by your tests?: 94
- Is this an upgrade of an existing system?: True - LendingLedger of the already audited veRWA (https://code4rena.com/audits/2023-08-verwa) was rewritten. It now supports per-block claiming (vs. per-epoch previously) and we expose data in the contract that enables secondary rewards (i.e. for other systems to incentivize deposits with their own tokens)
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.):
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: True
- Please describe required context: The changes since the last audit only affect one contract and are isolated, but it can be helpful for context to look at the overall system, which was described in the previous audit (https://code4rena.com/audits/2023-08-verwa)
- Does it use an oracle?: No
- Describe any novel or unique curve logic or mathematical models your code uses: The staking logic is adapted from Sushi / Synthetix: https://www.rareskills.io/post/staking-algorithm
- Is this either a fork of or an alternate implementation of another project?: True
- Does it use a side-chain?:
- Describe any specific areas you would like addressed:
```bash
# Cloning with recurse
git clone --recurse https://github.com/code-423n4/2024-01-canto.git
# Going into the contest directory
cd 2024-01-canto
# Installing npm dependencies
npm install
# Installing forge dependencies in case --recurse was forgotten when cloning
forge install
# Compiling
forge build
# Testing
forge test
# Generating gas report
forge test --gas-report
# Running coverage with minimum-IR (Stack too deep otherwise)
forge coverage --ir-minimum
# Generating lcov report file (keep in mind that the result will be a bit off when displaying the result such as with the Coverage Gutters extension on VSCode due to --ir-minimum).
forge coverage --ir-minimum --report lcov
# Running slither (alternatively, see the provided "slither.txt" file)
slither .
```
Canto contributors that were involved in the creation of Neofinance Coordinator and their family members are ineligible to participate in this audit.