Platform: Code4rena
Start Date: 19/01/2024
End Date: 22/01/2024
Period: 3 days
Status: Completed
Pot Size: $36,500 USDC
Participants: 113
Reporter: PaperParachute
Judge: 0xsomeone
Id: 322
League: ETH
Warden | Rank | Award | Total | High (all) | High (solo) | Med (all) | Med (solo) | Gas | QA | Analysis |
---|---|---|---|---|---|---|---|---|---|---|
windhustler | 1/113 | $3,078.89 | 3 | 1 | 0 | 2 | 0 | 0 | 0 | 0 |
EV_om | 2/113 | $2,615.63 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
NPCsCorp | 3/113 | $2,570.95 | 5 | 3 | 0 | 2 | 0 | 0 | 0 | 0 |
iamandreiski | 4/113 | $2,265.60 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
haxatron | 5/113 | $1,726.63 | 6 | 3 | 0 | 3 | 0 | 0 | 0 | 0 |
nuthan2x | 6/113 | $1,234.58 | 3 | 2 | 0 | 1 | 0 | 0 | 0 | 0 |
Soliditors | 7/113 | $1,134.47 | 5 | 2 | 0 | 3 | 0 | 0 | 0 | 0 |
deth | 8/113 | $955.55 | 4 | 3 | 0 | 1 | 0 | 0 | 0 | 0 |
MrPotatoMagic | 9/113 | $954.05 | 5 | 3 | 0 | 2 | 0 | 0 | 0 | 0 |
Aamir | 10/113 | $885.14 | 4 | 3 | 0 | 0 | 0 | - | 0 | 0 |
The 4naly3er report can be found here.
Automated findings output for the audit can be found here within 24 hours of audit opening.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Decent allows for single-click transactions on any chain, paid for from any source chain or token. For example, suppose I want to mint an NFT on Optimism but only have funds on Base: I can send that transaction, paying with DAI on Base, and receive my funds on Optimism.
The two libraries Decent uses to do so are `UTB`, which handles the routing of cross-chain transactions and passes them through a selected bridge, and `decent-bridge`, which is Decent's custom bridge built on top of LayerZero's OFT standard.
`UTB` calls one of two functions, `swapAndExecute` or `bridgeAndExecute`. As their names suggest, `swapAndExecute` performs same-chain transactions for a user (paid from potentially different payment tokens), and `bridgeAndExecute` performs cross-chain transactions for a user.
In the interest of being generalizable, different `swappers` and `bridgeAdapters` can be added to `UTB`. All `swappers` must implement `ISwapper`, as can be seen in `UniSwapper.sol`. Similarly, all `bridgeAdapters` must implement `IBridgeAdapter`, and examples can be seen in `DecentBridgeAdapter` and `StargateBridgeAdapter`.
`UTBExecutor` executes any additional logic for `UTB` (i.e. minting an NFT).
The `DecentBridge` is built on top of LayerZero's OFT contract, and additional implementation information can be found in the `decent-bridge` README.
This checklist in Notion provides some best practices for Code4rena audits.
Contract | SLOC | Purpose | Libraries used |
---|---|---|---|
src/UTB.sol | 232 | Calls swapAndExecute and bridgeAndExecute | |
src/UTBExecutor.sol | 52 | Calls the executor for external contract calls | |
src/UTBFeeCollector.sol | 50 | Collects fees on UTB contract calls | |
src/bridge_adapters/BaseAdapter.sol | 16 | Standard functionality for each bridge adapter | |
src/bridge_adapters/DecentBridgeAdapter.sol | 137 | Adapter implementation for the Decent bridge | |
src/bridge_adapters/StargateBridgeAdapter.sol | 190 | Adapter implementation for the Stargate bridge | |
src/swappers/SwapParams.sol | 13 | Params for swapper files | |
src/swappers/UniSwapper.sol | 145 | Implementation of ISwapper for UniV3 | |
lib/decent-bridge/src/DcntEth.sol | 27 | OFTV2 implementation for DcntEth | OFTV2 |
lib/decent-bridge/src/DecentEthRouter.sol | 290 | Core bridge logic | |
lib/decent-bridge/src/DecentBridgeExecutor.sol | 57 | Makes external contract calls | |
Any other files in `decent-bridge` are out of scope.

`swapAndExecute` or `bridgeAndExecute`

`DecentEth.sol`: should comply with the ERC-20 standard.

- If you have a public code repo, please share it here: github.com/decentxyz/UTB, github.com/decentxyz/decent-bridge (note that the UTB branch is `develop`)
- How many contracts are in scope?: 11
- Total SLoC for these contracts?: 1193
- How many separate interfaces and struct definitions are there for the contracts within scope?: 11 interfaces
- What is the overall line coverage percentage provided by your tests?: 75
- Check all that apply: ERC20, Multi-Chain, Uses L2
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: knowledge of lz would be helpful
- Is this either a fork of or an alternate implementation of another project?: no
- Does it use a side-chain?: can be deployed to polygon
To set up the repo, first run `forge install` and `pnpm i`. To run the tests, add the relevant values to your `.env`, referencing `.env.example`, then run `forge test`.
Note: Many wardens run Slither as a first pass for testing. Please document any known errors with no workaround.
Employees of Decent.xyz and employees' family members are ineligible to participate in this audit.