Platform: Code4rena
Start Date: 07/03/2024
End Date: 12/03/2024
Period: 5 days
Status: Completed
Pot Size: $63,000 USDC
Participants: 36
Reporter: PaperParachute
Judge: cccz
Id: 349
League: BLAST
Trust | 1/36 | $14,067.26 | 8 | 2 | 1 | 5 | 2 | - | 0 | 0 |
ether_sky | 2/36 | $9,498.41 | 6 | 2 | 1 | 3 | 0 | - | 0 | 0 |
DarkTower | 3/36 | $5,548.59 | 5 | 0 | 0 | 4 | 2 | - | 0 | 0 |
SpicyMeatball | 4/36 | $3,838.38 | 4 | 1 | 0 | 2 | 0 | - | 0 | 0 |
Bauchibred | 5/36 | $2,258.68 | 2 | 0 | 0 | 1 | 1 | - | 0 | 0 |
Limbooo | 6/36 | $2,068.88 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 |
hassanshakeel13 | 7/36 | $2,068.88 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 |
Matin | 8/36 | $2,068.88 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 |
yixxas | 9/36 | $2,068.88 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 |
Breeje | 10/36 | $2,014.53 | 3 | 1 | 0 | 1 | 0 | - | 0 | 0 |
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues
section is considered a publicly known issue and is ineligible for awards.
This repo is a curated version of our main repository https://github.com/Abracadabra-money/abracadabra-money-contracts
so it contains the minimal codebase required for this product.
MIMSwap is a fork of Dodo V2 but refactored, so it's more aligned with our needs. The math formula wasn't changed.
We ported it to Solidity 0.8. You can compare it with the original repo here: https://github.com/DODOEX/contractV2/tree/main/contracts/DODOStablePool
We are using a mix of DSP + private pool
We made our own Factory / Router periphery
MagicLpAggregator would be used to price MagicLP collateral for Cauldrons. Note that the MagicLP oracle is only meant for pools of closely priced tokens. It is not meant to be used for any kind of MagicLP, just for closely priced tokens like MIM/USDB.
Some contracts were wrapped so it's usable with Blast L2 yield claiming
BlastOnboarding is currently live. It is an LLE where people deposit MIM/USDB; once ready, we would upgrade the BlastOnboarding implementation to use BlastOnboardingBoot
BlastOnboarding source code is a bit different from the live version because we improved how we can claim the yields post-deployment. It was changed in case we want to run another LLE in the future.
BlastOnboardingBoot would create a single MagicLP for MIM/USDB
People will be able to claim their LP and stake it locked or not to get extra Blast point boosting
People who deposited unlocked into the LLE can withdraw at any time during and after
Only those who locked during the LLE can claim a share of the MagicLP and optionally stake (locked or not).
MagicLP staking uses LockingMultiRewards
LockingMultiRewards is a fork of Curve MultiRewards.
LockingMultiRewards allows you to stake, lock, or unlock for 13 weeks. Locks are released by a Gelato task offchain. An epoch is 7 days. Rewards are distributed during the epoch. The rewards claimed during an epoch are only available in the other epoch + the rewards from the previous epoch if any.
Previous audits: Here
Documentation: Here
MIMSwap V2 is based on DODO V2
DODO PMM Algorithm Whitepaper
Note From Abracadabra Money: It's the same algo for V2 but in V2 the Oracle is replaced with an I constant.
Website: Here
Twitter: Here
Discord: Here
The items acknowledged in the previous audit are Out Of Scope.
BlastOnboarding
Contract Known issues (acknowledged):
The BlastOnboarding contract is a proxy, but it has several declared storage variables and functions. As a result, the contract is prone to storage and function selector collision.
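An added example, not part of the contest repository: a check for the storage half of this known issue, comparing a proxy's declared variables against an implementation's using the JSON shape solc emits for `storageLayout`. The two sample layouts and every variable name in them are constructed for illustration and are not BlastOnboarding's real layout.

```python
import json

# Constructed sample layouts (trimmed to the fields used); names are hypothetical.
TYPES = {"t_address": {"numberOfBytes": "20"},
         "t_bool": {"numberOfBytes": "1"},
         "t_uint256": {"numberOfBytes": "32"}}
PROXY_LAYOUT = {"types": TYPES, "storage": json.loads("""[
  {"label": "owner",          "slot": "0", "offset": 0,  "type": "t_address"},
  {"label": "paused",         "slot": "0", "offset": 20, "type": "t_bool"},
  {"label": "implementation", "slot": "1", "offset": 0,  "type": "t_address"}]""")}
IMPL_LAYOUT = {"types": TYPES, "storage": json.loads("""[
  {"label": "owner",          "slot": "0", "offset": 0,  "type": "t_address"},
  {"label": "ready",          "slot": "0", "offset": 20, "type": "t_bool"},
  {"label": "totalDeposited", "slot": "1", "offset": 0,  "type": "t_uint256"}]""")}


def byte_ranges(layout):
    """Yield (start, end, label, type) per variable, in absolute storage bytes."""
    for var in layout["storage"]:
        start = int(var["slot"]) * 32 + var["offset"]
        size = int(layout["types"][var["type"]]["numberOfBytes"])
        yield start, start + size, var["label"], var["type"]


def find_collisions(proxy_layout, impl_layout):
    """Return (slot, proxy_var, impl_var) for overlapping bytes that the two
    contracts interpret differently. A variable with the same position, label
    and type on both sides is treated as a deliberately shared layout."""
    hits = []
    for p_start, p_end, p_label, p_type in byte_ranges(proxy_layout):
        for i_start, i_end, i_label, i_type in byte_ranges(impl_layout):
            overlaps = p_start < i_end and i_start < p_end
            same_var = (p_start, p_label, p_type) == (i_start, i_label, i_type)
            if overlaps and not same_var:
                hits.append((max(p_start, i_start) // 32, p_label, i_label))
    return sorted(hits)


if __name__ == "__main__":
    for slot, proxy_var, impl_var in find_collisions(PROXY_LAYOUT, IMPL_LAYOUT):
        print(f"slot {slot}: proxy '{proxy_var}' overlaps implementation '{impl_var}'")
```

Run against real layouts on every upgrade, an empty result means each overlapping variable is declared identically on both sides; function selector collisions need a separate comparison of the two ABIs.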
BlastBox
Contract Known issues (acknowledged):
If the owner does not want to enable native yield for a token with the function setTokenEnabled, that token will have the default mode which is AUTOMATIC for WETH and USDB. When a token is in AUTOMATIC mode, the balance of the token in the contract increases as yield is gained. However, the DegenBox contract is unable to support rebasing tokens.
Any reports submitted outside of the scoped contracts are Out Of Scope.
- If you have a public code repo, please share it here: https://github.com/Abracadabra-money/abracadabra-money-contracts
- How many contracts are in scope?: 22
- Total SLoC for these contracts?: 1965
- How many external imports are there?: 21
- How many separate interfaces and struct definitions are there for the contracts within scope?: 2 structs
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 10
- What is the overall line coverage percentage provided by your tests?: 60
- Is this an upgrade of an existing system?: True - MIMSwap + MagicLP oracle to be used for Cauldrons. Blast Versions of the MIMSwap/DegenBox/CauldronV4 contracts to allow yields (mostly inherited except BlastMagicLP), MultiReward with Locking, BlastOnboarding (an LLE to bootstrap liquidity for MIMSwap launch) and an Upgrade implementation for the BlastOnboarding: BlastOnboardingBoot to bootstrap the liquidity and allow users to claim their LP share and stake automatically
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): AMM, Uses L2, Multi-Chain, ERC-20 Token
- Is there a need to understand a separate part of the codebase / get context to audit this part of the protocol?: False
- Please describe required context:
- Does it use an oracle?: Chainlink
- Describe any novel or unique curve logic or mathematical models your code uses: MIMSwap is a fork of dodo v2
- Is this either a fork of or an alternate implementation of another project?: True
- Does it use a side-chain?:
- Describe any specific areas you would like addressed:
LockingMultiRewards tests
MagicLpAggregator tests
BLAST_RPC_URL, MAINNET_RPC_URL and ARBITRUM_RPC_URL in .env.defaults or ideally a .env file.
We are using foundry scripts for any live deployments and the same ones are used when fork testing.
Mocks are used for Blast precompiles as they don't seem to be supported natively by Foundry at this time.
They can be found in utils/mocks/BlastMock.sol. They are only used when fork testing and deploying.
Employees of Abracadabra Money and employees' family members are ineligible to participate in this audit.