Revert Lend


b0g0	1/105	$6,184.78	3	2	1	1	0	0	0
0xjuan	2/105	$3,697.85	5	2	0	3	2	0	0
ktg	3/105	$3,684.14	5	0	0	4	2	-	0
Aymen0909	4/105	$2,883.87	7	1	0	5	0	-	0
thank_you	5/105	$2,564.06	4	1	0	2	1	-	0
cryptphi	6/105	$1,620.06	2	0	0	1	1	-	0
Giorgio	7/105	$1,456.82	4	1	0	3	0	0	0
lanrebayode77	8/105	$1,398.31	6	0	0	5	0	-	0
Bauchibred	9/105	$1,317.98	4	1	0	1	0	-	-
grearlake	10/105	$1,303.31	5	1	0	3	0	-	0


b0g0	1/105	$6,184.78	3	2	1	1	0	0	0
0xjuan	2/105	$3,697.85	5	2	0	3	2	0	0
ktg	3/105	$3,684.14	5	0	0	4	2	-	0
Aymen0909	4/105	$2,883.87	7	1	0	5	0	-	0
thank_you	5/105	$2,564.06	4	1	0	2	1	-	0
cryptphi	6/105	$1,620.06	2	0	0	1	1	-	0
Giorgio	7/105	$1,456.82	4	1	0	3	0	0	0
lanrebayode77	8/105	$1,398.31	6	0	0	5	0	-	0
Bauchibred	9/105	$1,317.98	4	1	0	1	0	-	-
grearlake	10/105	$1,303.31	5	1	0	3	0	-	0

Revert Lend audit details

Total Prize Pool: $88,500 in USDC
- HM awards: $42,900 in USDC
- Analysis awards: $2,600 in USDC
- QA awards: $1,300 in USDC
- Bot Race awards: $3,900 in USDC
- Gas awards: $1,300 in USDC
- Judge awards: $10,650 in USDC
- Lookout awards: $4,200 USDC
- Scout awards: $500 in USDC
- Mitigation Review: $21,150 in USDC (Opportunity goes to top 3 certified wardens based on placement in this audit.)
Join C4 Discord to register
Submit findings using the C4 form
Read our guidelines for more details
Starts March 4, 2024 20:00 UTC
Ends March 15, 2024 20:00 UTC

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here.

Automated findings output for the audit can be found here within 24 hours of audit opening.

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

Note from Revert:

Liquidations of undercollateralized positions may be temporarily disabled when the pool price of a position is moved away too much from the oracle price. This issue is automatically resolved by arbitrage in most cases, but if there is not enough incentive to do so, the liquidator has enough incentive to do the arbitrage as part of the liquidation process - because of the liquidation premium. For more details see Finding 4 in the audit by Hydn (see below).

Overview

This repository contains the smart contracts for Revert Lend protocol.

It uses Foundry as development toolchain.

To get an understanding of the basic concepts, and advanced topics like transformers please read the whitepaper.

Scope

See scope.txt

Contract	SLOC	Purpose	Libraries used
src/V3Vault.sol	887	Vault contract which keeps V3 Positions, lent assets and handles loans.	`@openzeppelin` `@v3-core` `@v3-periphery` `@permit2`
src/V3Oracle.sol	371	Oracle which handles Chainlink Feeds, Uniswap V3 TWAPs to get values of V3 Positions	`@openzeppelin` `@v3-core` `@v3-periphery` `@chainlink`
src/InterestRateModel.sol	65	Calculates interest rates for V3Vault	`@openzeppelin`
src/automators/AutoExit.sol	185	Lets Revert controlled bot auto-exit positions	`@openzeppelin` `@v3-core` `@v3-periphery`
src/automators/Automator.sol	181	Base class which adds handling of operator, fees and permissions for automator contracts.	`@openzeppelin` `@v3-core` `@v3-periphery`
src/transformers/AutoCompound.sol	200	Lets Revert controlled bot auto-compound positions (also when they are used as collateral)	`@openzeppelin` `@v3-core` `@v3-periphery`
src/transformers/AutoRange.sol	235	Lets Revert controlled bot auto-range positions (also when they are used as collateral)	`@openzeppelin` `@v3-core` `@v3-periphery`
src/transformers/LeverageTransformer.sol	133	Lets positions being leveraged by borrowing, swapping and reading to collateralized position atomically. Also supports deleveraging.	`@openzeppelin` `@v3-core` `@v3-periphery`
src/transformers/V3Utils.sol	750	V3Utils contract (atomic swap and manage liquidity functions) which works with V3Vault and supports Permit2.	`@openzeppelin` `@v3-core` `@v3-periphery` `@permit2`
src/utils/FlashloanLiquidator.sol	89	Util contract to do atomic liquidations using a Uniswap V3 Flashloan	`@openzeppelin` `@v3-core` `@v3-periphery`
src/utils/Swapper.sol	118	Base class which adds logic for doing swaps with UniversalRouter, 0x Router and pool swaps.	`@openzeppelin` `@v3-core` `@v3-periphery`

Out of scope

Everything NOT in /src and NOT in scope.txt

Additional Context

Roles in the protocol: Owner (which will be set to a Multisig and Timelock), EmergencyAdmin (which will be set to a Multisig), Operators (which are EOA used by bots to call actions in Automator contracts)
Special ERC20 tokens like fee-on-transfer or rebasing tokens are not supported. Usage of them will revert.
The only allowed ERC721 are UniswapV3 positions.
The protocol should be able to be deployed on any EVM compatible chain - by using chain specific config values
V3Vault: Should comply with ERC/EIP4626

Attack ideas (Where to look for bugs)

Reentrancy
Share calculation
Price manipulation
Crafted ERC-20 Tokens
Crafted external swap calldata

Main invariants

Debt can never be bigger than lent assets (after all loans are payed back or liquidated).

Scoping Details

- If you have a public code repo, please share it here: https://github.com/revert-finance/vault (private for now)   
- How many contracts are in scope?: 11   
- Total SLoC for these contracts?: 3000  
- How many external imports are there?: 10  
- How many separate interfaces and struct definitions are there for the contracts within scope?: 4  
- Does most of your code generally use composition or inheritance?: both   
- How many external calls?: 10   
- What is the overall line coverage percentage provided by your tests?: 80
- Is this an upgrade of an existing system?: No
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): NFT, AMM, ERC-20 Token  
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: UniswapV3, Permit2  
- Does it use an oracle?: Chainlink, Uniswap V3 TWAP
- Describe any novel or unique curve logic or mathematical models your code uses: No 
- Is this either a fork of or an alternate implementation of another project?: False  
- Does it use a side-chain?: No

Tests

First time run

forge install

to get dependencies. Then:

Because the v3-periphery library (Solidity v0.8 branch) in lib/v3-periphery/contracts/libraries/PoolAddress.sol has a different POOL_INIT_CODE_HASH than the one deployed on Mainnet this needs to be changed for the integration tests to work properly and for deployment!

bytes32 internal constant POOL_INIT_CODE_HASH = 0xa598dd2fba360510c5a8f02f44423a4468e902df5857dbce3ca162a43a3a31ff;

needs to be changed to

bytes32 internal constant POOL_INIT_CODE_HASH = 0xe34f199b19b2b4f47f68442619d555527d244f78a3297ea89325f843f87b8b54;

Most tests use a forked state of Ethereum Mainnet. You can run all tests with:

forge test

If the https://rpc.ankr.com/eth fork url isn't working, please replace it with your own rpc url (from the likes of Alchemy or Infura).

Slither

See slither.txt or run with slither .

Miscellaneous

Employees of Revert and employees' family members are ineligible to participate in this audit.