Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Beefy wrapped boosted #230

Merged
merged 12 commits into from
Jan 24, 2025
Merged

Beefy wrapped boosted #230

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
6b09fbc
wip rate provider
franzns Jan 23, 2025
1763a7f
add beefy 4626
franzns Jan 24, 2025
7f273ce
fix asset
franzns Jan 24, 2025
f2613bc
adding audits
franzns Jan 24, 2025
3f2b4be
adding donation vector
franzns Jan 24, 2025
b6bf73a
remove checked by
franzns Jan 24, 2025
8e4be28
remove daniel
franzns Jan 24, 2025
5859e1f
donation vector
franzns Jan 24, 2025
6b02f6f
adapt context for 4626
franzns Jan 24, 2025
c723635
refine
franzns Jan 24, 2025
41c8037
adjust
franzns Jan 24, 2025
e90910e
Add checked by
danielmkm Jan 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions erc4626/BeefyWrapperReview.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# ERC4626 Vault: `BeefyWrapper`

## Details
- Reviewed by: @franzns
- Checked by: @danielmkm
- Deployed at:
- [sonic:0x7870ddFd5ACA4E977B2287e9A212bcbe8FC4135a](https://sonicscan.org/address/0x7870ddFd5ACA4E977B2287e9A212bcbe8FC4135a#code)
- Audits:
- [4626 wrapper audit](https://github.com/beefyfinance/beefy-audits/blob/master/2023-08-03-Beefy-Zellic-4626-Wrapper-Audit.pdf)


## Context
A 4626 wrapper that can wrap the various Beefy vaults. Its created using their factory at [sonic:0x234f7f81434e340910a84f45f8e89d07fa86611a](https://sonicscan.org/address/0x234f7f81434e340910a84f45f8e89d07fa86611a).

## Review Checklist: Bare Minimum Compatibility
Each of the items below represents an absolute requirement for the ERC4626. If any of these is unchecked, the the ERC4626 is unfit to use.

- [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/blob/main/test/sonic/ERC4626BeefyUsdcSilo.sol).
- [x] The required Vault implements the required operational ERC4626 Interface

## Review Checklist: Common Findings
Each of the items below represents a common red flag found in ERC4626 contracts.

If none of these is checked, then this might be a pretty great ERC4626! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a ERC4626 can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the ERC4626.

### Administrative Privileges
- [ ] The ERC4626 Vault is upgradeable.


### Common Manipulation Vectors
- [x] The ERC4626 Vault is susceptible to donation attacks.
- comment: The ERC4626 wrapper calls the vaults balance for totalAssets() which is part of the `totalAssets` used in the `converToAssets` calculation.

```solidity
/**
* @notice Fetches the total assets held by the vault
* @dev Returns the total assets held by the vault, not only the wrapper
* @return totalAssets the total balance of assets held by the vault
*/
function totalAssets() public view virtual override returns (uint256) {
return IVault(vault).balance();
}
```
The vault calculates it based on underlying balance inside the vault plus the balance inside the strategy.
```solidity
/**
* @dev It calculates the total underlying value of {token} held by the system.
* It takes into account the vault contract balance, the strategy contract balance
* and the balance deployed in other contracts as part of the strategy.
*/
function balance() public view returns (uint) {
return want().balanceOf(address(this)) + IStrategyV7(strategy).balanceOf();
}
```

The underlying balance can be inflated by donating underlying assets to the vault.

## Additional Findings
To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users.

## Conclusion
**Summary judgment: USABLE**

The outlined ERC4626 Vaults should work well with Balancer pools.
7 changes: 7 additions & 0 deletions erc4626/registry.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,13 @@
"summary": "safe",
"review": "./StaticATokenLMAvalonReview.md",
"warnings": []
},
"0x7870ddFd5ACA4E977B2287e9A212bcbe8FC4135a": {
"asset": "0x29219dd400f2Bf60E5a23d13Be72B486D4038894",
"name": "Beefy USDC Wrapper for SiloV2",
"summary": "safe",
"review": "./BeefyWrapperReview.md",
"warnings": []
}
},
"sepolia": {
Expand Down
70 changes: 70 additions & 0 deletions rate-providers/BeefyUsdcSiloRateprovider.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# Rate Provider: `ERC4626RateProvider`

## Details
- Reviewed by: @franzns
- Checked by: @danielmkm
- Deployed at:
- [sonic:0x5fded3206608d3f33175a8865576431906cdb43b](https://sonicscan.org/address/0x5fded3206608d3f33175a8865576431906cdb43b#code)
- Audits:
- [4626 wrapper audit](https://github.com/beefyfinance/beefy-audits/blob/master/2023-08-03-Beefy-Zellic-4626-Wrapper-Audit.pdf)


## Context
The ERC4626 Rate Provider fetches the rate of the Beefy vault for USDC deposited into Silo v2. The rate provider was created using the ERC4626 Rateprovider factory which calls convertToAssets on the ERC4626 to expose the rate. The rate of the ERC4626 is calculated by `shares.mulDiv(totalAssets() + 1, totalSupply() + 10 ** _decimalsOffset(), rounding)`.

## Review Checklist: Bare Minimum Compatibility
Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use.

- [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface.
- [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals.

## Review Checklist: Common Findings
Each of the items below represents a common red flag found in Rate Provider contracts.

If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider.

### Administrative Privileges
- [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address).


### Oracles
- [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes).

- [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price).

### Common Manipulation Vectors
- [x] The Rate Provider is susceptible to donation attacks.
- comment: The ERC4626 wrapper calls the vaults balance for totalAssets() which is part of the `totalAssets` used in the `converToAssets` call and therefore in the `getRate` calculation.

```solidity
/**
* @notice Fetches the total assets held by the vault
* @dev Returns the total assets held by the vault, not only the wrapper
* @return totalAssets the total balance of assets held by the vault
*/
function totalAssets() public view virtual override returns (uint256) {
return IVault(vault).balance();
}
```
The vault calculates it based on underlying balance inside the vault plus the balance inside the strategy.
```solidity
/**
* @dev It calculates the total underlying value of {token} held by the system.
* It takes into account the vault contract balance, the strategy contract balance
* and the balance deployed in other contracts as part of the strategy.
*/
function balance() public view returns (uint) {
return want().balanceOf(address(this)) + IStrategyV7(strategy).balanceOf();
}
```

The underlying balance can be inflated by donating underlying assets to the vault.

## Additional Findings
To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users.


## Conclusion
**Summary judgment: SAFE**

Overall this Rate Provider should work well in pool operations with Balancer pools.
9 changes: 9 additions & 0 deletions rate-providers/registry.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2871,6 +2871,15 @@
"entrypoint": "0xD31E89Ffb929b38bA60D1c7dBeB68c7712EAAb0a",
"implementationReviewed": "0xb9fa01cbd690dfd5be3d8d667c54bbdd9e41e57d"
}]
},
"0x5fded3206608d3f33175a8865576431906cdb43b": {
"asset": "0x7870ddFd5ACA4E977B2287e9A212bcbe8FC4135a",
"name": "Beefy USDC SiloV2 Rateprovider",
"summary": "safe",
"review": "./BeefyUsdcSiloRateprovider.md",
"warnings": [""],
"factory": "0x00de97829d01815346e58372be55aefd84ca2457",
"upgradeableComponents": []
}
}
}
Loading