- Total Prize Pool: $47,000 USDC
- HM awards: $25,500 USDC
- QA report awards: $3,000 USDC
- Gas report awards: $1,500 USDC
- Judge awards: $6,000 USDC
- Lookout awards: $2400 USDC
- Scout awards: $500 USDC
- Mitigation review contest: $8,100 USDC (Opportunity goes to top 5 certified wardens based on placement in this contest.)
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts April 07, 2023 20:00 UTC
- Ends April 13, 2023 20:00 UTC
Automated findings output for the contest can be found here within an hour of contest opening.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
A private pool is a an NFT AMM controlled by a single owner. Each private pool is highly customizable with concentrated liquidity, custom fee rates, stolen NFT filtering, custom NFT weightings, royalty support, and flash loans. Liquidity providers deposit NFTs and ETH into these pools to enable trading. Docs are available here. And a demo is available on beta.goerli.caviar.sh.
rm -Rf 2023-04-caviar || true && git clone https://github.com/code-423n4/2023-04-caviar.git --recurse-submodules -j8 && cd 2023-04-caviar && yarn && foundryup && forge install && forge test --ffi --gas-report
yarn
forge install
forge test --gas-report --ffi
-
The Factory contract allows users to create and initialize new custom pools that are minimal proxies which point to a reference implementation. It is responsible for issuing NFTs that represent ownership of each custom pool. All protocol fees accrue to the factory contract and can be withdrawn by the protocol admin. Initially the protocol fee rate will be set to be 0% however it may be increased in the future, with advanced notice.
-
The PrivatePool contract contains all of the core logic for custom pools. It allows users to set concentrated liquidity, custom fee rates, NFT weightings, change/flashloan fee rates, royalty fee support, and stolen NFT filtering. Traders can buy, sell, and change NFTs for other NFTs within the pool.
-
The EthRouter contract is responsible for taking in a sequence of actions and executing them against the various pools. This is useful if a user wants to buy N amount of NFTs that belong to Y different pools. For example, Bob wants to buy token #1, #2, and #3. Token #1 belongs to pool A. Tokens #2, and #3 belong to pool B. Bob can submit an array of buys to the EthRouter and it will execute a buy from both pool A and pool B in one transaction. The EthRouter also interfaces with caviar public pools, which can be found here.
-
The PrivatePoolMetadata contract is responsible for generating an on-chain svg and metadata representation of the NFT that represents ownership of a custom pool. This is used to display the NFT across various marketplaces and wallets.
| File | SLOC | Description | Libraries |
|---|---|---|---|
| Contracts (4) | |||
| src/Factory.sol 💰 📤 | 82 | Creates new pools and also accrues protocol fees | solady/* solmate/* |
| src/PrivatePoolMetadata.sol | 90 | Generates NFT metadata and svgs for each pool | @openzeppelin/* solmate/* |
| src/EthRouter.sol 💰 | 179 | Routes trades to various pools | solmate/* @openzeppelin/* caviar/* royalty-registry-solidity/* |
| src/PrivatePool.sol 🖥 💰 📤 🧮 ♻️ | 379 | Core AMM logic for each newly deployed private pool | solmate/* solady/* @openzeppelin/* royalty-registry-solidity/* |
| Interfaces (1) | |||
| src/interfaces/IStolenNftOracle.sol | 11 | Interface for validating whether NFTs are stolen or not | |
| Total (over 5 files): | 741 |
- caviar/Pair.sol
- openzeppelin/interfaces/IERC2981.sol
- openzeppelin/interfaces/IERC3156FlashLender.sol
- openzeppelin/utils/Base64.sol
- openzeppelin/utils/Strings.sol
- royalty-registry-solidity/IRoyaltyRegistry.sol
- solady/utils/LibClone.sol
- solady/utils/MerkleProofLib.sol
- solmate/auth/Owned.sol
- solmate/tokens/ERC20.sol
- solmate/tokens/ERC721.sol
- solmate/utils/FixedPointMathLib.sol
- solmate/utils/SafeTransferLib.sol
- If you have a public code repo, please share it here:
- How many contracts are in scope?: 4
- Total SLoC for these contracts?: 725
- How many external imports are there?: 12
- How many separate interfaces and struct definitions are there for the contracts within scope?: 3
- Does most of your code generally use composition or inheritance?: inheritance
- How many external calls?: 10
- What is the overall line coverage percentage provided by your tests?: N/a
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: Caviar public pools: https://github.com/outdoteth/caviar
- Please describe required context: The EthRouter contract routes trades to caviar public pools (in addition to private pools)
- Does it use an oracle?: no
- Does the token conform to the ERC20 standard?: N/a
- Are there any novel or unique curve logic or mathematical models?: no
- Does it use a timelock function?: no
- Is it an NFT?: Yes
- Does it have an AMM?: Yes
- Is it a fork of a popular project?: No
- Does it use rollups?: No
- Is it multi-chain?: No
- Does it use a side-chain?: No
-
There is a bug related to slither that prevents it from running correctly. More info can be found here: crytic/slither#1737
-
There is a bug related to generating coverage reports with forge. More info can be found here: foundry-rs/foundry#3357