-
Total Prize Pool: $25,200 in USDC
- HM awards: $18,700 in USDC
- Analysis awards: $1,000 in USDC
- QA awards: $500 in USDC
- Gas awards: $500 in USDC
- Judge awards: $4,000 in USDC
- Scout awards: $500 in USDC
-
Join C4 Discord to register
-
Submit findings using the C4 form
-
Starts February 16, 2024 20:00 UTC
-
Ends February 23, 2024 20:00 UTC
This audit repo and its Discord channel are accessible to certified wardens only. Participation in private audits is bound by:
- Code4rena's Certified Contributor Terms and Conditions
- C4's Certified Contributor Code of Professional Conduct
All discussions regarding private audits should be considered private and confidential, unless otherwise indicated.
Please review the following confidentiality requirements carefully, and if anything is unclear, ask questions in the private audit channel in the C4 Discord.
- The 4naly3er report for
thruster-clmmcan be found here. - The 4naly3er report for
thruster-treasurecan be found here. thruster-cfmmuses Solidity version 0.5.16 and isn't compatible with 4naly3er- The slither.txt output for
thruster-clmm - The slither.txt output for
thruster-cfmm - The slither.txt output for
thruster-treasure
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Thruster is a Uniswap V2 and V3 fork codebase with modifications to the code to match Blast specific features, and also provide implementation for support of a V3 gauge system to be implemented in the future. The V3 gauge system is out of scope for this audit, but is included in the ThrusterPool codebase marked as gauge.
A changelog of the modifications can be found in the ThrusterAudits_Changelog.pdf file. Additionally, there are two open pull requests, one to show the diffs between the new code and the original V2 core + periphery code, and the other one to show the diffs between the new code and the original V3 core + periphery code.
Additionally, we include a single ThrusterTreasure.sol file that is used to perform a lottery draw like feature. This relies on using the Pyth Entropy product, which relies on off-chain components. The contract itself also relies on an admin to update the Merkle proof for how many tickets a user is entitled to claim, as the number of tickets is also computed off chain. Off-chain components are out of scope for this audit, and problems that are caused by admin error are out of scope for the audit.
- Documentation: https://docs.thruster.finance
- Website: https://www.thruster.finance
- Twitter: https://www.x.com/thrusterfi
- Discord: https://www.discord.gg/invite/thrusterfi
See scope.txt
| Contract | SLOC | Purpose | Libraries used |
|---|---|---|---|
| thruster-clmm/contracts/ThrusterPool.sol | 601 | The core concentrated liquidity pool, a fork of UniswapV3Pool | OpenZeppelin |
| thruster-clmm/contracts/ThrusterPoolFactory.sol | 75 | The core factory of the pool, a fork of UniswapV3Factory | OpenZeppelin |
| thruster-clmm/contracts/ThrusterPoolDeployer.sol | 36 | The core pool deployer responsible for CREATE2 of ThrusterPools | OpenZeppelin |
| thruster-clmm/contracts/NonfungiblePositionManager.sol | 87 | The periphery position manager for managing liquidity of ThrusterPools | OpenZeppelin |
| thruster-clmm/contracts/libraries/PoolAddress.sol | 25 | Used for deterministic computation of deployed ThrusterPool contracts via Deployer | OpenZeppelin |
| thruster-clmm/contracts/base/PoolInitializer.sol | 25 | Used for creating a pool through multicall in the NonfungiblePositionManager | OpenZeppelin |
| thruster-cfmm/contracts/ThrusterFactory.sol | 86 | The core factory for creating constant function liquidity pools, a fork of UniswapV2Factory | OpenZeppelin |
| thruster-cfmm/contracts/ThrusterPair.sol | 249 | The core liquidity pool itself, also functions as a fungible token, combines both UniswapV2Pair and UniswapV2ERC20 | OpenZeppelin |
| thruster-cfmm/contracts/ThrusterYield.sol | 47 | A contract to opt the contract into Blast specific yield claiming and gas claiming | Blast |
| thruster-cfmm/contracts/ThrusterGas.sol | 27 | A contract to opt the contract only into gas claiming for Blast | Blast |
| thruster-cfmm/contracts/libraries/ThrusterLibrary.sol | 89 | A library contract that includes a function for deterministic computation of pair addresses | None |
| thruster-treasure/contracts/ThrusterTreasure.sol | 207 | A lottery drawing contract using Pyth entropy and Merkle Roots | Pyth, OpenZeppelin |
- All contracts under
thruster-cfmm/contracts/libraries/*except for ThrusterLibrary.sol thruster-cfmm/contracts/ThrusterGasRouter.solthis is justThrusterGas.solwith a different version for the router- Router contracts are outside of scope, those had no changes made to them
- Any concentrated liquidity gauge code implementation that will be used by the ThrusterPool
- All contracts under
thruster-clmm/contracts/libraries/*andthruster-clmm/contracts/lens/*andthruster-clmm/contracts/base/*, these contracts had no changes aside from name changes - Any deployment errors are out of scope, e.g. incorrect constructor arguments. For example, we know that we need to use the
ThrusterPoolDeployer.solcontract address instead of theThrusterPoolFactory.solcontract address when initializing theSwapRouter.sol,QuoterV2.solandNonfungiblePositionManager.sol. - MEV attacks are out of scope for this audit.
- All contracts that use gas should comply with the Blast gas claim logic.
- All contracts that are intended to hold any of the following assets (WETH, USDB, ETH) should comply with the Blast claimable yield logic. The automatic yield is an exception only for ThrusterTreasure.sol, as we will keep a small amount of ETH in the contract to pay for Pyth oracle entropy calls.
- The code follows the same core mechanisms as Uniswap V2 and V3, so constant function market maker and concentrated liquidity market maker.
- Code will be deployed on the Blast L2, which is an Optimism Stack L2
- Privileged role is in charge enabling the fee on the protocol.
- Deployment of pools for both CFMM and CLMM is permissionless
- Claiming of Blast yield and gas is a permissioned role always
- Treasure lottery is structured as users have the option to enter all their existing tickets for the current round or accumulate tickets. There is no option to partially enter tickets or choose specific numbers. It will also be possible for there to be no winners of the lottery, as it is possible to submit ghost tickets via the Merkle by the team.
- ThrusterPool contract for price manipulation
- NonfungiblePositionManager for improper access to liquidity positions
- ThrusterPair contract for price manipulation on trades
- For ThrusterPair.sol the x * y = k invariant
- If you have a public code repo, please share it here:
- How many contracts are in scope?: 11
- Total SLoC for these contracts?: 1465
- How many external imports are there?: 10+ (didn't really count)
- How many separate interfaces and struct definitions are there for the contracts within scope?: 10+ (didn't really count)
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 1 - Pyth Entropy
- What is the overall line coverage percentage provided by your tests?: 0
- Is this an upgrade of an existing system?: True - Fork of Uniswap V2 and V3
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): AMM
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: False
- Please describe required context:
- Does it use an oracle?: No
- Describe any novel or unique curve logic or mathematical models your code uses: Uniswap V2 and V3 math
- Is this either a fork of or an alternate implementation of another project?: Fork of Uniswap V2 and V3
- Does it use a side-chain?:
- Describe any specific areas you would like addressed:
All repos are compatible with both Forge Foundry and Eth-Brownie compilation. However, thruster-cfmm is not compatible with forge test due to Solidity compiler version being too low.
cd thruster-cfmm && forge build
cd ..
cd thruster-clmm && forge build
cd ..
cd thruster-treasure && npm i && forge buildor
cd thruster-cfmm && brownie compile
cd ..
cd thruster-clmm && brownie compile
cd ..
cd thruster-treasure && npm i && brownie pm install OpenZeppelin/openzeppelin-contracts@5.0.0 && brownie compileTwo pull requests are opened titled Diff to show the changes with the V2 contracts and Diff to show the changes with the V3 contracts. These two PRs show the differences
between the Uniswap V2 Core + Periphery code, as well as the Uniswap V3 Core + Periphery code in accordance to the titles.
See the ThrusterAudits_Changelog.pdf file for a written report on changes made to the forked codebase.
The main files we want to get audited are:
From Thruster CLMM (Uniswap V3 Fork):
- ThrusterPool.sol
- ThrusterPoolFactory.sol
- ThrusterPoolDeployer.sol
- NonfungiblePositionManger.sol
From Thruster CFMM (Uniswap V2 Fork):
- ThrusterPair.sol
- ThrusterFactory.sol
From Thruster Treasure:
- ThrusterTreasure.sol
Blast specific:
- ThrusterGas.sol
- ThrusterYield.sol
It is hard to run tests, as there is Blast specific code. The way we have been testing is by running scripts on the Blast Sepolia Testnet directly.
Employees of Thruster and employees' family members are ineligible to participate in this audit.