Skip to content
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.

sherlock-audit/2023-11-convergence

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
 
 
sherlock-cvg
sherlock-cvg
 
 
README.md
README.md
 
 

Repository files navigation

Convergence contest details

Q&A

Q: On what chains are the smart contracts going to be deployed?

The Convergence protocol will be deployed on the Ethereum Mainnet.

Q: Which ERC20 tokens do you expect will interact with the smart contracts?

LockingPositionService

Lock the CVG in the LockingPositionService

  • CVG

CvgSdtBuffer

Receives and acculate the following rewards :

SdtBlackhole

  • sdAssetGauge received through Staking
  • Bribe tokens accumulated and sent to SdtRewardReceiver

SdtBuffer

  • Accumulates and receives any ERC20 coming from the StakeDao Gauge ( SDT, CRV, 3CRV, BAL, USDC, FXS, FXN, PENDLE, ANGLE sdCRV, sdBAL ... )

SdtFeeCollector

  • Receives Fees in SDT from all buffer ( except CvgSDT )
  • Dispatch fees between different receivers

YsDistributor

Receives rewards from the treasury. The list of ERC20 can vary.

  • Curve (CRV)
  • Convex (CVX)
  • StakeDao (SDT)
  • Frax-Share (FXS)
  • Prisma (PRISMA) (...)
  • USDC
  • USDT
  • DAI

SdtRewardReceiver

  • Mints CVG to claimer
  • Receives all ERC20 coming from Gauge ( SDT, CRV, 3CRV, FXS .. ) + Bribe assets ( sdCRV, sdPENDLE, sdFXS, sdPENDLE, sdANGLE ... )
  • Transfer rewards to Stakers on claim

SdtStakingPositionService

  • transferFrom caller to SdtBlackHole gaugeAsset from StakeDao
  • transferFrom caller to SdtStakingPositionService CvgSDT

CvgSDT

  • transferFrom SDT from caller to veSDTMultisig on mint on 1:1 ratio.

SdtUtilities

Convert & Stake assets in Staking contracts

  • sdGaugeAsset ( sdGaugeCRV, sdGaugeFXS, sdGaugeFXN ... )
  • sdAsset ( sdCRV, sdFXS, sdFXN ... )
  • asset ( CRV, FXS, FXN ... )
  • SDT & CvgSDT

Q: Which ERC721 tokens do you expect will interact with the smart contracts?

Only NFT that we made :

  • LockingPositionManager

  • SdtStakingPositionManager

  • BondPositionManager

Q: Do you plan to support ERC1155?

None

Q: Which ERC777 tokens do you expect will interact with the smart contracts?

None

Q: Are there any FEE-ON-TRANSFER tokens interacting with the smart contracts?

We have some interaction with USDC and potentially USDT. We understand that USDT and USDC may introduce fees in the future, but those tokens should be assumed not to do that.

Q: Are there any REBASING tokens interacting with the smart contracts?

None

Q: Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?

TRUSTED

Q: Is the admin/owner of the protocol/contracts TRUSTED or RESTRICTED?

TRUSTED

Q: Are there any additional protocol roles? If yes, please explain in detail:

Treasury DAO

Multisig executing the action voted by the DAO.

VeSdtMultisig

Multisig receiving SDT from CvgSDT staking. Lock this SDT in veSDT.

Bond

A bond contract can mint CVG.

Staking

A staking contract can mint CVG Only a Staking contract can be a gauge

isSdtStaking

A SDT staking contract that can withdraw a gauge token from the SdtBlackHole

Q: Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?

None

Q: Please list any known issues/acceptable risks that should not result in a valid finding.

None

Q: Please provide links to previous audits (if any).

Halborn ( on the old Tokemak integration ) : https://ipfs.io/ipfs/QmPyZZoeNJqt44GiFRoc8E9JctCyp5DYxkW254hhfkeUui

Hats ( on the Bond mechanism & Oracle price fetching ) : https://app.hats.finance/audit-competitions/convergence-finance-ibo-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/leaderboard

Q: Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?

None

Q: In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.

We are interacting with StakeDao on the integration of their Gauge contract through our Staking architecture.

We are for instance :

  • Claiming rewards from their Gauges, if the claim is broken on their Gauges, it'll break on our side also. ( It's not impacting funds of the user, only the potential earned rewards on 1 week ) .
  • Converting asset to sdAsset to sdGaugeAsset in SdtUtilities, using the StakeDao converters

We are aware of this kind of issues, we so separated the Convergence rewards from the rewards coming from StakeDao, in order not to break the full protocol.

Q: Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?

USDC & USDT

Q: Add links to relevant protocol resources

Technical documentation is to find through natspec in contracts & under technical documentation folder: https://github.com/sherlock-audit/2023-11-convergence/tree/main/sherlock-cvg/technical-docs

Audit scope

sherlock-cvg @ d0b36ce5ebb141895e4bf23b241a184fa0606b1b

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

4 stars

Watchers

2 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages