NOTE: An earlier version of this review pointed out some issues which have since been addressed. Please consult the git history for reference.
- Reviewed by: @mkflow27
- Checked by: @rabmarut
- Deployed at:
ankrETH is a liquid staking token developed by Ankr. The ankrETH tokens are bridged via a custom bridge developed by Ankr (see audit). The bridged version of ankrETH is called InternetBond and is a BeaconProxy.
The overall process of getting the rate to multiple networks is:
- Custom bridge
ankrETHto network of choice - Daily update of
ratio(tvl / tvl + rewards) on the network of choice in a contract calledratioFeed. This contract is an aggregation of rates and can be queried for the rate. - Rate provider returns inverse of
ratioasgetRate()
Any addresses provided throughout this review apply to the deployment on Avalanche. The other deployments are assumed to be identical, as suggested by a cursory review of each. In limited cases where they are not identical, a specific note is provided.
Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use.
- Implements the
IRateProviderinterface. -
getRatereturns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals.
Each of the items below represents a common red flag found in Rate Provider contracts.
If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider.
-
The Rate Provider is upgradeable (e.g., via a proxy architecture or an
onlyOwnerfunction that updates the price source address). -
Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price).
- upgradeable component:
ankrETH(avalanche:0x12D8CE035c5DE3Ce39B1fDD4C1d5a745EAbA3b8C)- admin address: avalanche:0xF508AE11De875b2136C580229d1B8291F1EC2B7E
- admin type: multisig
- multisig threshold/signers: 3/5
- multisig timelock? NO
- trustworthy signers? NO (can't identify any)
- upgradeable component:
InternetBondRatioFeed_R3(avalanche:0xEf3C162450E1d08804493aA27BE60CDAa054050F)- admin address: same as above
- upgradeable component:
-
Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes).
- source:
InternetBondRatioFeed_R3accepts updates from the 3/5 multisig mentioned above (here calledowner), or anoperatordesignated by theowner - source address: avalanche:0xEf3C162450E1d08804493aA27BE60CDAa054050F
- any protections? YES but only for
operators. The 3/5 multisigownercan always override. Foroperators:- rate monotonically increases
- rate delta is within configurable (by
owner) threshold - 12 hours minimum between updates
- source:
-
Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price).
- The Rate Provider is susceptible to donation attacks.
To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users.
There are no additional findings.
Summary judgment: SAFE
Assuming a reasonable set of 3/5 multisig signers, the behavior of this Rate Provider can be deemed safe. Reasonable protections are placed upon all other actors in the system.