Collar Protocol / collar-core

Collar Protocol is a lending protocol that enables liquidation-free and high LTV borrowing against crypto assets by combining dex swaps and options-like payoff structures.

Prize distribution and scoring

• Total Prize Pool: $100,000

• Primary Prize Pool: $95,000

• The prize distribution has 3 possible triggers:

  • If only low severity findings are found, the total pot size is $40,000 split among top 10 researchers for high quality findings.
    • 1st: $20k
    • 2nd: $10k
    • 3rd: $5k
    • 4th: $2.5k
    • 5th: $1.25k
    • 6th-10th: $250
  • If one or more valid medium severity findings are found, the total pot size is $40,000
  • If one or more valid high severity findings are found, the total pot size is $100,000
  • $5,000 of the prize pot is reserved for Low Severity findings. These reports are judged based on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.
    • 1st: $2.5k
    • 2nd: $1.25k
    • 3rd: $500
    • 4th: $500
    • 5th: $250

• Please note that lows only pot distribution may be subject to change depending on the overall valid low submissions at the end of the competition.

• Scoring described in the competition scoring page.

• Findings Severities described in detail on our docs page.

No mandatory POC rule

Previous validity rules apply.

Documentation

• Competition Briefing
• Solidity files comments contain the most up to date documentation
• Some diagrams for high level overview: diagrams.md
• General protocol / mechanism docs: https://docs.collarprotocol.xyz/

Deployment Destinations

Arbitrum only initially. OP stack rollups (Optimism, Base) in the future.

Scope

• Repository: https://github.com/CollarNetworks/protocol-core
• Commit: 3eadf114e72ff49b3096c221f0d8d31951a38292
• Total LOC: 1524
• Files: all files in src/ excluding src/interfaces

--------------------------------------------------------------------------------
File                              blank        comment           code
--------------------------------------------------------------------------------
src/LoansNFT.sol                    118            414            371
src/EscrowSupplierNFT.sol            78            253            254
src/CollarTakerNFT.sol               57            142            197
src/Rolls.sol                        56            196            194
src/CollarProviderNFT.sol            48            145            190
src/ConfigHub.sol                    25             73             79
src/ChainlinkOracle.sol              13             46             52
src/CombinedOracle.sol               11             37             47
src/SwapperUniV3.sol                  9             51             43
src/base/BaseManaged.sol             17             38             41
src/base/BaseTakerOracle.sol         13             49             33
src/base/BaseNFT.sol                  7             13             23
--------------------------------------------------------------------------------
SUM:                                452           1457           1524

Build Instructions

• Install run tests excluding fork tests: forge install && forge build && forge test --nmc Fork
• POC: modify tests in test/unit for local testing, and test/integration for fork tests (require defining RPC in .env, see .env.example)

Out of scope

Known Issues

• Providers offers do not limit execution price (only strike percentages), nor have deadlines, and are expected to be actively managed.
• No refund of protocol fee for position cancellations / rolls. Fee APR and roll frequency are assumed to be low, and rolls are assumed to be beneficial enough to users to be worth it. Accepted as low risk economic issue.
• During escrow loan foreclosure, any remaining underlying is sent to the borrower instead of being stored to be pulled. So it can be sent to a contract that will not credit it to actual user.
• Because oracle prices undergo multiple conversions (feeds, tokens units), asset and price feed combinations w.r.t to decimals and price ranges are assumed to be checked to allow sufficient precision.
• In case of congestion, calls for openPairedPosition (openLoan that uses it), and rolls executeRoll can be executed at higher price than the user intended (if price is lower, openLoan and executeRoll have slippage protection, and openPairedPosition has better upside for the caller). This is accepted as low likelihood, and low impact: loss is small since short congestion will result in small price change vs. original intent, and long downtime may fail the oracle sequencer uptime check.
• Issues and considerations explained in the Solidity comments and audit report.

Non obvious parameter ranges

• minDuration is at least 1 month.

ERC-20 assumptions / integration checklist:

• No hooks or reentrancy vectors
• Balance changes only due to transfers. E.g., no rebasing / internal shares
• Balance changes always and exactly with transfer arguments. E.g, no FoT, no max(uint) args overrides like cUSDCv3
• Approval of 0 amount works
• Transfers of 0 amount works
• (for checklist use: check changes to https://github.com/d-xo/weird-erc20)

Prior Audits

• Cantina solo review Oct-2024 report

• Automated findings by Lightchaser

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.