doppler-contracts

Doppler is a customizable liquidity-bootstrapping Protocol designed for the Uniswap Ecosystem. The entire Protocol is designed for use onchain and eliminates value leakage of value.

Prize distribution and scoring

• Total Prize Pool: $65,000

• Scoring described in the competition scoring page.

• Findings Severities described in detail on our docs page.

Documentation

• Technical Documentation

• Doppler v4/v3 refer to the corresponding uniswap version, where v4 is the uniswap v4 hook implementation and v3 is a simplified version of the protocol built on uniswap v3

• V4 readme: https://github.com/whetstoneresearch/doppler/blob/main/README.md

• For v3 refer to natspec/video (video tbd)

Scope

• Repository: https://github.com/whetstoneresearch/doppler
• Commit: 338d39d6890a6bb98fba92d117c8e69465f9caa5
• Total LOC: approx. 2300 (incl whitespace/imports/comments)
• Files:
  • Airlock.sol
    • TokenFactory.sol
    • DERC20.sol
    • UniswapV2Migrator.sol
    • Doppler.sol
    • UniswapV3Initializer.sol
    • Governance.sol
    • UniswapV4Initializer.sol
    • GovernanceFactory.sol
    • interfaces

Build Instructions

• Project uses foundry, must compile with via-ir
• Default profile settings include the foundry configuration required to build the contracts
• Additional utility in TestScenarios.sh bash script for varying doppler v4 pool configuration
• For v3 integration tests it is recommended to include `MAINNET_RPC_URL` in .env, can use public rpc such as https://eth.llamarpc.com
• Optional v4 initializer integration test uses unichain sepolia deployments, can use public rpc https://sepolia.unichain.org exported as `UNICHAIN_SEPOLIA_RPC_URL`

Basic POC test

• Mandatory POC rule applies for this competition
• V3PocTest.sol
• V4PocTest.sol

Out of scope

• Previous security reports
• Expected behaviors such as trusted/untrusted roles and/or any accepted risks:
  • Doppler Owner can set trusted modules and take out fees. Additionally, we accept that there is an edge-case where all assets are sold back, and funds could be locked. We believe this is unsolvable and economically impossible.
  • UniswapV3Initializer - price can be manipulated prior to initialization https://hackmd.io/@eQvUMjVEQhKY3brAjTH98A/BJyoA2WPye
  • The create function in the Airlock contract expects a salt that will be passed to the different modules to deploy several contracts using CREATE2. However, a malicious actor could "steal" the salt and frontrun the token deployment, allowing them to manipulate the parameters they want stealthy, without changing the final token address. A potential exploit here would be to include themselves as a recipient of some extra vested tokens, for example.
  • simply lockPool() is not invoked by the airlock contract
  • Few more Known Issues to be added

• Automated findings by Lightchaser https://gist.github.com/ChaseTheLight01/5049f6aebe28ae798bf442f29ece8768

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.