Whetstone / doppler-contracts

Whetstone / doppler-contracts

@Whetstone
Completed

Summary

Status

Completed

Total reward:

$65,000

Findings submitted:

101

Start date:

15 Jan 2025 10:00pm (local time)

End date:

22 Jan 2025 8:00pm (local time)

Doppler is a customizable liquidity-bootstrapping Protocol designed for the Uniswap Ecosystem. The entire Protocol is designed for use onchain and eliminates value leakage of value.

Prize distribution and scoring

Documentation

Scope

  • Repository: https://github.com/whetstoneresearch/doppler
  • Commit: 338d39d6890a6bb98fba92d117c8e69465f9caa5
  • Total LOC: approx. 2300 (incl whitespace/imports/comments)
  • Files:
    • Airlock.sol
      • TokenFactory.sol
      • DERC20.sol
      • UniswapV2Migrator.sol
      • Doppler.sol
      • UniswapV3Initializer.sol
      • Governance.sol
      • UniswapV4Initializer.sol
      • GovernanceFactory.sol
      • interfaces

Build Instructions

  • Project uses foundry, must compile with via-ir
  • Default profile settings include the foundry configuration required to build the contracts
  • Additional utility in TestScenarios.sh bash script for varying doppler v4 pool configuration
  • For v3 integration tests it is recommended to include `MAINNET_RPC_URL` in .env, can use public rpc such as https://eth.llamarpc.com
  • Optional v4 initializer integration test uses unichain sepolia deployments, can use public rpc https://sepolia.unichain.org exported as `UNICHAIN_SEPOLIA_RPC_URL`

Basic POC test

Out of scope

  • Previous security reports
  • Expected behaviors such as trusted/untrusted roles and/or any accepted risks:
    • Doppler Owner can set trusted modules and take out fees. Additionally, we accept that there is an edge-case where all assets are sold back, and funds could be locked. We believe this is unsolvable and economically impossible.
    • UniswapV3Initializer - price can be manipulated prior to initialization https://hackmd.io/@eQvUMjVEQhKY3brAjTH98A/BJyoA2WPye
    • The create function in the Airlock contract expects a salt that will be passed to the different modules to deploy several contracts using CREATE2. However, a malicious actor could "steal" the salt and frontrun the token deployment, allowing them to manipulate the parameters they want stealthy, without changing the final token address. A potential exploit here would be to include themselves as a recipient of some extra vested tokens, for example.
    • simply lockPool() is not invoked by the airlock contract
    • Few more Known Issues to be added

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.