Whetstone / doppler-contracts

Doppler is a customizable liquidity-bootstrapping protocol designed for the Uniswap ecosystem. The entire protocol is designed for use onchain and eliminates value leakage.

Scope

  • Repository: https://github.com/whetstoneresearch/doppler
  • Commit: 338d39d6890a6bb98fba92d117c8e69465f9caa5
  • Total LOC: approx. 2300 (incl whitespace/imports/comments)
  • Files:
    • Airlock.sol
    • TokenFactory.sol
    • DERC20.sol
    • UniswapV2Migrator.sol
    • Doppler.sol
    • UniswapV3Initializer.sol
    • Governance.sol
    • UniswapV4Initializer.sol
    • GovernanceFactory.sol
    • interfaces

Build Instructions

  • The project uses Foundry and must be compiled with via-ir.
  • The default profile settings include the Foundry configuration required to build the contracts.
  • The TestScenarios.sh bash script is an additional utility for varying the Doppler v4 pool configuration.
  • For the v3 integration tests, it is recommended to set `MAINNET_RPC_URL` in .env; a public RPC such as https://eth.llamarpc.com can be used.
  • The optional v4 initializer integration test uses Unichain Sepolia deployments; the public RPC https://sepolia.unichain.org can be used, exported as `UNICHAIN_SEPOLIA_RPC_URL`.

Out of scope

  • Previous security reports
  • Expected behaviors such as trusted/untrusted roles and/or any accepted risks:
    • The Doppler Owner can set trusted modules and take out fees. Additionally, we accept that there is an edge case where all assets are sold back and funds could be locked. We believe this is unsolvable and economically impossible.
    • UniswapV3Initializer: the price can be manipulated prior to initialization (https://hackmd.io/@eQvUMjVEQhKY3brAjTH98A/BJyoA2WPye).
    • The create function in the Airlock contract expects a salt that is passed to the different modules to deploy several contracts using CREATE2. However, a malicious actor could "steal" the salt and frontrun the token deployment, allowing them to stealthily manipulate the parameters they want without changing the final token address. A potential exploit here would be to include themselves as a recipient of some extra vested tokens, for example.
    • lockPool() is simply not invoked by the Airlock contract.
    • A few more known issues to be added.

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.

Summary

  • Status: Completed
  • Total reward: $65,000
  • Findings submitted: 101
  • Start date: 15 Jan 2025 10:00pm (local time)
  • End date: 22 Jan 2025 8:00pm (local time)