StakeUp / stakeup-bloomv2


StakeUp is a fully decentralized, on-chain and permissionless USDC autocompounding stable LST that derives its yield from US Treasury Bills. All fees within the system are rewarded to stakers of the protocol’s utility token, SUP. The protocol is built on top of Bloom Protocol’s Bloom-v2, which is also within the scope of the audit.

Bloom V2 is a lending market allowing lenders to access short-dated treasury yield in a permissionless manner via a commercial loan that’s backed by USDC and Backed Finance’s bIB01 token.

Prize distribution and scoring

  • Total Prize Pool: $60,000

  • Only High and Medium severity findings will be rewarded for this competition

  • Scoring described in the competition scoring page.

  • Findings Severities described in detail on our docs page.

Documentation

Code Walkthrough

Scope

| Smart contract | SLOC |
|---|---|
| BloomPool.sol | 298 |
| Orderbook.sol | 194 |
| PoolStorage.sol | 92 |
| token/Tby.sol | 47 |

| Smart contract | SLOC |
|---|---|
| token/RebasingOFT.sol | 108 |
| token/StUsdcLite.sol | 104 |
| token/StUsdc.sol | 287 |
| token/WstUsdcLite.sol | 45 |
| token/WstUsdc.sol | 45 |
| token/StakeUpTokenLite.sol | 8 |
| token/StakeUpToken.sol | 72 |
| staking/SUPVesting.sol | 65 |
| staking/StakeUpStaking.sol | 171 |
| rewards/CurveGaugeDistributor.sol | 91 |
| rewards/lib/StakeUpMintRewardLib.sol | 18 |
| rewards/lib/StakeUpRewardMathLib.sol | 43 |
| messaging/controllers/ControllerBase.sol | 23 |
| messaging/controllers/OAppController.sol | 21 |
| messaging/controllers/OFTController.sol | 27 |
| messaging/BridgeOperator.sol | 63 |
| messaging/LzOrderedMessenger.sol | 31 |
| messaging/StakeUpKeeper.sol | 82 |
| messaging/WstUsdcBridge.sol | 121 |

Build Instructions

Bloom-v2

  1. Run forge to install all dependencies.

  2. Run forge build to compile all smart contracts.

  3. Run forge test to run the test suite.

StakeUp

  1. Run yarn build to compile all contracts and submodules.
  2. Run forge test to run the test suite.

Basic POC test

Bloom V2

  • test/BloomTestSetup.t.sol

StakeUp

  • tests/foundry/StUsdcSetup.t.sol (Basic testing setup)
  • tests/foundry/CrossChainSetup.t.sol (Testing setup if you want to test StakeUp’s omni-chain capabilities)

Out of scope

  • Does not support FoT or rebasing tokens
  • BloomPool is not compatible with tokens with more than 18 decimals
  • BloomPool lenders and borrowers cannot redeem if market makers do not fully swap out RWA collateral.
  • stUsdc is vulnerable to inflation attacks on deployment
  • Market Makers are trusted not to exclude certain accounts while swapping in for orders
  • Economic impacts of bond markets
  • Possibility of latency in exchange rate updates when messaging cross-chain
  • SUP vesting allocations granted after vesting has started can be claimed without a vesting period
  • Withdrawal Liquidity in stUsdc can be low if no TBYs expire in the near future
  • StakeUpStaking:vest doesn't trigger deposit time lock and does not need to since all vests will take place at the start of the protocol’s life.
  • StakeUpKeeper::quoteSync has the potential to return inaccurate fee amounts if the user improperly encodes the LayerZero messaging options.
  • Caller is responsible for setting the nativeFee in poke; in the event that this is done incorrectly, the call will revert.
  • Share math can get wonky when going back and forth from 0 supply on a given chain.
    • To mitigate this, there will be 50 stUsdc that the team will bridge over to each chain upon deployment.
  • Discount applied to TBY deposits can be slightly inaccurate since yield gained isn't perfectly linear.
    • The goal is to make it as fair as possible, not to get the discount exact to the wei.
  • DOS on poke if there are too many peers added.
    • Most possible TBYs at a given time will be 90.
    • There will only be around 6-10 peers set.

Automated findings by Lightchaser

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.

Summary

  • Status: Completed
  • Total reward: $60,000
  • Findings submitted: 899
  • Start date: 7 Oct 2024 8:00pm (local time)
  • End date: 21 Oct 2024 8:00pm (local time)