octant-v2-core

@octant

  • Total reward: $60,000
  • Status: Live
  • Findings submitted: 80
  • Start date: 8 Sep 2025
  • End date: 29 Sep 2025
  • KYC: Required to join

Octant is open public infrastructure for sustainable growth. It provides innovative DeFi primitives that create regenerative funding streams and allocation mechanisms, building a self-sustaining network to support communities and their ecosystems. Through its core components—Funding Vaults, Community Staking contracts, Allocation Mechanisms, and Routing & Splitting contracts—Octant serves as a perpetual funding engine that directs yield toward impactful initiatives across the Ethereum ecosystem.

Octant Funding Vaults are smart contracts that automatically generate yield through DeFi strategies and direct that yield to fund ecosystem growth. They act as capital-preserving systems while helping you fund initiatives your community values most. Through yield-donating strategies, these vaults keep your capital intact, rebalance yield opportunities, and route capital to funding recipients. Capital providers can easily deploy their treasury assets, as the vaults manage the complexities of yield donation, ensuring sustainable funding streams for their ecosystems.

The Payment Splitter is a core component of Octant that distributes funds generated by yield strategies proportionally. It receives ERC-4626 shares and allocates them to multiple predefined recipients. Because it uses a pull payment model, payees must actively claim their allocated share, which keeps fund distribution transparent and under each payee's control. This mechanism simplifies routing yield to various funding destinations.

Allocation mechanisms are smart contracts that manage the distribution of funds received from yield-generating strategies or direct contributions. They enable efficient and transparent allocation by assigning weights to registered recipients, via a voting mechanism, to determine how funds are distributed.
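As an added illustration of the pull payment model described for the Payment Splitter above (example code written for this page, not Octant's PaymentSplitter, whose interface and accounting may differ), the contract below holds ERC-4626 vault shares (any ERC-20 token works), records a fixed weight per payee, and lets each payee pull its pro-rata portion. The contract name, the `weight` table and the `release` function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface. ERC-4626 vault shares are ERC-20 tokens, so this is
// all the splitter needs in order to hold and release them.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative pull-payment splitter (hypothetical; not Octant's PaymentSplitter).
/// Shares sent to this contract are released to payees in proportion to
/// `weight`. Nothing is ever pushed: each payee claims through release().
contract PullSplitterExample {
    IERC20 public immutable shareToken;

    address[] public payees;
    mapping(address => uint256) public weight;   // payee -> fixed weight
    mapping(address => uint256) public released; // payee -> shares already claimed
    uint256 public totalWeight;
    uint256 public totalReleased;

    event Released(address indexed payee, uint256 amount);

    constructor(IERC20 token, address[] memory payees_, uint256[] memory weights_) {
        require(payees_.length == weights_.length, "length mismatch");
        require(payees_.length > 0, "no payees");
        shareToken = token;
        for (uint256 i = 0; i < payees_.length; i++) {
            require(payees_[i] != address(0), "zero payee");
            require(weights_[i] > 0, "zero weight");
            require(weight[payees_[i]] == 0, "duplicate payee");
            payees.push(payees_[i]);
            weight[payees_[i]] = weights_[i];
            totalWeight += weights_[i];
        }
    }

    /// Everything ever received = what is still held + what has been paid out.
    function totalReceived() public view returns (uint256) {
        return shareToken.balanceOf(address(this)) + totalReleased;
    }

    /// What `payee` can claim now: pro-rata entitlement minus what it already took.
    /// Entitlement only grows (weights are fixed and totalReceived never falls),
    /// so the subtraction cannot underflow.
    function releasable(address payee) public view returns (uint256) {
        uint256 entitled = (totalReceived() * weight[payee]) / totalWeight;
        return entitled - released[payee];
    }

    /// Pull model: the payee (or anyone acting for it) claims. State is updated
    /// before the external transfer (checks-effects-interactions), and a payee
    /// whose transfer reverts only blocks its own claim, never the others'.
    function release(address payee) external {
        require(weight[payee] > 0, "not a payee");
        uint256 amount = releasable(payee);
        require(amount > 0, "nothing due");
        released[payee] += amount;
        totalReleased += amount;
        require(shareToken.transfer(payee, amount), "transfer failed");
        emit Released(payee, amount);
    }
}
```

The property worth noting for review is that the splitter never iterates over payees to push tokens, so one recipient whose transfer fails (a blocklisted address, say) cannot hold the other recipients' shares hostage, and because `released` and `totalReleased` are committed before the external call, a re-entrant claim sees nothing further due. Integer division leaves rounding dust in the contract; it remains claimable as later deposits raise each payee's entitlement.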

The RegenStaker contracts are Octant's regenerative staking infrastructure, designed to transform passive yield generation into active ecosystem funding. The system uses a dual-variant architecture, with both variants inheriting from RegenStakerBase, which implements the reward mechanics: dynamic earning power calculations, tip-incentivized external bumping to keep reward distribution accurate, and a nuanced claimer permission model that enables automated reward management without compromising principal security. Most critically, RegenStaker introduces a trust-minimized bridge between individual stakers and collective funding mechanisms through its whitelist-gated contribution system.

Prize distribution and scoring

  • Total Prize Pool: $60,000
  • $5,000 of the prize pot is reserved for Low Severity findings. These reports are judged on quality, and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.

    • 1st: $2,000
    • 2nd: $1,250
    • 3rd: $750
    • 4th: $600
    • 5th: $400
  • Scoring is described on the competition scoring page.
  • Finding severities are described in detail on our docs page.

Documentation

  • Smart contract documentation and specification are within the relevant folders.
  • Codebase Walkthrough
  • Password: CantinaxOctantPrivate

Scope

Files:

  • Core Contracts

    • MultistrategyVault - 955 sloc
    • TokenizedStrategy - 537 sloc
    • MultistrategyLockedVault - 156 sloc
    • BaseStrategy - 118 sloc
    • PaymentSplitter - 98 sloc
    • DebtManagementLib.sol - 254 sloc
  • Factories

    • MultistrategyVaultFactory - 128 sloc
    • RegenStakerFactory - 107 sloc
    • LidoStrategyFactory - 50 sloc
    • PaymentSplitterFactory - 77 sloc
    • RocketPoolStrategyFactory - 50 sloc
    • BaseStrategyFactory - 41 sloc
    • SkyCompounderStrategyFactory - 50 sloc
  • Regen

    • RegenStakerBase - 496 sloc
    • RegenStaker - 65 sloc
    • RegenStakerWithoutDelegateSurrogateVotes - 64 sloc
    • RegenEarningPowerCalculator - 45 sloc
  • Strategies - Periphery

    • BaseYieldSkimmingHealthCheck - 98 sloc
    • UniswapV3Swapper - 94 sloc
    • BaseHealthCheck - 82 sloc
  • Strategies - Yield Donating

    • SkyCompounderStrategy - 173 sloc
    • YieldDonatingTokenizedStrategy - 51 sloc
  • Strategies - Yield Skimming

    • YieldSkimmingTokenizedStrategy - 315 sloc
    • BaseYieldSkimmingStrategy - 44 sloc
    • LidoStrategy - 34 sloc
    • RocketPoolStrategy - 34 sloc
  • Zodiac Core

    • LinearAllowanceSingletonForGnosisSafe - 148 sloc
    • LinearAllowanceExecutor - 54 sloc
  • Mechanism

    • TokenizedAllocationMechanism - 854 sloc
    • ProperQF - 162 sloc
    • BaseAllocationMechanism - 156 sloc
    • QuadraticVotingMechanism - 151 sloc
    • AllocationMechanismFactory - 97 sloc
  • Utils

    • Whitelist - 60 sloc
  • Additional files in scope (added 09/09/2025, 10:30 AM UTC)

    • Yielddonating/MorphoCompounderStrategy.sol: 82 lines
    • BaseHealthCheck.sol: 179 lines
    • BaseYieldSkimmingHealthCheck.sol: 198 lines
    • UniswapV3Swapper.sol: 187 lines

Out Of Scope

Any previous issue marked as acknowledged/will not fix is not in scope to be reported again. If there has been a fix implemented, the fixed code can be treated as in scope.

  • General Issues

    • Issues described in our documentation: in-code comments, in the README.
    • Issues found in previous security reviews
    • Issues related to deploy scripts or tests
    • Third party integrations not functioning as advertised
    • Issues related to potentially malicious actions taken by trusted entities
    • Issues related to mistakes made by deployers when configuring vaults
    • Issues related to chain re-orgs and network liveness
    • Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk
    • Issues related to non-standard tokens and their behaviors (i.e. weird-tokens)
    • ecrecover() allows for malleable signatures
  • Multistrategy

    • MultistrategyVault is a fork of Yearn V3 (https://github.com/yearn/yearn-vaults-v3), ported from Vyper to Solidity. Issues that exist in the original Yearn V3 implementation, including those identified in Yearn's audits or bug bounty program, are out of scope. We maintained 1:1 design parity with the original implementation, and reports should focus exclusively on issues introduced during the Solidity port.
    • Issues related to withdrawal queue manipulation in _deposit and _redeem.
    • Timing issues related to Vault operator error or lack of a protected RPC.
    • MultistrategyVault.processReport() can revert due to underflow when endingSupply ends up negative
    • Whales can DOS strategy and vault deposits by maxing out deposit limits
    • MultistrategyVault accountant earns instant profit on fee shares if profit locking is disabled
    • MultistrategyVault applies changes in protocol fees retroactively
    • MultistrategyVault.setProfitMaxUnlockTime() can be sandwiched to extract profit
    • WithdrawLimitModule can be called with wrong strategies array
    • Issues related to withdraw queue manipulation when the default queue is disabled
    • Unreported strategy losses can be forced on vault depositors to cause loss of principal at the discretion of the vault management
  • Lightchaser report

Build Instructions

  1. Add TEST_RPC to .env. You must use a mainnet node RPC with archive access to run the integration tests for strategies.
  2. Install corepack if it is not already installed
    • > corepack enable
  3. The project uses yarn and soldeer to install dependencies
    • > yarn
    • > forge soldeer install
  4. Build the project
    • > forge build

Basic POC Test

  • The mandatory POC rule applies.
  • Please refer to the /test/proof-of-concepts/ folder within the repository.

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.