Sign in
profile image

Curvance - curvance

Curvance Competition

Competition at a glance

  • Monday, February 26th 20:00 UTC to Thursday, April 15th 20:00 UTC
  • Total Prize Pool: $375,000

What is Curvance

Curvance at a glance

Curvance is a cross-chain money market for yield bearing assets. Maximize yield while leveraging the full value of your assets. Curvance simplifies DeFi, with a modular system capable of creating complex strategies for users in a single click.

Curvance operates as a hybrid model between a yield optimizer and a cross-margin money market. This model has various characteristics atypical for incumbent money markets such as:

  • Collateral deposits and debt deposits receive two different types of tokens, collateral tokens (cTokens) and debt tokens (dTokens).
  • Rehypothecation has been removed. This allows for the support of long-tail assets which, if borrowable, could introduce systemic risk to DeFi.
  • "Collateral Posting", by introducing a hybrid model, users can yield farm an unlimited amount of assets, but, to leverage the corresponding money market, the collateral must be "posted", like a perpetual exchange. Collateral posting has restrictions on the total amount of exogenous risk allowed to be introduced into the system.
  • Dynamic Interest Rates with interest rate decay, vertex slope can be adjusted upward or downward based on utilization similar to kashi, however, a new continuous negative decay rate is applied every cycle when interest rates slope is elevated.
  • Dynamic liquidation engine allows for more nuanced position management inside the system. Introduces a sliding scale of liquidation between light soft liquidations and aggressive hard liquidations.
  • Bad debt socialization, when a user's debt is greater than their collateral assets, the entire user's account can be liquidated with lenders paying any collateral shortfall.
  • Crosschain gauge system, introducing of gauge system allowing reward streaming to collateral depositors and lenders. With the ability to configure by token and no limit on the number of different token rewards streamed.
  • Delegated actions, ability to delegate user actions to any address, allowing for support for things like limit orders, DCA, take profit, crosschain borrowing, crosschain lending. Some of these are built already in this repo, others are not.

Prize distribution and scoring

  • Scoring described in the competition scoring page.
  • Findings Severities described in detail on our docs page.
  • Only High and Medium findings would be accepted.

Documentation

Scope

The "contracts" folder contains all the smart contracts you will be auditing, excluding:

  • mocks
  • libraries/external
  • interfaces/external

Two solady contracts developed by Vectorized have been included in the audit as we are huge advocates for highly optimized versions of common contract formats and would like to see these fully audited. This means the partial FixedPointMathLib contract, and ERC4626 contracts inside the library folder are intentionally included, and are considered in scope.

Fileblankcommentcode
Architecture
./architecture/CentralRegistry.sol226444607
./architecture/FeeAccumulator.sol122202536
./architecture/ProtocolMessagingHub.sol73142353
./architecture/blastNative/BlastNativeYieldManager.sol82132292
./architecture/utils/SimpleRewardZapper.sol86157240
./architecture/FeeTokenBridgingHub.sol3641166
./architecture/CVELocker.sol87225360
./architecture/OneBalanceFeeManager.sol3436103
./architecture/CurvanceDAOTimelock.sol141452
./architecture/blastNative/BlastCentralRegistry.sol284483
./architecture/blastNative/BlastFeeAccumulator.sol5212
./architecture/utils/blastNative/BlastSimpleRewardZapper.sol5212
./architecture/blastNative/BlastProtocolMessagingHub.sol5210
./architecture/blastNative/BlastCVELocker.sol529
Gauge
./gauge/GaugePool.sol102197425
./gauge/GaugeController.sol3249116
./gauge/GaugeErrors.sol1112
./gauge/blastNative/BlastGaugePool.sol5210
Interfaces
./interfaces/market/IMarketManager.sol2511690
./interfaces/ICentralRegistry.sol486378
./interfaces/market/IMToken.sol2510253
./interfaces/IVeCVE.sol113936
./interfaces/ICVELocker.sol146531
./interfaces/market/IInterestRateModel.sol13230
./interfaces/IProtocolMessagingHub.sol73426
./interfaces/IERC20.sol143225
./interfaces/IGaugePool.sol52725
./interfaces/IOracleRouter.sol74525
./interfaces/blast/IBlastNativeYieldManager.sol12722
./interfaces/market/IPositionFolding.sol22215
./interfaces/IOracleAdaptor.sol31714
./interfaces/IRewardStaking.sol11114
./interfaces/IFeeAccumulator.sol2412
./interfaces/ICVXLocker.sol3410
./interfaces/IGelatoOneBalance.sol219
./interfaces/ICVE.sol5218
./interfaces/IExternalCallDataChecker.sol278
./interfaces/IERC20Metadata.sol557
./interfaces/IDelegateRegistry.sol316
./interfaces/IWETH.sol215
./interfaces/blast/IBlastCentralRegistry.sol215
./interfaces/IERC165.sol1184
./interfaces/ITimelock.sol134
Libraries
./libraries/ERC4626.sol51260216
./libraries/VelodromeLib.sol3769199
./libraries/CurveLib.sol2235123
./libraries/BalancerLib.sol1530104
./libraries/SwapperLib.sol2749104
./libraries/Delegable.sol235566
./libraries/FixedPointMathLib.sol238393
./libraries/Bytes32Helper.sol131931
./libraries/ReentrancyGuard.sol72127
./libraries/BlastYieldDelegable.sol71223
./libraries/CommonLib.sol5815
./libraries/Constants.sol777
Market
./market/MarketManager.sol207587926
./market/collateral/DToken.sol192507731
./market/utils/ComplexZapper.sol73289478
./market/collateral/CTokenBase.sol103389459
./market/LiquidityManager.sol60268445
./market/DynamicInterestRateModel.sol85408444
./market/collateral/CTokenCompounding.sol96274398
./market/utils/PositionFolding.sol85203361
./market/collateral/AuraCToken.sol6180217
./market/collateral/GMCToken.sol6567205
./market/utils/SimpleZapper.sol5098202
./market/collateral/Convex2PoolCToken.sol6272189
./market/collateral/Convex3PoolCToken.sol6272189
./market/collateral/CTokenPrimitive.sol48130186
./market/collateral/PendleLPCToken.sol4862182
./market/checker/CallDataCheckerFor1Inch.sol2710164
./market/collateral/AerodromeStableCToken.sol4464156
./market/collateral/VelodromeStableCToken.sol4463156
./market/collateral/AerodromeVolatileCToken.sol4263153
./market/collateral/VelodromeVolatileCToken.sol4454153
./market/collateral/StakedGMXCToken.sol3738100
./market/checker/CallDataCheckerBase.sol203475
./market/collateral/CTokenCompoundingWithExitFee.sol235747
./market/collateral/blastNative/BlastCTokenCompounding.sol131541
./market/utils/BorrowZapper.sol151749
./market/collateral/blastNative/BlastDToken.sol5216
./market/utils/blastNative/BlastComplexZapper.sol5214
./market/utils/blastNative/BlastSimpleZapper.sol5214
./market/blastNative/BlastMarketManager.sol5212
./market/utils/blastNative/BlastPositionFolding.sol5212
./market/utils/blastNative/BlastBorrowZapper.sol5210
Misc
./misc/CVEInitialDistribution.sol4968196
./misc/CurvanceDAOLBP.sol5666189
Oracles
./oracles/OracleRouter.sol133374497
./oracles/adaptors/curve/Curve2PoolLPAdaptor.sol59124234
./oracles/adaptors/gmx/GMAdaptor.sol5673173
./oracles/adaptors/chainlink/ChainlinkAdaptor.sol50100165
./oracles/adaptors/uniswap/UniswapV3Adaptor.sol4870155
./oracles/adaptors/api3/Api3Adaptor.sol4787142
./oracles/adaptors/redstone/BaseRedstoneCoreAdaptor.sol4495132
./oracles/adaptors/uniV2Base/BaseStableLPAdaptor.sol3379127
./oracles/adaptors/balancer/BalancerStablePoolAdaptor.sol4260123
./oracles/adaptors/pendle/PendlePrincipalTokenAdaptor.sol4262119
./oracles/adaptors/pendle/PendleLPTokenAdaptor.sol4163118
./oracles/adaptors/uniV2Base/BaseVolatileLPAdaptor.sol327199
./oracles/adaptors/wrappedAggregators/BaseWrappedAggregator.sol223288
./oracles/adaptors/curve/CurveBaseAdaptor.sol242966
./oracles/adaptors/redstone/ArbitrumRedstoneCoreAdaptor.sol121120
./oracles/adaptors/redstone/EthereumRedstoneCoreAdaptor.sol121120
./oracles/adaptors/wrappedAggregators/SavingsDaiAggregator.sol6725
./oracles/adaptors/wrappedAggregators/StakedFraxAggregator.sol7724
./oracles/adaptors/wrappedAggregators/WstETHAggregator.sol7624
./oracles/adaptors/velodrome/VelodromeVolatileLPAdaptor.sol151540
./oracles/adaptors/camelot/CamelotStableLPAdaptor.sol151536
./oracles/adaptors/camelot/CamelotVolatileLPAdaptor.sol151536
./oracles/adaptors/velodrome/VelodromeStableLPAdaptor.sol151536
./oracles/adaptors/balancer/BalancerBaseAdaptor.sol154629
./oracles/adaptors/BaseOracleAdaptor.sol193040
Token
./token/VeCVE.sol191471784
./token/OCVE.sol5557184
./token/CVE.sol5381156
./token/ChildCVE.sol273986
./token/blastNative/BlastCVE.sol528
./token/blastNative/BlastVeCVE.sol528
SUM:4333936316120

Out of scope

Out of scope automated findings generated by LightChaserV3

Build Instructions

The project readme details the build instructions.

Basic Proof Of Concept test

From the CANTINA_README:

### Tests
Attached in this repo you will find just over 1,000 tests in categories such as unit tests/integration tests/stateless fuzzing tests. Additionally, you will also find a substantial stateful fuzzing testing harness with just over 200 invariants tests. This was built in collaboration with Trail of Bits and covers VeCVE and most of the Curvance Money Markets. You can also find an attached readme in the fuzzing suite folder covering running the harness locally or in the cloud. Other tests can be ran simply via forge tests. Additional information on running the test suite can be found in the repo readme.

### Proof of Concepts
As part of the test suite inside Curvance, you will find many testing base contracts that set up Curvance and test various functionality. These are perfect to utilize when you want to work on a proof on concept for a bug. Feel free to mess around with test suite and to modify the testing deployments for whichever scenarios you would like to explore.

Contact Us

For any issues or concerns regarding this competition, please reach out to core-team on discord.

Summary

Status

Judging

Total reward:

$375,000 USDC

Start date:

27 Feb 2024 1:45am (local time)

End date:

15 Apr 2024 8:00pm (local time)

The first marketplace for web3 security. We've aggregated the security talent and solutions so you don't have to.

Services

CompetitionsReviewsBountiesGuilds

© 2024 Cantina. All rights reserved.