OpportunitiesLeaderboardAbout Cantina
Mystic Finance / mystic-monorepo

Mystic Finance / mystic-monorepo

Overview

The Mystic Finance making a environment dedicated to RWA-backed lending which takes RWA's different characteristics into account and not only supports them, but leverages them to their full potential.

Prize distribution and scoring

  • Public Prize Pool: $ 13,000

  • Additional pay for dedicated Cantina researcher: $2,000

  • Scoring described in the competition scoring page.

  • Findings Severities described in detail on our docs page.

Documentation

1. Mystic Leverage:

Overview

  • The Mystic Leverage System extends Morpho’s Bundler3 multicall framework to enable atomic leveraged positions using flash loans and DEX swaps. All operations (open, close, adjust) occur in a single bundled transaction, enforcing safety checks (max leverage, price deviation, health factor) before finalizing.
    GitHub

Core Contracts & Code Highlights:

  • MysticLeverageBundler.sol:

    • Entrypoint: createOpenLeverageBundle orchestrates flash loan borrows, token swaps via Maverick DEX, and collateral adjustments. Tracks per-user positions and total exposure.

  • MorphoLeverageBundler.sol:

    • Entrypoint: createOpenLeverageBundle orchestrates flash loan borrows, token swaps via Maverick DEX, and collateral adjustments. Tracks per-user positions and total exposure for morpho markets.

  • MysticAdapter.sol

    • Abstracts Aave V3 fork lending operations: supply(), withdraw(), borrow(), repay(), and flash loan callbacks. Provides price and liquidity oracles, plus account health queries.

  • MaverickAdapter.sol

    • Wraps Maverick DEX swaps, offering swapExactIn()/swapExactOut() with slippage guards. Auto-selects best liquidity pool.

    All calls routed through Bundler3’s transient initiator context for authorization

2. Aave V3 Deployment:

Overview:

  • This Hardhat project does the deployment of Aave V3 core and periphery contracts using hardhat-deploy.

Core Scripts & Configurations:

  • Deployment Scripts (deploy/00-core → 03-periphery_post)
    • 00-core: Deploys PoolAddressesProvider, lending pools, and auxiliary contracts.
    • 01-periphery_pre & 03-periphery_post: Deploy periphery modules like UiPoolDataProvider, Oracle, and stable/variable rate helpers.
    • 02-market: Configures new market parameters (e.g., collateral factors, assets) via markets/plume/index.ts

3. Staked Plume (Liquid Staking):

Overview:

  • A fork of Frax’s frxETH public repo, this module implements stPlume an wrapped stPlume, on top of a native staking minter. It includes validator management via an OperatorRegistry and an ERC4626-based vault (sfrxETH.sol). It is built to integrate with the Plume staking contracts

Core Contracts & Code Highlights:

  • stPlumeMinter.sol: Extends frxETHMinter to support unstaking and reward claiming workflows specific to Plume’s staking network.
  • OperatorRegistry.sol: On-chain registry of validator id.
  • sfrxETH.sol: ERC4626 vault wrapping stPlume; automatically compounds staking yield by increasing pricePerShare. Permit2 support for seamless integrations

Code walkthroughs:

Scope

  • Repository: bundler3

    • Total LOC: 846 LOC
    • Files:
      • src/calls/MysticLeverageBundler.sol
      • src/adapters/MysticAdapter.sol
      • src/calls/MorphoLeverageBundler.sol
      • src/adapters/MaverickAdapter.sol

  • Repository: Liquid-Staking

    • Total LOC: 677 LOC
    • Files:
      • stPlume/src/frxETHMinter.sol
      • stPlume/src/stPlumeMinter.sol
      • stPlume/src/OperatorRegistry.sol

  • Repository: aave-v3-deploy

    • Total LOC: 683 LOC
    • Files:
      • markets/plume/index.ts
      • tasks/misc/delist-new-tokens.ts
      • tasks/misc/list-new-tokens.ts

Build Instructions

For the solidity projects:
- forge build
- forge test --fork-url https://rpc.plume.com

For Hardhat project:
- npm run compile
- npm run test

POC Rule

  • Mandatory POC rule applies for this competition
    • aave-leverage-bundler/test/poc/poc.t.sol

Out of scope

  • Issues listed here: Liquid-Staking?tab=readme-ov-file#known-issues
  • Issues listed here: aave-fork-checklist
  • We treat leveraged asset pairs (e.g steth/eth) as if they maintain near-perfect price parity, so any risk arising from price divergence is considered out of scope
  • We’re operating under the premise that every role is fully trusted

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.

Summary

Status

Live

Total reward:

$13,000

Findings submitted:

51

Start date:

13 May 2025 12:00am (local time)

End date:

18 May 2025 8:00pm (local time)