Secure your crypto assets, such as ETH, WBTC, ARB, LINK, & PAXG tokenized gold, in smart contracts that you control and no one else, then effortlessly borrow stablecoins with 0% interest loans and no time limit to pay back.
Borrowers: users creating Smart Vaults, depositing their collateral, borrowing EUROs stablecoins against it
Smart Vault Manager: contract managing vault deployments, controls admin data which dictates behaviour of Smart Vaults e.g. fee rates, collateral rates, dependency addresses, managed by The Standard
Stakers: users adding TST and/or EUROs to the Liquidation Pool, in order to gain rewards from borrowing fees and vault liquidations
Liquidation Pool Manager: contract managing liquidations and distribution of borrowing fees in the pool
All contracts at commit 7c9f84772eacb588c00a2add9f46aa93211a7132
The live version of these contracts (deployed to Arbitrum One) has some key external dependencies:
As well as administrative dependencies managed by us:
For this test environment, collateral tokens have been replaced by a test ERC20 token. EUROs and TST have been replaced with mock versions. Chainlink feeds have been replaced by static price feeds. Uniswap swaps have been stubbed by a contract stub.
The administrative dependencies are managed by The Standard and are therefore not within the scope of this audit. They are replicated in the test environment.
Compatibilities:
Blockchains:
- Any EVM chains with live Chainlink data feeds and live Uniswap pools
Tokens:
- ETH
This project uses Hardhat.
To install the dependencies:
npm install
To run the test suite:
npx hardhat test
To start the default test environment, you can start a local Hardhat node:
npx hardhat node
And use the deploy script to build the environment on the running node:
npx hardhat run --network localhost scripts/deploy.js
You should see an output similar to:
SmartVaultManager: 0x...
LiquidationPoolManager: 0x...
LiquidationPool: 0x...
User 0x... has balance 9999.923234... ETH
User 0x... minted with 1000 test TST
User 0x... minted with 1000 test EUROs
User 0x... minted with 1000 test USDs
Use these addresses to interact with your locally deployed contracts.
SmartVaultManagerV5
- _safeMint is a reentrancy risk, however this is mitigated by the fact that the contract will try to mint the same token ID again, and reverting
- vaults function array length is unchecked going into for loop. An abuse of NFT minting by a user could prevent them from being able to use this vaults function
- mint function is dependent on our SmartVaultDeployer and SmartVaultIndex contracts, however we have the administrative control over setting these addresses
- MINTER_ROLE, BURNER_ROLE), giving these contracts strong permissions over the supply of EUROs, however this is a necessary key feature in our project, as users must be able to borrow through their vaults. As such the SmartVaultManager must also have an admin role in EUROs access control
- undercollateralised function reverts, it cannot be liquidated
- setWethAddress, setSwapRouter2, setNFTMetadataGenerator, setSmartVaultDeployer, setProtocolAddress, setLiquidatorAddress. However we have benefited from this. This can allow the blocking of certain Smart Vault features. e.g. we were previously able to block a vulnerability in the Smart Vault feature by setting the Swap Router to a zero address
SmartVaultV3
- mint
- tokenToEurAvg, tokenToEur, eurToToken functions, but this contract is managed by us, and uses Chainlink data feeds for reliable price data
- maxMintable function will revert if SmartVaultManager collateralRate is 0, but this value is controlled by us and should never be
- getAssetBalance function will revert if the token provided has an incorrect combination of symbol bytes array and token address, however this data is managed by our TokenManager contract
- protocol address to be a payable address. This address will be set to the LiquidationPoolManager, which has a receive function
- protocol to be able to access the ERC20s sent. LiquidationPoolManager uses the same TokenManager list to handle assets.
- liquidateERC20 is dependent on the token addresses provided by our TokenManager being correct
- mint function requires SmartVaultManager's HUNDRED_PC to not be 0, but the value is a constant
- swap is dependent on Uniswap V3 Swap Router. The address must be correct for this swap to be safely completed. This swap router address is controlled by our administrative SmartVaultManager contract
- minimumAmountOut can be set to 0 if there is no value required to keep collateral above required level. The user is likely to lose some value in the swap, especially when Uniswap fees are factored in, but this is at the user's discretion
- setOwner can change control of the vault, but this can only be completed by the SmartVaultManager contract, and is only called when completing an NFT transfer
LiquidationPoolManager
- protocol address must be payable, and able to handle ERC20s transferred. This address will be set to our Protocol's treasury wallet.
LiquidationPool
- holders. This could cause a problem throughout contract if there are a high number of stakers
- getAcceptedTokens array length unchecked, but uses an administrative contract which is managed by us. Unlikely to be more than 5-10 items
- position function depends on getTstTotal not being 0. However, if current position has TST, then TSTtotal will never be 0
- distributeFees function requires an approval of EUROs beforehand, but LiquidationPoolManager approves the amount before calling the function
- distributeAssets function requires stakeTotal to be greater than 0, but this will always be the case if any _positionStake > 0
- collateralRate being greater than 0. This value is managed in our administrative SmartVaultManager contract, and the project is dependent on that value being correct
- LiquidationPool requires EUROs BURNER_ROLE permission, but this is an important function of the Liquidation Pool
Additional Issues
Rank | Username | |||||
1 | dimulski | $3873.46 | 344 | 3 (0) | 0 (0) | 2 |
2 | matej | $2817.95 | 325 | 3 (0) | 1 (0) | 2 |
3 | 0xCiphky | $2620.87 | 304 | 2 (0) | 3 (0) | 2 |
4 | p | $1818.37 | 220 | 2 (0) | 1 (0) | 0 |
5 | rvierdiiev | $1733.07 | 160 | 1 (0) | 3 (0) | 0 |
6 | t0x1c | $953.09 | 246 | 2 (0) | 1 (0) | 8 |
7 | Tricko | $725.12 | 198 | 1 (0) | 4 (0) | 1 |
8 | B | $340.32 | 25 | 0 (0) | 1 (0) | 2 |
9 | charlesCheerful | $340.12 | 103 | 1 (0) | 0 (0) | 1 |
10 | NentoR | $332.82 | 240 | 2 (0) | 2 (0) | 0 |
11 | l | $331.46 | 20 | 0 (0) | 1 (0) | 0 |
12 | Cosine | $311.46 | 332 | 2 (0) | 4 (0) | 2 |
13 | haxatron | $243.38 | 248 | 2 (0) | 2 (0) | 0 |
14 | greatlake | $227.01 | 192 | 1 (0) | 4 (0) | 2 |
15 | ElHaj | $176.89 | 140 | 1 (0) | 2 (0) | 0 |
16 | k | $161.25 | 40 | 0 (0) | 2 (0) | 0 |
17 | 0xspryon | $161.09 | 20 | 0 (0) | 1 (0) | 0 |
18 | 0xbtk | $154.98 | 105 | 1 (0) | 0 (0) | 2 |
19 | khramov | $133.24 | 160 | 1 (0) | 3 (0) | 0 |
20 | carlitox477 | $125.35 | 270 | 2 (0) | 3 (0) | 1 |
21 | carrotsmuggler | $124.07 | 165 | 1 (0) | 3 (0) | 2 |
22 | ptsanev | $109.41 | 202 | 2 (0) | 0 (0) | 1 |
23 | 0x6a70 | $101.92 | 50 | 0 (0) | 2 (0) | 1 |
24 | Aamirusmani1552 | $96.79 | 246 | 2 (0) | 2 (0) | 3 |
25 | 0xAraj | $94.76 | 162 | 1 (0) | 3 (0) | 1 |
26 | Tripathi | $90.99 | 160 | 1 (0) | 3 (0) | 0 |
27 | dyoff | $77.33 | 142 | 1 (0) | 2 (0) | 1 |
28 | EVDocPhantom | $76.44 | 142 | 1 (0) | 2 (0) | 1 |
29 | s | $66.43 | 242 | 2 (0) | 2 (0) | 1 |
30 | BjornBug | $59.99 | 40 | 0 (0) | 2 (0) | 0 |
31 | y4y | $58.79 | 120 | 1 (0) | 1 (0) | 0 |
32 | Greed | $58.79 | 120 | 1 (0) | 1 (0) | 0 |
33 | KrisRenZo | $58.76 | 122 | 1 (0) | 1 (0) | 1 |
34 | T | $58.76 | 22 | 0 (0) | 1 (0) | 1 |
35 | bbl4de | $58.72 | 120 | 1 (0) | 1 (0) | 0 |
36 | Alchmy0 | $58.72 | 20 | 0 (0) | 1 (0) | 0 |
37 | tutkata | $58.72 | 20 | 0 (0) | 1 (0) | 0 |
38 | 0xStriker | $58.72 | 20 | 0 (0) | 1 (0) | 0 |
39 | K | $58.72 | 20 | 0 (0) | 1 (0) | 0 |
40 | Kose | $46.22 | 48 | 0 (0) | 2 (0) | 0 |
41 | 0x996 | $46.20 | 4 | 0 (0) | 0 (0) | 2 |
42 | Phantomsands | $44.36 | 202 | 2 (0) | 0 (0) | 1 |
43 | 0xRizwan | $38.32 | 44 | 0 (0) | 2 (0) | 2 |
44 | Ciara and Gio | $35.93 | 224 | 2 (0) | 1 (0) | 2 |
45 | 0xrs | $35.58 | 264 | 2 (0) | 3 (0) | 2 |
46 | DarkTower | $35.54 | 162 | 1 (0) | 3 (0) | 1 |
47 | mojitoauditor | $34.03 | 122 | 1 (0) | 1 (0) | 1 |
48 | n | $33.08 | 111 | 1 (0) | 0 (0) | 5 |
49 | 00xSEV | $32.19 | 220 | 2 (0) | 1 (0) | 0 |
50 | stakog | $32.18 | 120 | 1 (0) | 1 (0) | 0 |
51 | neocrao | $32.18 | 120 | 1 (0) | 1 (0) | 0 |
52 | Bauer | $29.14 | 124 | 1 (0) | 1 (0) | 2 |
53 | asuiTouthang | $27.56 | 107 | 1 (0) | 0 (0) | 3 |
54 | I | $27.26 | 43 | 0 (0) | 2 (0) | 1 |
55 | spacelord47 | $25.91 | 203 | 2 (0) | 0 (0) | 1 |
56 | flacko | $22.15 | 4 | 0 (0) | 0 (0) | 2 |
57 | inzinko | $20.78 | 42 | 0 (0) | 2 (0) | 1 |
58 | alexbabits | $20.37 | 104 | 1 (0) | 0 (0) | 2 |
59 | 0xAsen | $19.97 | 242 | 2 (0) | 2 (0) | 1 |
60 | t | $19.88 | 42 | 0 (0) | 2 (0) | 1 |
61 | 0x9527 | $19.59 | 222 | 2 (0) | 1 (0) | 1 |
62 | nmirchev8 | $19.51 | 122 | 1 (0) | 1 (0) | 1 |
63 | eeshenggoh | $18.64 | 24 | 0 (0) | 1 (0) | 2 |
64 | MaslarovK | $18.52 | 102 | 1 (0) | 0 (0) | 1 |
65 | slvDev | $18.49 | 104 | 1 (0) | 0 (0) | 2 |
66 | 0 | $15.88 | 220 | 2 (0) | 1 (0) | 0 |
67 | d | $15.81 | 106 | 1 (0) | 0 (0) | 3 |
68 | JrNet | $15.80 | 120 | 1 (0) | 1 (0) | 0 |
69 | 0xmuxyz | $15.80 | 120 | 1 (0) | 1 (0) | 0 |
70 | 0xMAKEOUTHILL | $15.80 | 20 | 0 (0) | 1 (0) | 0 |
71 | SovaSlava | $14.40 | 124 | 1 (0) | 1 (0) | 2 |
72 | Daniel526 | $13.38 | 25 | 0 (0) | 1 (0) | 2 |
73 | ACai | $9.53 | 104 | 1 (0) | 0 (0) | 2 |
74 | ravikiranweb3 | $9.45 | 4 | 0 (0) | 0 (0) | 2 |
75 | favelanky | $9.42 | 102 | 1 (0) | 0 (0) | 1 |
76 | d | $9.41 | 2 | 0 (0) | 0 (0) | 1 |
77 | SAQ | $9.41 | 2 | 0 (0) | 0 (0) | 1 |
78 | djxploit | $6.55 | 24 | 0 (0) | 1 (0) | 2 |
79 | Auditism | $6.40 | 104 | 1 (0) | 0 (0) | 2 |
80 | Aitor | $6.36 | 102 | 1 (0) | 0 (0) | 1 |
81 | 0xSwahili | $6.35 | 2 | 0 (0) | 0 (0) | 1 |
82 | SaharAP | $6.35 | 2 | 0 (0) | 0 (0) | 1 |
83 | SolSaver | $6.35 | 2 | 0 (0) | 0 (0) | 1 |
84 | Bauchibred | $4.98 | 22 | 0 (0) | 1 (0) | 1 |
85 | PTolev | $3.48 | 244 | 2 (0) | 2 (0) | 2 |
86 | Cryptor | $3.40 | 44 | 0 (0) | 2 (0) | 2 |
87 | georgishishkov | $2.00 | 202 | 2 (0) | 0 (0) | 1 |
88 | thankyou | $2.00 | 102 | 1 (0) | 0 (0) | 1 |
89 | mahdiRostami | $1.95 | 148 | 1 (0) | 2 (0) | 0 |
90 | emrekocak | $1.93 | 102 | 1 (0) | 0 (0) | 1 |
91 | FalconHoof | $1.93 | 102 | 1 (0) | 0 (0) | 1 |
92 | ke1caM | $1.56 | 242 | 2 (0) | 2 (0) | 1 |
93 | iamandreiski | $1.51 | 140 | 1 (0) | 2 (0) | 0 |
94 | ni8mare | $1.48 | 42 | 0 (0) | 2 (0) | 1 |
95 | Timenov | $1.44 | 140 | 1 (0) | 2 (0) | 0 |
96 | mylifechangefast | $1.44 | 40 | 0 (0) | 2 (0) | 0 |
97 | ZanyBonzy | $1.44 | 40 | 0 (0) | 2 (0) | 0 |
98 | smbv1923 | $1.44 | 40 | 0 (0) | 2 (0) | 0 |
99 | Jeffauditor | $1.44 | 40 | 0 (0) | 2 (0) | 0 |
100 | ro1sharkm | $1.44 | 40 | 0 (0) | 2 (0) | 0 |