Gondi Invitational
Gondi is a decentralized non-custodial NFT lending protocol engineered to enable the most capital efficient loan primitive and credit market for NFTs.
- Start date: 8 Apr 2024
- End date: 16 Apr 2024
- Total awards: $74,600 in USDC
- Duration: 8 days
- Details
Gondi Invitational audit details
- Total Prize Pool: $74,600 in USDC
- HM awards: $45,400 in USDC
- Analysis awards: $2,500 in USDC
- QA awards: $1,300 in USDC
- Gas awards: $1,300 in USDC
- Judge awards: $10,460 in USDC
- Scout awards: $500 in USDC
- Mitigation Review: $13,140 in USDC (Opportunity goes to top 3 backstage wardens based on placement in this audit who RSVP.)
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts April 8, 2024 20:00 UTC
- Ends April 16, 2024 20:00 UTC
This is a Private audit
This audit repo and its Discord channel are accessible to certified wardens only. Participation in private audits is bound by:
- Code4rena's Certified Contributor Terms and Conditions
- C4's Certified Contributor Code of Professional Conduct
All discussions regarding private audits should be considered private and confidential, unless otherwise indicated.
Automated Findings / Publicly Known Issues
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
If the owner of the Pool or the PoolUnderwriter is compromised, pools could be drained by setting underwriting terms that accept worthless NFTs as collateral.
The security of those wallets is handled in a separate layer (multisig / Governor contract) and is out of scope for this audit.
Overview
Gondi is a decentralized non-custodial NFT lending protocol that offers a flexible and capital-efficient lending primitive.
Gondi loans allow borrowers to access liquidity at the best available marginal rate, and allow lenders to earn yield on their capital while entering and exiting their positions at any moment without affecting borrowers' loans.
Gondi V3 loan offers are submitted both from protocol pools and from peer market participants, creating deep liquidity and precise risk pricing.
Links
- Documentation: https://app.gitbook.com/invite/4HJV0LcOOnJ7AVJ77p8e/KW6r5CM24fuLQn0gSSXQ
- Previous audits: https://app.gitbook.com/o/4HJV0LcOOnJ7AVJ77p8e/s/W2WSJrV6PSLWo4p8vIGq/security-and-audits
- Website: https://www.gondi.xyz/
- X/Twitter: https://twitter.com/gondixyz
- Discord: https://discord.gg/HJc7zpTT
Scope
See scope.txt
Files in scope
File | Logic Contracts | Lines | nLines | SLOC |
---|---|---|---|---|
/src/lib/AddressManager.sol | 1 | 100 | 100 | 61 |
/src/lib/AuctionLoanLiquidator.sol | 1 | 336 | 321 | 241 |
/src/lib/AuctionWithBuyoutLoanLiquidator.sol | 1 | 133 | 124 | 93 |
/src/lib/InputChecker.sol | 1 | 15 | 15 | 9 |
/src/lib/LiquidationDistributor.sol | 1 | 123 | 111 | 106 |
/src/lib/LiquidationHandler.sol | 1 | 115 | 112 | 77 |
/src/lib/Multicall.sol | 1 | 22 | 22 | 15 |
/src/lib/UserVault.sol | 1 | 376 | 355 | 271 |
/src/lib/callbacks/CallbackHandler.sol | 1 | 84 | 75 | 53 |
/src/lib/callbacks/PurchaseBundler.sol | 1 | 320 | 308 | 247 |
/src/lib/loans/BaseLoan.sol | 1 | 216 | 216 | 117 |
/src/lib/loans/BaseLoanHelpers.sol | 1 | 39 | 23 | 25 |
/src/lib/loans/LoanManager.sol | 1 | 161 | 136 | 105 |
/src/lib/loans/LoanManagerRegistry.sol | 1 | 31 | 31 | 20 |
/src/lib/loans/MultiSourceLoan.sol | 1 | 1155 | 1058 | 864 |
/src/lib/loans/WithLoanManagers.sol | 1 | 29 | 29 | 19 |
/src/lib/pools/AaveUsdcBaseInterestAllocator.sol | 1 | 105 | 105 | 75 |
/src/lib/pools/FeeManager.sol | 1 | 79 | 79 | 51 |
/src/lib/pools/LidoEthBaseInterestAllocator.sol | 1 | 173 | 173 | 134 |
/src/lib/pools/Pool.sol | 1 | 766 | 731 | 507 |
/src/lib/pools/PoolOfferHandler.sol | 1 | 170 | 155 | 114 |
/src/lib/pools/WithdrawalQueue.sol | 1 | 145 | 145 | 82 |
/src/lib/utils/BytesLib.sol | 1 | 95 | 95 | 50 |
/src/lib/utils/Hash.sol | 1 | 200 | 196 | 169 |
/src/lib/utils/Interest.sol | 1 | 39 | 39 | 30 |
/src/lib/utils/TwoStepOwned.sol | 1 | 48 | 48 | 31 |
/src/lib/utils/ValidatorHelpers.sol | 1 | 82 | 79 | 49 |
/src/lib/utils/WithProtocolFee.sol | 1 | 86 | 86 | 54 |
Totals | 28 | 5243 | 4967 | 3669 |
Files out of scope
See out_of_scope.txt
Scoping Q & A
General questions
Question | Answer |
---|---|
ERC20 used by the protocol | USDC / WETH |
Test coverage | 77.11% |
ERC721 used by the protocol | 🖊️ |
Chains the protocol will be deployed on | Ethereum |
ERC20 token behaviors in scope
External integrations (e.g., Uniswap) behavior in scope
Question | Answer |
---|---|
Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
Pausability (e.g. Uniswap pool gets paused) | No |
Upgradeability (e.g. Uniswap gets upgraded) | No |
Additional context
Main invariants
- While a loan is outstanding, MultiSourceLoan must own the collateral.
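The invariant above is the property a warden would want to fuzz rather than eyeball. The following is an added example, not code from Gondi or from this repo: a Foundry invariant-test skeleton in which a handler opens and repays loans while the invariant asserts that the collateral of every still-open pledge is owned by the loan contract. `IMultiSourceLoanLike` and its `openLoan`/`repayLoan` functions, the `MSL` environment variable, `MockNFT`, and the OpenZeppelin remapping path are all assumptions; the real MultiSourceLoan entry points (which take signed offer and execution data) must be substituted from `src/lib/loans/MultiSourceLoan.sol` before the harness is meaningful.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Gondi's code: a Foundry invariant-test skeleton for
// "while a loan is outstanding, MultiSourceLoan must own the collateral".
// Assumptions: forge-std and OpenZeppelin resolve under the usual remappings,
// the MultiSourceLoan under test is supplied via the MSL env var, and
// IMultiSourceLoanLike is a hypothetical stand-in for the real entry points
// (the real contract takes signed offer/execution data; adapt the handler).
import {Test} from "forge-std/Test.sol";
import {StdUtils} from "forge-std/StdUtils.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

interface IMultiSourceLoanLike {
    function openLoan(address nft, uint256 tokenId) external returns (uint256 loanId); // hypothetical
    function repayLoan(uint256 loanId) external;                                         // hypothetical
}

// Constructed collateral collection for the test; ids 1..10 are minted to the handler.
contract MockNFT is ERC721 {
    constructor() ERC721("Mock", "MCK") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

// The fuzzer drives this handler; it records exactly which collateral is still pledged.
contract LoanHandler is StdUtils {
    IMultiSourceLoanLike public immutable loan;
    MockNFT public immutable nft;

    struct Pledge { uint256 loanId; uint256 tokenId; bool open; }
    Pledge[] public pledges;

    constructor(IMultiSourceLoanLike _loan, MockNFT _nft) { loan = _loan; nft = _nft; }

    function open(uint256 tokenId) external {
        tokenId = bound(tokenId, 1, 10);
        if (nft.ownerOf(tokenId) != address(this)) return; // already pledged
        nft.approve(address(loan), tokenId);
        uint256 id = loan.openLoan(address(nft), tokenId);
        pledges.push(Pledge(id, tokenId, true));
    }

    function repay(uint256 idx) external {
        if (pledges.length == 0) return;
        idx = bound(idx, 0, pledges.length - 1);
        Pledge storage p = pledges[idx];
        if (!p.open) return;
        loan.repayLoan(p.loanId);
        p.open = false; // collateral is expected back with the borrower (this handler)
    }

    function pledgeCount() external view returns (uint256) { return pledges.length; }
}

contract CollateralCustodyInvariant is Test {
    IMultiSourceLoanLike loan;
    MockNFT nft;
    LoanHandler handler;

    function setUp() public {
        loan = IMultiSourceLoanLike(vm.envAddress("MSL")); // deployed MultiSourceLoan (assumed)
        nft = new MockNFT();
        handler = new LoanHandler(loan, nft);
        for (uint256 i = 1; i <= 10; i++) nft.mint(address(handler), i);
        targetContract(address(handler)); // fuzz only open()/repay()
    }

    // Fails the run on the first state in which pledged collateral has left MultiSourceLoan.
    function invariant_loanContractHoldsOutstandingCollateral() public {
        uint256 n = handler.pledgeCount();
        for (uint256 i = 0; i < n; i++) {
            (, uint256 tokenId, bool open) = handler.pledges(i);
            if (open) {
                assertEq(nft.ownerOf(tokenId), address(loan), "collateral left custody while loan outstanding");
            }
        }
    }
}
```

Run it with `MSL=<address> forge test --match-contract CollateralCustodyInvariant`. The handler, not the invariant, is the place to add the protocol's other collateral-moving paths (liquidation, refinance, the PurchaseBundler callbacks); any path that can move an open pledge's token away from the loan contract should trip the assertion.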
Attack ideas (where to focus for bugs)
- Security of collateral in MultiSourceLoan.
- Pool accounting and potential exploits.
All trusted roles in the protocol
Role | Description |
---|---|
Owner of Pool | This will be a Governor contract that will update the PoolUnderwriter/base rate strategy. |
Running tests
git clone --recurse-submodules https://github.com/code-423n4/2024-04-gondi
cd 2024-04-gondi
git submodule update --init --recursive
forge test
To run code coverage
forge coverage --ir-minimum
To run gas benchmarks
forge test --gas-report
To run Slither (See slither.txt)
slither .
Gas report: See gas-report.txt
Test coverage: 77.11% (see the Scoping Q & A above)
Miscellaneous
Employees for Gondi and employees' family members are ineligible to participate in this audit.