Krystal DeFi Invitational

Automate and optimize your liquidity earnings on DEXes.

  • Start date: 21 Jun 2024
  • End date: 1 Jul 2024
  • Total awards: $20,000 in USDC
  • Duration: 10 days

Krystal DeFi audit details

This is a Private audit

This audit repo and its Discord channel are accessible to certified wardens only. Participation in private audits is bound by:

  1. Code4rena's Certified Contributor Terms and Conditions
  2. C4's Certified Contributor Code of Professional Conduct

All discussions regarding private audits should be considered private and confidential, unless otherwise indicated.

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here.

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

Overview

Krystal's smart contracts simplify the experience of managing liquidity on concentrated liquidity DEXs, such as
Uniswap V3 or Quickswap V3, by providing these features:

  • Zap In: Swap any token and add the resulting liquidity to the pool.
  • Adjust: Withdraw all liquidity from your current position, including unclaimed fees, and then re-add it to a new position.
  • Compound: Claim your unclaimed fees and automatically add them back to your current position.
  • Zap Out: Withdraw all liquidity and unclaimed fees from your position, then swap them to any token.

Users can use any of the features above in a single transaction. They can use these features manually through the
V3Utils smart contract, or allow Krystal to automate the process through the V3Automation smart contract.


Files in scope

See scope.txt

| File | Logic Contracts | Interfaces | nSLOC | Purpose | Libraries used |
| --- | --- | --- | --- | --- | --- |
| /src/Common.sol | 1 | 1 | 555 | Handles swap, manages liquidity and charges fees | v3-periphery/interfaces/external/IWETH9.sol, v3-periphery/interfaces/INonfungiblePositionManager.sol, @openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol, v3-core/libraries/FullMath.sol, @openzeppelin/contracts/access/AccessControl.sol, @openzeppelin/contracts/utils/structs/EnumerableSet.sol, @openzeppelin/contracts/security/Pausable.sol |
| /src/EIP712.sol | 1 | | 35 | | @openzeppelin/contracts/utils/cryptography/ECDSA.sol |
| /src/StructHash.sol | 1 | | 231 | | |
| /src/V3Automation.sol | 1 | | 142 | Executes users' orders | |
| /src/V3Utils.sol | 1 | | 174 | Helps users manage liquidity manually | @openzeppelin/contracts/token/ERC721/IERC721Receiver.sol |
| Totals | 5 | 1 | 1137 | | |

Files out of scope

See out_of_scope.txt

File
./script/Common.s.sol
./script/Init.s.sol
./script/StructHash.s.sol
./script/V3Automation.s.sol
./script/V3Utils.s.sol
./script/Verify.s.sol
./test/Helper.t.sol
./test/IntegrationTestBase.sol
./test/integration/Common.t.sol
./test/integration/V3Automation.t.sol
./test/integration/V3Utils.t.sol
Totals: 11

Scoping Q & A

General questions

| Question | Answer |
| --- | --- |
| ERC20 used by the protocol | Any |
| Test coverage | 84.43% (423/501 statements) |
| ERC721 used by the protocol | ERC721 tokens minted through NonfungiblePositionManager (NFPM) on DEXes (Uniswap V3, QuickSwap V3) |
| ERC777 used by the protocol | None |
| ERC1155 used by the protocol | None |
| Chains the protocol will be deployed on | Ethereum, Arbitrum, Base, BSC, Optimism, Polygon |

ERC20 token behaviors in scope

External integrations (e.g., Uniswap) behavior in scope:

| Question | Answer |
| --- | --- |
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | Yes |
| Upgradeability (e.g. Uniswap gets upgraded) | No |

EIP compliance checklist

N/A

Additional context

Main invariants

N/A

Attack ideas (where to focus for bugs)

N/A

All trusted roles in the protocol

| Role | Description |
| --- | --- |
| Admin | Manage roles, set the maximum fees, pause/unpause contract operation, whitelist NFPM contracts, set fee taker address |
| Operator | Execute automatic orders for users |
| Withdrawer | Withdraw tokens (ERC-20, ERC-721) and native currency |

Describe any novel or unique curve logic or mathematical models implemented in the contracts:

N/A

Running tests

git clone https://github.com/code-423n4/2024-06-krystal-defi.git
cd 2024-06-krystal-defi
forge update # Install dependencies
cp sample.env .env
forge test --gas-report

To run code coverage

forge coverage

| File | % Lines | % Statements | % Branches | % Funcs |
| --- | --- | --- | --- | --- |
| src/Common.sol | 79.23% (164/207) | 82.75% (235/284) | 51.75% (59/114) | 79.31% (23/29) |
| src/EIP712.sol | 60.00% (3/5) | 75.00% (6/8) | 100.00% (0/0) | 75.00% (3/4) |
| src/StructHash.sol | 100.00% (16/16) | 100.00% (32/32) | 100.00% (0/0) | 100.00% (16/16) |
| src/V3Automation.sol | 82.26% (51/62) | 82.86% (58/70) | 55.26% (21/38) | 85.71% (6/7) |
| src/V3Utils.sol | 82.93% (68/82) | 85.98% (92/107) | 58.33% (28/48) | 100.00% (4/4) |
| Total | 81.18% (302/372) | 84.43% (423/501) | 54.00% (108/200) | 86.67% (52/60) |

Miscellaneous

Employees of Krystal and employees' family members are ineligible to participate in this audit.