Basin audit details

• Total Prize Pool: $7,750 in USDC
  • HM awards: $5,510 in USDC
  • QA awards: $240 in USDC
  • Judge awards: $1,500 in USDC
  • Scout awards: $500 in USDC
• Read our guidelines for more details
• Starts August 23, 2024 20:00 UTC
• Ends August 27, 2024 20:00 UTC

This is a Private audit

This audit repo and its Discord channel are accessible to certified wardens only. Participation in private audits is bound by:

1. Code4rena's Certified Contributor Terms and Conditions
2. Code4rena's Certified Contributor Code of Professional Conduct

All discussions regarding private audits should be considered private and confidential unless otherwise indicated.

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here.

All findings in the following audit reports:

• 06/16/23: Basin Halborn Report @ e5441fc
• 06/16/23: Basin Cyfrin Report @ e5441fc
• 10/05/23: Basin Code4rena Report @ 7e51c02
• All bug reports from the Immunefi program are listed here.

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

Basin

Code Version: 1.0.0
Whitepaper Version: 1.0.0

Multi Flow

The Multi Flow Pump implementation is also included in this repository at MultiFlowPump.sol.

Code Version: 1.0.0
Whitepaper Version: 1.0.0

About

Basin is a composable EVM-native decentralized exchange protocol.

• Audits
• Documentation
  • Motivation
• License

Audits

• Cyfrin Basin Audit
• Halborn Basin Audit

Documentation

• Basin Whitepaper
• Multi Flow Whitepaper
• Basin Docs

A {Well} is a constant function AMM that allows the provisioning of liquidity into a single pooled on-chain liquidity position.

Each Well is defined by its Tokens, Well function, and Pump.

• The Tokens define the set of ERC-20 tokens that can be exchanged in the Well.
• The Well function defines an invariant relationship between the Well's reserves and the supply of LP tokens. See {IWellFunction}.
• Pumps are on-chain oracles that are updated upon each interaction with the Well. See {IPump}.

A Well's tokens, Well function, and Pump are stored as immutable variables during Well construction to prevent unnecessary SLOAD calls during operation.

Wells support swapping, adding liquidity, and removing liquidity in balanced or imbalanced proportions.

Wells maintain two components of state:

• a balance of tokens received through Well operations ("reserves")
• an ERC-20 LP token representing pro-rata ownership of the reserves

Well functions and Pumps can independently choose to be stateful or stateless.

Including a Pump is optional.

Each Well implements ERC-20, ERC-2612 and the {IWell} interface.

Motivation

Allowing composability of the pricing function and oracle at the Well level is a deliberate design decision with significant implications.

In particular, a standard AMM interface invoking composable components allows for developers to iterate upon the underlying pricing functions and oracles, which greatly impacts gas and capital efficiency.

However, this architecture shifts much of the attack surface area to the Well's components. Users of Wells should be aware that anyone can deploy a Well with malicious components, and that new Wells SHOULD NOT be trusted without careful review. This understanding is particularly important in the DeFi context in which Well data may be consumed via on-chain registries or off-chain indexing systems.

The Wells architecture aims to outline a simple interface for composable AMMs and leave the process of evaluating a given Well's trustworthiness as the responsibility of the user. To this end, future work may focus on development of on-chain Well registries and factories which create or highlight Wells composed of known components.

An example factory implementation is provided in {Aquifer} without any opinion regarding the trustworthiness of Well functions and the Pumps using it. Wells are not required to be deployed via this mechanism.

License

MIT

Links

• Previous audits: All can be found here
• Documentation: https://docs.basin.exchange/
• Website: https://basin.exchange
• X/Twitter: https://twitter.com/basinexchange
• Discord: https://basin.exchange/discord

---

Scope

See scope.txt

ℹ️ All of the contracts below were audited in Basin's July audit. Here is a commit highlighting the changes.

Files in scope

Files out of scope

See out_of_scope.txt

Scoping Q & A

General questions

ERC20 token behaviors in scope

External integrations (e.g., Uniswap) behavior in scope:

EIP compliance checklist

• None

Additional context

Main invariants

• None

Attack ideas (where to focus for bugs)

• None

All trusted roles in the protocol

• N/A

Describe any novel or unique curve logic or mathematical models implemented in the contracts:

• With regard to the Stable 2 Well Function, a lookup table is used to assist the Newtonian estimation to decrease the computation needed to converge to an answer. See inline comments.

Running tests

Setup the repo and requirements:

git clone https://github.com/code-423n4/2024-08-basin.git
cd 2024-07-basin
git submodule update --init --recursive
foundryup
forge install

Setup Python environment and perform the tests (Make sure your MAINNET_RPC_URL is set in .env file):

python3 -m venv env 
source env/bin/activate 
python3 -m pip install -r requirements.txt
forge test --ffi

To run code coverage:

forge  coverage --ffi

Miscellaneous

Employees of Beanstalk Farms contributors and employees' family members are ineligible to participate in this audit.