
Releases: ajna-finance/ajna-core

v10 RC9

07 Jan 19:50
2d6bbcb

v0.10.0 Release Candidate 9

Audit Fixes and Bug Resolutions

  • Dmitri 1 and 2, Sherlock 018-H, Certora Crit-01 (Reserves): Issue with reserves being pumped by borrower fees exceeding kicker fees, potentially drained by liquidating a barely-collateralized loan and manipulating LUP. (#962 #1008)
  • Certora Crit-01 (Reserves): Potential for an attacker to manipulate liquidity, drawing debt far above fair market value and impacting lender interests and reserve fees. (#962 #1008)
  • Kirill M-05 (Pools): Manipulation of book with collateral to avoid unutilized deposit fee, leading to universal deposit fee implementation. (#983)
  • Sherlock 006-M (Pools): First pool borrower facing extra interest, necessitating adjustments in interest calculations. (#968)
  • Sherlock 007-M (Pools): Unsafe truncation casting used for state variables, highlighting need for safe casting methods. (#967)
  • Sherlock 001-M (Pools): Incorrect use of auctionPrice in BPF calculations affecting bond rewards and penalties. (#970)
  • Dmitri 9, Sherlock 001-M (Pools): Borrowers exploiting high price takes to avoid penalties and impact kicker liquidation bonds. (#973 #997)
  • Kirill M-02 (Pools): Difficulty in kicking loans with TP below MIN_PRICE, leading to proposal for new loan management criteria. (#973)
  • Sherlock 016-H (Pools): Artificial amplification of kicker rewards through batched takes, requiring structural adjustments. (#976)
  • Sherlock 005-M (Pools): Risks of HPB bankruptcy due to unscaled values in debt forgiveness processes. (#971)
  • Kirill M-07 (Pools): Debate over the ability to kick a CRA with unsettled liquidations, contingent on reserve mechanism decisions. (#977)
  • Kirill L-08 (Pools): Reserve auction kick conditions not aligning with intended documentation or functionality. (#974)
  • Sherlock 009-M (Pools): lenderKick function incorrectly setting LUP, affecting interest calculations against hypothetical values. (#972 0b3305d)
  • Prototech 55 (Pools): Concerns about interest accrual potentially overflowing and impacting pool stability. (#954)
  • Kirill L-01 (Pools): Inconsistencies in dust checks for quote tokens, raising questions about user responsibility in token management. (#980)
  • Kirill L-05 (Pools): Presence of redundant or unused variables and parameters, prompting a need for code cleanup. (#967)

Improvements

  • Pools: Cleaned up event logging for take in ERC721 pools
  • Pools: Decreased time in between auctions
  • Pools: Removed revertBelowLup argument for moveLiquidity, addQuoteToken
  • Pools: addQuoteToken cannot be called on a bucket whose price exceeds that of the oldest auction
  • Pools: DepositFee now applies to all buckets and charges 8 hours of interest
  • Pools: thresholdPrice is now calculated with 1.04 collateralization factor
  • Pools: Altered auction price function to match WP
  • Pools: Once kicked, borrowers can no longer be removed from auction
  • Rewards: RewardsManager.sol has been removed
  • Invariant: Decoupled RewardsManager invariants from PositionManager as RewardsManager was removed

v10 RC8

13 Oct 15:11
dc49848

v0.10.0 Release Candidate 8

Audit fixes

Fixed Point Solutions & Servo Farms

Bug fixes

  • Bug Fix (Pools): Likelihood of bad debt due to the liquidation bond
  • Bug Fix (Pools): Manipulation of the Neutral Price and the Auction Reference Price through the MOMP

Immunefi Bug Fixes

  • Immunefi Bug Fix (Pools): Borrower Grief via liquidations

Improvements

  • Base64 encode svg image string
  • Added Pool info utils multicall to reduce stress on SDK
  • Updated licensing for L2s
  • Invariant testing improvements
  • Add returns for take and repayDebt
  • Remove multicall from position manager
  • New auction timings (3 half lives instead of 1)
  • Removal of incentives for reserves auction kick

Full changelog: v0.10.0-rc7...v0.10.0-rc8

v10 RC7

13 Oct 08:51
a255759

v0.10.0 Release Candidate 7

Bug fixes

  • Bug Fix (Rewards): rewardsClaimed and updateRewardsClaimed are now recorded per pool per epoch.

Improvements

  • Invariant: multiple pool support in positionManager and rewardsManager
  • Invariant: actors can have multiple NFT positions and transfer positions
  • Invariant: added position randomization

Full changelog: v0.10.0-rc6...v0.10.0-rc7

v10 RC6

13 Jul 05:43
febd576

v0.10.0 Release Candidate 6

Audit fixes

Sherlock 2nd contest

  • SHERLOCK-111 (Pool): Wrong Inflator used in calculating HTP to determine accrualIndex (#916)
  • SHERLOCK-110 (Pool): Debt write off can be prohibited by HPB depositor by continuously allocating settlement blocking dust deposits in the higher buckets (#909 #919)
  • SHERLOCK-107, 86, 82, 113 (Pool): redesign kickWithDeposit functionality (#894)
  • SHERLOCK-106 (Pool): Settlement can be called when auction period isn't concluded, allowing HPB depositors to game bad debt settlements (#902)
  • SHERLOCK-104 (Pool): Mathematical Discrepancies in equations used for calculating Interest Rates (#903)
  • SHERLOCK-88 (Pool): LenderActions's moveQuoteToken can create a total debt undercoverage (#901)
  • SHERLOCK-87, 84 (Pool): moveQuoteToken updates pool state using intermediary LUP, biasing pool's interest rate calculations (#891)
  • SHERLOCK-85 (Pool): Limit index isn't checked in repayDebt, so user control is void (#914)
  • SHERLOCK-72 (Pool): Lenders lose interests and pay deposit fees due to no slippage control (#918)
  • SHERLOCK-31 (PositionManager): PositionManager & PermitERC721 do not comply with EIP-4494 (#907)

Bug fixes

  • Bug fix (Pool): t0DebtInAuction accumulator becomes outdated if quote token amount calculated to repay is rounded down to 0
  • Bug fix (Pool): use better precision (mulDiv) when calculating quote tokens in _calculateTakeFlowsAndBondChange in order to avoid discrepancies of exchange rate when collateral token has lower precision than quote token

Improvements

  • Revert position NFT transfer lock (which breaks automation / 3rd party integrations) (#875)
  • Readable order of operations (#917)

Full changelog: v0.10.0-rc5...v0.10.0-rc6

v10 RC5 Sherlock 2

03 Jun 17:19
b301603

v0.10.0 Release Candidate 5

Audit fixes

PROTOTECH

CODEARENA

Bug fixes

  • Bug Fix (Pool): auction bonds and reserves auctioned are not guaranteed by the pool balance
  • Bug Fix (Pool): kicked reserves should not use guaranteed funds (kicked reserves + auction bond escrowed)
  • Bug Fix (Pool): kick fails on calculating bonds for unsettled auctions with 0 collateral and bad debt
  • Bug Fix (Pool): rounding invariant failures in kickWithDeposit

Improvements

  • ERC721PoolFactory: Change tokenIdsAllowed to return true if non-subset pool
  • Update solc to 0.8.18
  • PROTOTECH-31 (PositionManager): ERC721 is inherited multiple times in PositionManager (Fixed-Point-Solutions/prototech-ajna-audit#31)
  • RewardsManager: Loss of rewards due to underfunded contract
  • PROTOTECH-34: Informational Non-security Code Changes/Recommendations (Fixed-Point-Solutions/prototech-ajna-audit#34)
  • PROTOTECH-59: consider declaring RAY constant directly (Fixed-Point-Solutions/prototech-ajna-audit#59)
  • Pool factories: Simplify Collection Pool Deployment
  • Update params in Position manager external functions from struct params to distinct params inputs
  • Various gas improvements

Full changelog: v0.10.0-rc4...v0.10.0-rc5

v10 RC4 Prototech labs

24 Apr 05:51
a5e00c2

v0.10.0 Release Candidate 4

Audit fixes

  • Sherlock review (Pool): Apply penalty in case deposit is moved from LUP to below LUP (#665)
  • Sherlock review (RewardsManager): Update toBucket.lpsAtStakeTime instead of using the stale LPB. (#671 #684)
  • TOB-AJNA-3 (PoolInfoUtils): Incorrect inflator arithmetic in view functions (#685)
  • TOB-AJNA-5 (3rd party contracts): Older versions of external libraries are used: Update OZ contracts library to 4.8.2 (#711)
  • TOB-AJNA-8 (Pool): Array lengths are not checked in LP allowance update functions (#725)
  • TOB-AJNA-4 (Pool): Reset interest rate if debtEma < 5% of depositEma and pool rate > 10% (#733)
  • TOB-AJNA-2 (Pool - FenwickTree): Global scalar (at index 8192) is never updated (#753)
  • TOB improvement (RewardsManager): UPDATE_CLAIM_REWARD state var should be constant (#729)
  • TOB improvement (RewardsManager): check for 0x address in RewardsManager constructor (#732)
  • TOB improvement (Pool PoolDeployer): Comments and reuse code (#736)
  • TOB improvement (Pool): Emit event when Flashloan taken (#731)

Bug fixes

  • Bug Fix (Pool): Gracefully revert when collateral pull (#670)
  • Bug Fix (Pool): Revert if encumbered collateral is calculated as zero for non zero debt (#673)
  • Bug Fix (Pool): HPB bankruptcy on settle (#675)
  • Bug Fix (Pool): Update lender deposit time only when non-zero lps are added (#674)
  • Bug Fix (Pool): Bucket take with tiny deposit (#676)
  • Bug fix (Pool): Mul before div consistency (#699)
  • Bug Fix (Pool): Fix settle with reserves and interest accrual roundings (#687)
  • Bug Fix (PositionManager): Ensure PositionManager.moveLiquidity accrues interest (#700)
  • Bug fix (Pool): Interest accrue at LUP vs HTP (#696)
  • Bug Fix (Pool): Use unscaled remaining amount when remove deposit (#714)
  • Bug Fix (PoolInfoUtils): Prevent DIV/0 revert calculating MOMP on a pool with no loans (#712)
  • Bug Fix (Pool): Fenwick Rounding Improvements (Invariant fix F3 F4) (#719)
  • Bug Fix (PoolFactory): Restrict Deployment of Matching Quote and Collateral tokens (#735)
  • Bug Fix (Pool): Mau overflow regression fix (fix for issue #724) (#726)
  • Bug Fix (Pool): Ensure pool debt doesn't exceed deposits when remove quote token (#738)
  • Bug Fix (ERC721Pool): Update rebalance tokenIds logic (#746)
  • Bug Fix (RewardsManager): (Oasis) Resolve DIV/0 unstaking in a burn epoch with no burn (#748)
  • Bug Fix (Pool): CT1-CT7 failure: collateral transferred out from bucket should never be larger than bucket collateral (#759)
  • Bug Fix (Pool): Fix kickWithDeposit overflow underflow (#754)
  • Bug Fix (Pool): Calculate t0Debt2ToCollateral ratio only for loans not in auction (#758)

Improvements

  • Gas improvement (Pool): Calculate reserve on the spot when needed (#688)
  • Gas improvement (RewardsManager): Calculate rewards outside bucket loop (#720)
  • Gas improvement (Pool): Do not try to settle with reserves if reserves is not positive (#740)
  • Gas improvement (Pool FenwickTree): Fenwick gas improvements (#761)
  • Code consistency (Pool): Introduce Maths.floorWdiv and floorWmul functions (#705)
  • Code consistency (PoolInfoUtils): Expose auction price and status (#721)
  • Code consistency (RewardsManager): update PositionManager.MoveLiquidity event to provide all necessary details (#734)
  • Code consistency (Pool): Libraries consistency: (#669)
  • Code consistency (Pool): Improve SettlerActions.settlePoolDebt function (#752)
  • Documentation improvement: Update diagrams (#749)
  • Documentation improvement: Fix forge docs (#750)
  • Documentation improvement (Pool): kickneutral price comments improvements (#664)
  • Documentation improvement (RewardsManager): IRewardsManagerOwnerActions.moveStakedLiquidity comments improvements (#666)
  • Documentation improvement (Pool): Pool contract code maintenance (#663)
  • Documentation improvement (Pool): Documented Net Interest Margin calculation (#683)
  • Tests Improvements: Unit test for pledging loan with huge collateral, effect on rates and EMAs (#667)
  • Tests Improvements: Brownie tests: remove ptp, change how borrow amount calculated, fix LP scaling bugs (#668)
  • Tests Improvements: EMA testing (#678)
  • Tests Improvements: Protocol invariants tests update (#672)
  • Tests Improvements: RewardsManager test refactor and cleanup (#718)

v10 RC3 ToB

06 Mar 08:46
65bcd8e

v0.10.0 Release Candidate 3

Sherlock audit fixes

  • Sherlock 116 (Pools - change function signatures): Incorrect Validation in Pool.sol#transferLPs lead to a DOS attack (#625 #659)
    Introduced Pool.increaseLPAllowance, Pool.decreaseLPAllowance and Pool.revokeLPAllowance to set the amount of LPs allowed for transferors
  • Sherlock 156 (Pools - change function signatures): Anyone can transfer approved LP tokens (#625 #659)
    Introduced Pool.approveLpTransferors and Pool.revokeLpTransferors lender external function to allow addresses as LPs transferors
  • Sherlock 111 (Pools - change function signatures): Adversary can grief kicker by frontrunning kickAuction call with a large amount of loan (#633)
    Introduced limitIndex param to Pool.kick and Pool.kickWithDeposit functions (#633)
  • Sherlock 100 (Pools): Interest rates can be raised above the market as a griefing, disabling the pool (#644 #662)
  • Sherlock 13 (PositionManager): Memorializing an NFT position on the same bucket of a previously memorialized NFT locks redemption (#626 #656)
  • Sherlock 19 (PositionManager): Minting an NFT with a position on the same bucket as a previously minted NFT changes its deposit time (#626 #656)

Bug fixes

  • Bug fix (Pool): Revert on remove collateral if not enough LPs. Mul before div (#613)
  • Bug fix (Pool): fix reserves calculation, maintain single totalBondEscrowed accumulator (#637)
  • Bug fix (Pool): Fix deposit time logic when move quote token, account bucket bankruptcy (#623)
  • Bug fix (Pool): allow kicker to withdraw parts of claimable bonds amount (#642)
  • Bug fix (RewardsManager): Handle bankrupt buckets in RewardManager. (#630)
  • Bug fix (PositionManager): Remove transfer with permit (#654)

Improvements

  • Improvement (Pool): Remove early withdrawal penalty, implement unutilized deposit fee (#640 #658)
  • Improvement (Pool): validate user input and revert in case of noops (#636)
  • Improvement (RewardsManager): Allow move staked nft liquidity, introduced RewardsManager.moveStakedLiquidity function (#638)
  • Improvement (gas optimization): Pack BucketState struct into a single slot (#645)
  • Improvement (consistency): RewardsManager: rename lastInteractionBurnEpoch to lastClaimedEpoch (#544)
  • Events improvements (Pool, PositionManager - change events signatures):
    include indexes in MemorializePosition, RedeemPosition, MoveLiquidity events (#628)
    include current burn epoch in ReserveAuction event (#635)
  • NFT support improvements (ERC721Pool, PositionManager, RewardsManager): remove usage of safeTransferFrom and onERC721Received (#629)
  • Improvements (Pool - change function signatures):
    return moved amount from Pool.moveQuoteToken function (#624)
    return alreadyTaken from Pool.auctionInfo function (#634)
    return totalInterestEarned from Pool.reservesInfo function

v10 RC2 ToB

13 Feb 11:21
ec79122
  • Code maintenance: (#565)
    improve tests coverage
    apply same style for all tests
    port contracts deployment to use forge scripts
    update CI pipeline
    update README with token limitations

  • Code maintenance: LP tokens naming refactor to LPs (#543)

  • Code maintenance: Gas improvements (#542)

  • Bug fix: (Pools) Take underflows when full pool debt repaid (#551)

  • Bug fix: (ERC721Pool) settle leaves pledged collateral accumulator inconsistent (#567)

  • Sherlock 162: (ERC721Pool) taker callback misreports quote funds whenever there was collateral amount rounding (#568)

  • Bug fix: (Pools) Flashloans for non 18 decimals tokens should use token precision instead pool precision (#569)

  • Sherlock 104: (ERC721Pool) Settled collateral of a borrower aren't available for lenders until borrower's debt is fully cleared (#570)

  • Sherlock 105: (ERC721Pool) mergeOrRemoveCollateral allows to remove collateral while auction is clearable (#571)

  • Sherlock 101: (Pools) Flashloan end result isn't controlled (#572)

  • Sherlock 183: RewardsManager doesn't delete old bucket snapshot info on unstaking (#573)

  • Sherlock 151: (RewardsManager) Permanent freezing of unclaimed yield (#574 #596)

  • Sherlock 134: (PositionManager) Transferring funds to yourself reset balance to 0 (#575 #597)

  • Sherlock 075: (Pools - change function signatures) If borrower or kicker got blacklisted by asset contract their collateral or bond funds can be permanently frozen with the pool (#578)

  • Sherlock 139: (Pools) scaledQuoteTokenAmount isn't updated to be collateral sell value in the quote token constraint case of _calculateTakeFlowsAndBondChange (#579)

  • Sherlock 096: (Pool factories) Interest rate for pool is bounded wrongly (#580)

  • Sherlock 068: (ERC721Pool) take will proceed with truncated collateral amount and full debt when borrower's collateral is fractional (#581 #599)

  • Sherlock 120: (RewardsManager) Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards (#576)

  • Sherlock 121: (RewardsManager) Calculating new rewards is susceptible to precision loss due to division before multiplication (#576)

  • Sherlock 163 140 34 31: (ERC721Pool) Remove support for non standard NFTs (#585)

  • Sherlock 98: (PositionManager) Reentrancy possible in mint() function (#577)

  • Sherlock 145: (Pools) Take with atomic swap: Anyone who approved quote tokens to a pool can be forced to take (#589)

  • Sherlock 70: (Pools) user can drawDebt that is below dust amount (#598)

  • Change safeTransferFrom to transferFrom to support Oasis (#592)

  • Sherlock 148: (Pools) Use pool debt when calculating MOMP in Loans.update (#586)

  • Bug fix: (PositionManager) Fix front running vulnerability in safeTransferFromWithPermit method (#593)

  • Sherlock 148 83. LPs and Exchange Rate with WAD precision to avoid rounding issues (#606)

  • Sherlock 39: (Pools - change function signatures) expiration timestamp and slippage control (#600)

  • Test improvement: Protocol invariants testing (#609)

  • Bug fix: Disallow auctioned borrowers to draw more debt or pull collateral if auction is not settled. (#611)

  • Sherlock 73: (ERC721Pool) unique constraint on subset erc721 pools can be bypassed (#591)

v10 RC1 Sherlock

08 Jan 18:59
463dcd3

v0.10.0 Release Candidate 1