Skip to content

code-423n4/2024-10-ronin

BranchesTags

Repository files navigation

Ronin audit details

  • Total Prize Pool: $50,000 in USDC
    • HM awards: $39,800 in USDC
    • QA awards: $1,700 in USDC
    • Judge awards: $4,800 in USDC
    • Scout awards: $500 in USDC
  • Read our guidelines for more details
  • Starts October 16, 2024 20:00 UTC
  • Ends October 30, 2024 20:00 UTC

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here. The Slither outputs can be found here and here

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

  • Centralization risk. Sky Mavis is responsible for maintaining the Katana V3 contracts and will able to upgrade the contract if necessary, as well as specify additional fee tiers.
  • All public known issues, including public audit reports of Uniswap V3 that affect Katana V3
  • If a liquidity pool (pair of tokens) is already open for liquidity provision on Katana V2, liquidity providers are expected to be able to migrate their liquidity to the corresponding pool on Katana V3 when it is created, without being restricted by the authorization function of the Governance.

Overview

Katana v3 is a decentralized exchange (DEX) protocol built on the foundations of Uniswap V3. It retains core features like concentrated liquidity, protocol fees, and the integrated price oracle mechanism. However, Katana v3 introduces key modifications to better align with specific project objectives.

Key Changes from Uniswap V3

  • Customizable Protocol Fee Tiers: Katana v3 allows for flexible fee structures with multiple protocol fee tiers, improving adaptability across different market conditions and asset types.
  • Authorized Protocol Actions: Certain actions within the protocol are managed more systematically through authorization, improving operational integrity and efficiency.
  • Feature Simplification: Unused features from Uniswap V3, such as NFT trading and protocol fee collection, were removed to streamline functionality and reduce complexity.

Links

Scope

Files in scope

File code
katana-v3-contracts/src/core/KatanaV3Pool.sol 566
katana-v3-contracts/src/periphery/NonfungiblePositionManager.sol 320
katana-operation-contracts/src/governance/KatanaGovernance.sol 227
katana-operation-contracts/src/aggregate-router/base/Dispatcher.sol 176
katana-v3-contracts/src/periphery/lens/MixedRouteQuoterV1.sol 150
katana-operation-contracts/src/aggregate-router/modules/katana/v3/V3SwapRouter.sol 126
katana-v3-contracts/src/periphery/NonfungibleTokenPositionDescriptor.sol 91
katana-v3-contracts/src/periphery/V3Migrator.sol 85
katana-v3-contracts/src/core/KatanaV3Factory.sol 77
katana-operation-contracts/src/aggregate-router/modules/Payments.sol 73
katana-operation-contracts/src/aggregate-router/modules/katana/v2/V2SwapRouter.sol 71
katana-v3-contracts/src/periphery/libraries/KatanaV2Library.sol 71
katana-v3-contracts/src/periphery/libraries/KatanaV2LibraryTestnet.sol 71
katana-operation-contracts/src/aggregate-router/AggregateRouter.sol 49
katana-v3-contracts/src/core/interfaces/pool/IKatanaV3PoolEvents.sol 49
katana-v3-contracts/src/core/interfaces/pool/IKatanaV3PoolState.sol 47
katana-v3-contracts/src/periphery/interfaces/IKatanaV2Pair.sol 44
katana-v3-contracts/src/external/interfaces/IKatanaGovernance.sol 43
katana-v3-contracts/src/periphery/interfaces/IMixedRouteQuoterV1.sol 28
katana-v3-contracts/src/periphery/base/PoolInitializer.sol 27
katana-v3-contracts/src/periphery/libraries/PoolAddress.sol 26
katana-v3-contracts/src/core/KatanaV3PoolDeployer.sol 25
katana-operation-contracts/src/aggregate-router/modules/katana/KatanaImmutables.sol 22
katana-operation-contracts/src/aggregate-router/libraries/Commands.sol 20
katana-v3-contracts/src/core/interfaces/IKatanaV3Factory.sol 19
katana-operation-contracts/src/governance/interfaces/IKatanaV2Factory.sol 16
katana-v3-contracts/src/core/KatanaV3PoolProxy.sol 16
katana-operation-contracts/src/aggregate-router/modules/PaymentsImmutables.sol 15
katana-v3-contracts/src/core/interfaces/IKatanaV3Pool.sol 13
katana-v3-contracts/src/core/interfaces/pool/IKatanaV3PoolImmutables.sol 13
katana-v3-contracts/src/periphery/base/PeripheryImmutableState.sol 13
katana-operation-contracts/src/aggregate-router/base/RouterImmutables.sol 10
katana-v3-contracts/src/external/libraries/AuthorizationLib.sol 10
katana-v3-contracts/src/core/KatanaV3PoolBeacon.sol 9
katana-v3-contracts/src/core/interfaces/IKatanaV3PoolDeployer.sol 8
katana-v3-contracts/src/periphery/interfaces/IPeripheryImmutableState.sol 6
katana-v3-contracts/src/core/interfaces/IKatanaV3PoolBeaconImmutables.sol 5
SUM: 2637

If you discover a bug in any contract or library outside of the files listed above that impact following contracts, we will consider the issue valid:

  • KatanaGovernance
  • AggregateRouter
  • KatanaV3Factory
  • NonfungiblePositionManager
  • V3Migrator
  • KatanaV3PoolBeacon
  • KatanaV3Pool

KatanaGovernance, KatanaV3Factory, NonfungiblePositionManager contracts are deployed with transparent proxy.

All vulnerabilities in the KatanaGovernance contract that do not affect user funds will have their severity downgraded by one level.

Priority files

katana-v3-contracts:

src/core/KatanaV3PoolProxy.sol
src/core/KatanaV3Pool.sol
src/core/KatanaV3Factory.sol
src/periphery/NonfungiblePositionManager.sol
src/periphery/V3Migrator.sol

katana-operation-contracts:

src/aggregate-router/AggregateRouter.sol
src/aggregate-router/modules/katana/v2/V2SwapRouter.sol
src/aggregate-router/modules/katana/v3/V3SwapRouter.sol

Files out of scope

These files are explicitly out of scope:

katana-v3-contracts/src/periphery/SwapRouter.sol
katana-v3-contracts/src/periphery/examples/PairFlash.sol
katana-v3-contracts/src/periphery/libraries/KatanaV2LibraryTestnet.sol
katana-v3-contracts/src/periphery/lens/MixedRouteQuoterV1Testnet.sol

Scoping Q & A

General questions

Question Answer
ERC20 used by the protocol Any (all possible ERC20s)
ERC721 used by the protocol N/A
ERC777 used by the protocol N/A
ERC1155 used by the protocol N/A
Chains the protocol will be deployed on Ronin

ERC20 token behaviors in scope

Question Answer
Missing return values Out of scope
Fee on transfer Out of scope
Balance changes outside of transfers Out of scope
Upgradeability Out of scope
Flash minting Out of scope
Pausability Out of scope
Approval race protections Out of scope
Revert on approval to zero address Out of scope
Revert on zero value approvals Out of scope
Revert on zero value transfers Out of scope
Revert on transfer to the zero address Out of scope
Revert on large approvals and/or transfers Out of scope
Doesn't revert on failure Out of scope
Multiple token addresses Out of scope
Low decimals ( < 6) Out of scope
High decimals ( > 18) Out of scope
Blocklists Out of scope

External integrations (e.g., Uniswap) behavior in scope

Question Answer
Enabling/disabling fees (e.g. Blur disables/enables fees) Yes
Pausability (e.g. Uniswap pool gets paused) Yes
Upgradeability (e.g. Uniswap gets upgraded) Yes

EIP compliance checklist

N/A

Additional context

Main invariants

  • User can remove their provided liquidity
  • Only owner can add fee tier as well as enable flash loan feature
  • Protocol fees will be directly transferred to the treasury without fee-collecting operations needed

Attack ideas (where to focus for bugs)

  • Funds blocking
  • Stealing of funds
  • Protocol insolvency
  • Fee distribution logic
  • Access control on pool contract
  • Contract upgradability patterns

All trusted roles in the protocol

Role
Proxy Admin
Governance Owner
Beacon Owner
Factory Owner (i.e. the Governance contract)

Describe any novel or unique curve logic or mathematical models implemented in the contracts

N/A

Assumptions

As Uniswap V3, Katana V3 was developed with the following assumptions, and thus any bug must also adhere to the following assumptions to be valid:

  • The total supply of any token does not exceed 2128 - 1, i.e. type(uint128).max.
  • The transfer and transferFrom methods of any token strictly decrease the balance of the token sender by the transfer amount and increases the balance of token recipient by the transfer amount, i.e. fee on transfer tokens are excluded.
  • The token balance of an address can only change due to a call to transfer by the sender or transferFrom by an approved address, i.e. rebase tokens and interest bearing tokens are excluded.
  • If a liquidity pool (pair of tokens) is already open for liquidity provision on Katana V2, liquidity providers are expected to be able to migrate their liquidity to the corresponding pool on Katana V3 when it is created, without being restricted by the authorization function of the Governance.

Testnet deploy

All contracts are deployed on Saigon testnet. Note that these on-chain contracts are provided for testing purpose and not considered as in-scope assets.

Running tests

katana-v3-contracts:

git clone https://github.com/ronin-chain/katana-v3-contracts --recurse
cd katana-v3-contracts && git checkout release/v1.0.0
forge build

katana-operation-contracts:

git clone https://github.com/ronin-chain/katana-operation-contracts --recurse
cd katana-operation-contracts && git checkout release/v1.0.0
forge build

Miscellaneous

Employees of Sky Mavis / Ronin and employees' family members are ineligible to participate in this audit.

Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

1 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 6