diff --git a/erc4626/SuperformSuperVaultReview.md b/erc4626/SuperformSuperVaultReview.md new file mode 100644 index 0000000..c9c125e --- /dev/null +++ b/erc4626/SuperformSuperVaultReview.md @@ -0,0 +1,41 @@ +# ERC4626 Vault: `SuperVault` + +## Details +- Reviewed by: @mattpereira +- Checked by: @\ +- Deployed at: + - [ethereum:0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a](https://etherscan.io/address/0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a#code) + - [base:0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b](https://basescan.org/address/0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b#code) +- Audit report(s): + - [yAudit Report](https://github.com/superform-xyz/SuperVaults/tree/main/audits) + +## Context +\ + +## Review Checklist: Bare Minimum Compatibility +Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. + +- [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). +- [x] The required Vault implements the required operational ERC4626 Interface + +## Review Checklist: Common Findings +Each of the items below represents a common red flag found in Rate Provider contracts. + +If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. + +### Administrative Privileges +- [ ] The ERC4626 Vault is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). + +### Buffer blocklist +- [ ] The reviewed ERC4626 Vault should be added to the blocked buffers metadata list. + +### Common Manipulation Vectors +- [ ] The ERC4626 Vault is susceptible to donation attacks. + +## Additional Findings +To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. + +## Conclusion +**Summary judgment: \** + +\ \ No newline at end of file diff --git a/erc4626/registry.json b/erc4626/registry.json index 9899a76..b373d39 100644 --- a/erc4626/registry.json +++ b/erc4626/registry.json @@ -86,6 +86,13 @@ } }, "base": { + "0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b": { + "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", + "name": "Superform USDC", + "summary": "safe", + "review": "./SuperformSuperVaultReview.md", + "warnings": [] + }, "0x616a4E1db48e22028f6bbf20444Cd3b8e3273738": { "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", "name": "MetaMorpho v1.1 Seamless USDC", @@ -172,6 +179,13 @@ } }, "ethereum": { + "0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a": { + "asset": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48", + "name": "Superform USDC", + "summary": "safe", + "review": "./SuperformSuperVaultReview.md", + "warnings": [] + }, "0x2371e134e3455e0593363cBF89d3b6cf53740618": { "asset": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2", "name": "MetaMorpho Gauntlet wETH Prime", diff --git a/rate-providers/SuperformRateProviders.md b/rate-providers/SuperformRateProviders.md new file mode 100644 index 0000000..11e60b1 --- /dev/null +++ b/rate-providers/SuperformRateProviders.md @@ -0,0 +1,45 @@ +\ brackets. Delete this particular block.\> + +# Rate Provider: `ERC4626RateProvider` + +## Details +- Reviewed by: @mattpereira +- Checked by: @\ +- Deployed at: + - [ethereum:0x9fA39387D479fd456367190c82739eD6dC86491D](https://etherscan.io/address/0x9fA39387D479fd456367190c82739eD6dC86491D#code) + - [base:0x829Be222f36C6B7D48a7e1270b3c070BA2Ee98C4](https://basescan.org/address/0x829Be222f36C6B7D48a7e1270b3c070BA2Ee98C4#code) +- Audit report(s): + - [yAudit Superform Router Plus and Super Vaults Review](https://github.com/superform-xyz/SuperVaults/blob/main/audits/yAudit_report.pdf) + +## Context +\ + +## Review Checklist: Bare Minimum Compatibility +Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. + +- [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. +- [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. + +## Review Checklist: Common Findings +The ERC4626 RateProvider fetches the rate of SuperVault tokens in terms of the underlying asset. The exchange rate is provided via the conversion between totalAssets and totalSupply. The SuperVault contract leverages Yearn v3's `TokenizedStrategy` as a proxy implementation that handles core ERC4626 vault logic. It extends this foundation by adding specialized functionality for managing multiple Superform positions through weight-based allocation, rebalancing capabilities, and whitelist controls. + +If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. + +### Administrative Privileges +- [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). + +- [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). + +### Oracles +- [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). + +- [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). + +### Common Manipulation Vectors +- [ ] The Rate Provider is susceptible to donation attacks. + + +## Conclusion +**Summary judgment: USABLE** + +The Rate Providers should work well with Balancer pools. diff --git a/rate-providers/registry.json b/rate-providers/registry.json index efdf0e4..267b828 100644 --- a/rate-providers/registry.json +++ b/rate-providers/registry.json @@ -697,6 +697,15 @@ } }, "base": { + "0x829Be222f36C6B7D48a7e1270b3c070BA2Ee98C4": { + "asset": "0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b", + "name": "Superform USDC Rate Provider", + "summary": "safe", + "review": "./SuperformRateProviders.md", + "warnings": [], + "factory": "0xEfD3aF73d3359014f3B864d37AC672A6d3D7ff1A", + "upgradeableComponents": [] + }, "0xe1b1e024f4Bc01Bdde23e891E081b76a1A914ddd": { "asset": "0xd95ca61CE9aAF2143E81Ef5462C0c2325172E028", "name": "WrappedUsdPlusRateProvider", @@ -923,6 +932,15 @@ } }, "ethereum": { + "0x9fA39387D479fd456367190c82739eD6dC86491D": { + "asset": "0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a", + "name": "Superform USDC Rate Provider", + "summary": "safe", + "review": "./SuperformRateProviders.md", + "warnings": [], + "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec", + "upgradeableComponents": [] + }, "0x1aCB59d7c5D23C0310451bcd7bA5AE46d18c108C": { "asset": "0xF1617882A71467534D14EEe865922de1395c9E89", "name": "asETHRateProvider",