Superform USDC rate providers and vaults on Mainnet and Base #257
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # ERC4626 Vault: `SuperVault` | ||
|
|
||
| ## Details | ||
| - Reviewed by: @mattpereira | ||
| - Checked by: @\<GitHub handle of secondary reviewer\> | ||
| - Deployed at: | ||
| - [ethereum:0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a](https://etherscan.io/address/0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a#code) | ||
| - [base:0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b](https://basescan.org/address/0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b#code) | ||
| - Audit report(s): | ||
| - [SuperVaults Audits](https://github.com/superform-xyz/SuperVaults/tree/main/audits) | ||
|
|
||
| ## Context | ||
| A SuperVault manages multiple Superforms (Superform positions linked to vaults) and incorporates mechanisms for rebalancing, whitelisting, and deposit limits. SuperVault contracts delegate most of their core ERC-4626 vault functionality to the Yearn V3 TokenizedStrategy contract. | ||
|
|
||
| ## Review Checklist: Bare Minimum Compatibility | ||
| Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. | ||
|
|
||
| - [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). | ||
| - [x] The required Vault implements the required operational ERC4626 Interface | ||
|
|
||
| ## Review Checklist: Common Findings | ||
| Each of the items below represents a common red flag found in Rate Provider contracts. | ||
|
|
||
| If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. | ||
|
|
||
| ### Administrative Privileges | ||
| - [ ] The ERC4626 Vault is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). | ||
|
|
||
| ### Buffer blocklist | ||
| - [x] The reviewed ERC4626 Vault should be added to the blocked buffers metadata list. | ||
|
|
||
| ### Common Manipulation Vectors | ||
| - [ ] The ERC4626 Vault is susceptible to donation attacks. | ||
|
|
||
| ## Additional Findings | ||
| To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. | ||
|
|
||
| ## Conclusion | ||
| **Summary judgment: USABLE** | ||
| The outlined ERC4626 Vaults should work with Balancer pools, but are not compatible with buffers since `testWithdraw` reverts with "too much loss", perhaps because SuperVaults leverage Yearn v3 `TokenizedStrategy` contract, which requires profits to be gradually unlocked over time, making it difficult to guarantee immediate withdrawals at the expected share price. Fork tests can be seen [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/24) | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| \<Template: Copy this file and replace all elements inside \<\> brackets. Delete this particular block.\> | ||
|
|
||
| # Rate Provider: `ERC4626RateProvider` | ||
|
|
||
| ## Details | ||
| - Reviewed by: @mattpereira | ||
| - Checked by: @\<GitHub handle of secondary reviewer\> | ||
| - Deployed at: | ||
| - [ethereum:0x9fA39387D479fd456367190c82739eD6dC86491D](https://etherscan.io/address/0x9fA39387D479fd456367190c82739eD6dC86491D#code) | ||
| - [base:0x829Be222f36C6B7D48a7e1270b3c070BA2Ee98C4](https://basescan.org/address/0x829Be222f36C6B7D48a7e1270b3c070BA2Ee98C4#code) | ||
| - Audit report(s): | ||
| - [yAudit Superform Router Plus and Super Vaults Review](https://github.com/superform-xyz/SuperVaults/blob/main/audits/yAudit_report.pdf) | ||
|
|
||
| ## Context | ||
| The ERC4626 RateProvider fetches the rate of SuperVault tokens in terms of the underlying asset. The exchange rate is provided via the conversion between totalAssets and totalSupply. Each SuperVault manages multiple "Superforms", which are positions linked to other vaults. A `SuperVaultManager` role controls a whitelist of vaults where funds can be allocated. A `SuperVaultStrategist` role is allowed to rebalance the allocation of assets amongst whitelisted vaults. | ||
|
|
||
| ## Review Checklist: Bare Minimum Compatibility | ||
| Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. | ||
|
|
||
| - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. | ||
| - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. | ||
|
|
||
| ## Review Checklist: Common Findings | ||
| Each of the items below represents a common red flag found in Rate Provider contracts. | ||
|
|
||
| If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. | ||
|
|
||
| ### Administrative Privileges | ||
| - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). | ||
|
|
||
| - [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). | ||
|
There was a problem hiding this comment. You mentioned it in your context section, the entity authorised by Since
behaves. As part of the review we learned that as part of the Based on my reading so far, there is super form validation to make sure only accurate data is added during a
Suggestion: I would tick the upgradeable section as it is not a "proxy upgrade" but a new contract inclusion upgrade and give a rundown of how such a process could potentially be misused and what guardrails are in place to protect against that. Ultimately add the address of the VaultStrategist and get in touch with Superform on the security of the pk / multisig and if helpful for the reader add that information here |
||
|
|
||
| ### Oracles | ||
| - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). | ||
|
|
||
| - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). | ||
|
|
||
| ### Common Manipulation Vectors | ||
| - [ ] The Rate Provider is susceptible to donation attacks. | ||
|
|
||
|
|
||
| ## Conclusion | ||
| **Summary judgment: USABLE** | ||
|
|
||
| The Rate Providers should work as expected with Balancer pools. No portion of the price pipeline is upgradeable, and common manipulation vectors are mitigated by SuperVaults deleagating most of their core ERC-4626 vault functionality to the Yearn V3 TokenizedStrategy contract. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without knowing the contract in details I suspect that gradual unlocks of profits should not lead to "losses" accrueing. At most the same amounts should be withdrawn, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My interpretation of the failling test was that it attempts to withdraw based on an expected amount the test calculates, but that amount ends up being too low because the SuperVault contract will only release funds that have been unlocked, and not the full amount including profits until the over time part elapses