- Total Prize Pool: $390,000 USDC
- HM awards: $222,338 USDC
- Analysis awards: $13,476 USDC
- QA awards: $6,737 USDC
- Bot Race awards: $20,212 USDC
- Gas awards: $6,737 USDC
- Judge awards: $26,000 USDC
- Lookout awards: $12,000 USDC
- Scout awards: $500 USDC
- Mitigation Review: $82,000 USDC (Opportunity goes to top 5 certified wardens based on placement in this audit.)
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts July 05, 2023 20:00 UTC
- Ends August 04, 2023 20:00 UTC
Automated findings output for the audit can be found here. โ๏ธImportant: click "Raw" to view the entire report, as it is truncated in the default view.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
We are aware of the issue with the _ld2sdRate(). Currently if isLdChain isn't set to true for the chain within the deployment of the token, the maximum amount of token that can be sent is equal to 18e18.
Prior audits can be viewed here, and the contents of these are also considered known issues and ineligible for awards. It is recommended that wardens read both Certora reports for helpful context.
In particular, note that the issue described as "First depositor can steal value of some subsequent deposits" in the Certora audit is a known issue.
The Tapioca protocol is built with a lot of different smart contracts, scattered across 5 repositories. It's an Omnichain protocol working the LayerZero messaging layer. At its core, Tapioca ERC20/ERC721 contracts uses the LayerZero OFTv2 and ONFT721 contracts.
The main repository is tapioca-bar, which contains USDO, a stablecoin. BigBang, a CDP based contract that mint and burn USDO. And Singularity, a lending and borrowing platform.
The other repos are here to support the ecosystem as well as to create a synergy between the tokenemics and the protocol features.
- tap-token Contracts related to the tokenemics, is linked to
tapioca-barin an asymmetric way. - tapiocaz Contracts that contains a wrapper named
TOFT, which is used to wrap gas tokens and transfer allow their usage through the LayerZero network. - tapioca-periph Periphery contracts. The main contract is
MagnetarV2, acts as a helper that reduce the number of user taken actions/transactions. - YieldBox A "BentoBox v2". Acts as a vault, that allow for yield strategies to be applied on the asset.
- yieldbox-strategies Yield strategies that will be used by a YieldBox asset.
- The docs provide a lot of information about the protocol and the user flow, given the size of the protocol, we encourage checking it at https://docs.tapioca.xyz/tapioca/.
MagnetarV2does not have access control by design. The underlying is the one that implement those (Can be found onTOFT,Singularity,USDO,TapiocaOptionBroker).- Re-entrency on ownable contract should be considered as a vulnerability only if the last call leads to an external call with potential vulnerability.
| File | SLOC | Description | Libraries |
|---|---|---|---|
| Contracts (3) | |||
| YieldBox/contracts/NativeTokenFactory.sol | 72 | Creates ERC1155 tokens | |
| YieldBox/contracts/YieldBoxURIBuilder.sol | 123 | Inherited by YieldBox | @openzeppelin/* @boringcrypto/* |
| YieldBox/contracts/YieldBox.sol ๐งช ๐ฐ | 263 | Main Yieldbox contract | @boringcrypto/* @openzeppelin/* |
| Abstracts (1) | |||
| YieldBox/contracts/YieldBoxPermit.sol ๐งฎ | 67 | EIP-2612 for YieldBox | @openzeppelin/* |
| Libraries (2) | |||
| YieldBox/contracts/BoringMath.sol | 26 | Simple math lib | |
| YieldBox/contracts/YieldBoxRebase.sol ๐งช | 40 | Math lib for internal accounting | @boringcrypto/* |
| Total (over 6 files): | 591 |
- @boringcrypto/boring-solidity/contracts
- @openzeppelin/contracts/
- @chainlink/
- solady/
- @rari-capital/solmate
twAML is a simple model that is used in twTAP and TapiocaOptionBroker. A detailed explanation of how it works can be found here.
- If you have a public code repo, please share it here: https://github.com/Tapioca-DAO/Tapioca-bar https://github.com/Tapioca-DAO/tap-token https://github.com/Tapioca-DAO/TapiocaZ https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies https://github.com/Tapioca-DAO/YieldBox
- How many contracts are in scope?: 62
- Total SLoC for these contracts?: 13499
- How many external imports are there?: 15
- How many separate interfaces and struct definitions are there for the contracts within scope?: 50
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 10
- What is the overall line coverage percentage provided by your tests?: 90
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: false
- Please describe required context: n/a
- Does it use an oracle?: Custom oracle that may use Chainlink or UniV3 or best of Chainlink/UniV3
- Does the token conform to the ERC20 standard?: True / also non-ERC20 token
- Are there any novel or unique curve logic or mathematical models?: twAML inherited contracts uses a math model that can be found on the page 5 of the paper https://www.tapioca.xyz/docs/twAML.pdf
- Does it use a timelock function?: True
- Is it an NFT?:
- Does it have an AMM?:
- Is it a fork of a popular project?: True; Heavily modified version of Kashi lending & borrowing. It implements a new Permit system for both lending & borrowing actions, a new liquidation system and a module based architecture.
- Does it use rollups?:
- Is it multi-chain?: True
- Does it use a side-chain?: False
- Describe any specific areas you would like addressed. E.g. Please try to break XYZ.":
Tap-Token repo:
Integrity of twAML model within the used contracts (TapiocaOptionBroker, TapiocaDAOPortal).
Correct user participation and exit on twAML contracts (tOB, tDP).
Proper OTC deal execution on tOB.
Tapioca-Bar repo:
Lending & borrowing mechanism.
Function access with lend/borrow approval/permit.
Closed liquidations.
TapiocaZ repo:
mTapiocaOFT/Balancer contract balancing mechanism.
export ALCHEMY_API_KEY="<your-alchemy-api-key>" && export PRIVATE_KEY="ae330c71c0930902aae1bdabdca36457e5b92a095c8ad171fd3ae6519961cc2a" && rm -Rf 2023-07-tapioca || true && git clone https://github.com/code-423n4/2023-07-tapioca.git -j8 && cd 2023-07-tapioca && git submodule update --init && nvm install 18.0 && cd tapiocaz-audit && git submodule update --init && yarn && npx hardhat compile && cd .. && cd YieldBox && git submodule update --init && yarn && npx hardhat compile && cd .. && cd tapioca-bar-audit && git submodule update --init && yarn && npx hardhat compile && cd .. && cd tapioca-periph-audit && git submodule update --init && yarn && npx hardhat compile && cd .. && cd tapioca-yieldbox-strategies-audit && git submodule update --init && yarn && npx hardhat compile && cd .. && cd tap-token-audit && git submodule update --init && yarn && npx hardhat compile && cd .. && cd tapiocaz-audit && REPORT_GAS=true npx hardhat test && cd .. && cd YieldBox && REPORT_GAS=true npx hardhat test && cd .. && cd tapioca-bar-audit && REPORT_GAS=true npx hardhat test && cd .. && cd tapioca-periph-audit && export BINANCE_WALLET_ADDRESS=0x28C6c06298d514Db089934071355E5743bf21d60 && export UniswapV2Router02=0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D && export UniswapV2Factory=0x5C69bEe701ef814a2B6a3EDD4B1652CB9cc5aA6f && export UniswapV3Router=0xE592427A0AEce92De3Edee1F18E0157C05861564 && export UniswapV3Factory=0x1F98431c8aD98523631AE4a59f267346ea31F984 && export Curve3Pool=0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7 && export USDT=0xdac17f958d2ee523a2206206994597c13d831ec7 && export USDC=0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 && export WETH=0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2 && REPORT_GAS=true npx hardhat test && cd .. && cd tapioca-yieldbox-strategies-audit && REPORT_GAS=true NODE_ENV=mainnet npx hardhat test && cd .. && cd tap-token-audit && REPORT_GAS=true npx hardhat test && cd ..
Some tests are skipped, either because it requires a specific chain to be on (Some tests might run solely on Mainnet, while others on Arbitrum). Others are skipped due to being there for helping purposes, or being too old but aren't cleaned.
yarn
npx hardhat compile
npx hardhat test
Set enabled key to true in hardhat.export.ts>config.gasReporter
gasReporter: {
enabled: true,
}Slither does not currently work on tapioca-periph-audit repo. If you find a workaround, please share in the discord.
Coverage is broken for some repos because we use IR compilation. Disabling it might output a stack too deep compilation error.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent