- Total Prize Pool: $74,600 in USDC
- HM awards: $45,400 in USDC
- Analysis awards: $2,500 USDC
- QA awards: $1,300 in USDC
- Gas awards: $1,300 in USDC
- Judge awards: $10,460 in USDC
- Scout awards: $500 in USDC
- Mitigation Review: $13,140 in USDC (Opportunity goes to top 3 backstage wardens based on placement in this audit who RSVP.)
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts April 8, 2024 20:00 UTC
- Ends April 16, 2024 20:00 UTC
This audit repo and its Discord channel are accessible to certified wardens only. Participation in private audits is bound by:
- Code4rena's Certified Contributor Terms and Conditions
- C4's Certified Contributor Code of Professional Conduct
All discussions regarding private audits should be considered private and confidential, unless otherwise indicated.
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
If the owner of the pool or PoolUnderwriter are compromised, then pools could be drained by setting underwriting terms against worthless NFTs. The security of those wallets is in a separate layer (multi-sig / governor contract) and should not be considered.
Gondi is a decentralized non-custodial NFT lending protocol that offers the most flexible and capital efficient primitive.
Gondi loans allows borrowers to access liquidity and obtain the best marginal rate when available as well as allow lenders to earn yield on their capital with the flexibility of entering and exiting their position any moment without affecting borrowers' loans.
Gondi V3 loan offers are submitted from both protocol pools as well as peers market participants creating deep liquidity as well as precise risk pricing..
- Documentation: https://app.gitbook.com/invite/4HJV0LcOOnJ7AVJ77p8e/KW6r5CM24fuLQn0gSSXQ
- Previous audits: https://app.gitbook.com/o/4HJV0LcOOnJ7AVJ77p8e/s/W2WSJrV6PSLWo4p8vIGq/security-and-audits
- Website: https://www.gondi.xyz/
- X/Twitter: https://twitter.com/gondixyz
- Discord: https://discord.gg/HJc7zpTT
See scope.txt
| File | Logic Contracts | Lines | nLines | SLOC |
|---|---|---|---|---|
| /src/lib/AddressManager.sol | 1 | 100 | 100 | 61 |
| /src/lib/AuctionLoanLiquidator.sol | 1 | 336 | 321 | 241 |
| /src/lib/AuctionWithBuyoutLoanLiquidator.sol | 1 | 133 | 124 | 93 |
| /src/lib/InputChecker.sol | 1 | 15 | 15 | 9 |
| /src/lib/LiquidationDistributor.sol | 1 | 123 | 111 | 106 |
| /src/lib/LiquidationHandler.sol | 1 | 115 | 112 | 77 |
| /src/lib/Multicall.sol | 1 | 22 | 22 | 15 |
| /src/lib/UserVault.sol | 1 | 376 | 355 | 271 |
| /src/lib/callbacks/CallbackHandler.sol | 1 | 84 | 75 | 53 |
| /src/lib/callbacks/PurchaseBundler.sol | 1 | 320 | 308 | 247 |
| /src/lib/loans/BaseLoan.sol | 1 | 216 | 216 | 117 |
| /src/lib/loans/BaseLoanHelpers.sol | 1 | 39 | 23 | 25 |
| /src/lib/loans/LoanManager.sol | 1 | 161 | 136 | 105 |
| /src/lib/loans/LoanManagerRegistry.sol | 1 | 31 | 31 | 20 |
| /src/lib/loans/MultiSourceLoan.sol | 1 | 1155 | 1058 | 864 |
| /src/lib/loans/WithLoanManagers.sol | 1 | 29 | 29 | 19 |
| /src/lib/pools/AaveUsdcBaseInterestAllocator.sol | 1 | 105 | 105 | 75 |
| /src/lib/pools/FeeManager.sol | 1 | 79 | 79 | 51 |
| /src/lib/pools/LidoEthBaseInterestAllocator.sol | 1 | 173 | 173 | 134 |
| /src/lib/pools/Pool.sol | 1 | 766 | 731 | 507 |
| /src/lib/pools/PoolOfferHandler.sol | 1 | 170 | 155 | 114 |
| /src/lib/pools/WithdrawalQueue.sol | 1 | 145 | 145 | 82 |
| /src/lib/utils/BytesLib.sol | 1 | 95 | 95 | 50 |
| /src/lib/utils/Hash.sol | 1 | 200 | 196 | 169 |
| /src/lib/utils/Interest.sol | 1 | 39 | 39 | 30 |
| /src/lib/utils/TwoStepOwned.sol | 1 | 48 | 48 | 31 |
| /src/lib/utils/ValidatorHelpers.sol | 1 | 82 | 79 | 49 |
| /src/lib/utils/WithProtocolFee.sol | 1 | 86 | 86 | 54 |
| Totals | 28 | 5243 | 4967 | 3669 |
See out_of_scope.txt
| Question | Answer |
|---|---|
| ERC20 used by the protocol | USDC / WETH |
| Test coverage | 77.11% |
| ERC721 used by the protocol | ๐๏ธ |
| Chains the protocol will be deployed on | Ethereum |
| Question | Answer |
|---|---|
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | No |
| Upgradeability (e.g. Uniswap gets upgraded) | No |
- While a loan is outstanding, MultiSourceLoan must own the collateral.
Security of collateral in MultiSourceLoan. Pool accounting and potential exploits.
| Role | Description |
|---|---|
| Owner of Pool | This will be a Governor contract that will update the PoolUnderwriter/base rate strategy. |
git clone --recurse https://github.com/code-423n4/2024-04-gondi
git submodule update --init --recursiveTo run code coverage
forge coverage --ir-minimumTo run gas benchmarks
forge test --gas-reportTo run Slither (See slither.txt)
slither .Gas report: See gas-report.txt
Test coverage:
Employees for Gondi and employees' family members are ineligible to participate in this audit.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent