louislung / 2023-02-kuma

This project forked from code-423n4/2023-02-kuma

2023-02-kuma's Introduction

My learnings

Setup

  1. Found that the foundry image has an issue installing extensions in a dev container; the solution is to add the following to devcontainer.json:
     "settings": {
       "extensions.verifySignature": false
     }

General learnings

  1. Don't aim to understand all the business logic at the beginning. Start from a few important functions (e.g. transfer, approve), then think about the extreme cases that could happen to them (e.g. transfer to the zero address, transfer to the contract itself).
     1.1 It is important to show an example and a PoC with each finding.
  2. [M-02/KIB-02L/KFC-03L] When a constraint is implemented in one function, check whether it is implemented in every other function that touches the same state (e.g. addPayee doesn't allow a duplicate payee, but does changePayee check that?).
  3. [M-03] For every call to a third party, check what validation is missing (e.g. check updated_at for an oracle reading).
  4. [M-04] Some revert conditions may not make sense; they may be extreme cases, but not impossible ones.
  5. [KIB-01L] Does it use third-party frameworks properly? e.g. OpenZeppelin's _disableInitializers.
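Item 2 above in working form, as an added example that is not code from this repo or from the KUMA protocol: a hypothetical PayeeRegistry whose addPayee rejects duplicates and the zero address while changePayee forgets both, a fixed subclass that applies the same checks, and a Foundry test that exercises each. The contract, the ALICE/BOB addresses and the forge-std import are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {Test} from "forge-std/Test.sol";

// Hypothetical payee registry written for this note; it is not KUMAFeeCollector.
// addPayee enforces "no duplicate, no zero address"; changePayee forgets both.
contract PayeeRegistry {
    address[] internal _payees;
    mapping(address => bool) public isPayee;

    error AlreadyPayee(address payee);
    error NotPayee(address payee);
    error ZeroAddress();

    function payees() external view returns (address[] memory) {
        return _payees;
    }

    function addPayee(address payee) external {
        if (payee == address(0)) revert ZeroAddress();
        if (isPayee[payee]) revert AlreadyPayee(payee);
        isPayee[payee] = true;
        _payees.push(payee);
    }

    // BUG: changePayee(a, b) with b already registered leaves b twice in _payees,
    // so any pro-rata fee split over the array double-pays b.
    function changePayee(address oldPayee, address newPayee) external virtual {
        if (!isPayee[oldPayee]) revert NotPayee(oldPayee);
        _replace(oldPayee, newPayee);
    }

    function _replace(address oldPayee, address newPayee) internal {
        for (uint256 i = 0; i < _payees.length; ++i) {
            if (_payees[i] == oldPayee) {
                _payees[i] = newPayee;
                break;
            }
        }
        isPayee[oldPayee] = false;
        isPayee[newPayee] = true;
    }
}

// Fixed version: every function that writes the set applies the same constraints.
contract PayeeRegistryFixed is PayeeRegistry {
    function changePayee(address oldPayee, address newPayee) external override {
        if (newPayee == address(0)) revert ZeroAddress();
        if (!isPayee[oldPayee]) revert NotPayee(oldPayee);
        if (isPayee[newPayee]) revert AlreadyPayee(newPayee);
        _replace(oldPayee, newPayee);
    }
}

contract PayeeRegistryTest is Test {
    address constant ALICE = address(0xA11CE);
    address constant BOB = address(0xB0B);

    // Number of times `who` appears in the payee array; anything above 1 is the bug.
    function _count(address[] memory list, address who) internal pure returns (uint256 n) {
        for (uint256 i = 0; i < list.length; ++i) {
            if (list[i] == who) n++;
        }
    }

    function test_changePayee_allowsDuplicate() public {
        PayeeRegistry reg = new PayeeRegistry();
        reg.addPayee(ALICE);
        reg.addPayee(BOB);
        reg.changePayee(ALICE, BOB); // accepted: BOB is now listed twice
        assertEq(_count(reg.payees(), BOB), 2);
    }

    function test_changePayee_fixed_rejectsDuplicate() public {
        PayeeRegistryFixed reg = new PayeeRegistryFixed();
        reg.addPayee(ALICE);
        reg.addPayee(BOB);
        vm.expectRevert(abi.encodeWithSelector(PayeeRegistry.AlreadyPayee.selector, BOB));
        reg.changePayee(ALICE, BOB);
        assertEq(_count(reg.payees(), BOB), 1);
    }
}
```

The useful habit here is the test shape rather than the registry: once a constraint is found in one writer (addPayee), write the same assertion against every other writer of that state (changePayee, removePayee, batch variants) and let the failing test be the PoC.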

For the H-01 finding

  2. forge test --debug "test_transfer" --no-match-test "test_transfer_|test_transferFrom" --match-contract My_KIBTokenTransfer
  3. forge test --match-contract My_KIBTokenTransfer

This test reproduces the High-severity issue (H-01) from the Code4rena contest.
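Items 3 and 5 of the general learnings as one added example (not code from this repo): a hypothetical upgradeable RateFeedConsumer that locks its implementation with OpenZeppelin's _disableInitializers() and validates an oracle reading before using it, next to the unchecked read it replaces. The IRateOracle interface is assumed to have the Chainlink AggregatorV3 latestRoundData() shape, not the repo's MCAGAggregatorInterface; the import paths assume the standard OpenZeppelin npm layout (4.6 or later for _disableInitializers) and need adjusting to the repo's remappings; MockOracle, the 1-day maxAge and the rate value in the test are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Assumed oracle shape: a Chainlink AggregatorV3-style latestRoundData().
// This is not the repo's MCAGAggregatorInterface.
interface IRateOracle {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical upgradeable consumer; not the repo's MCAGRateFeed.
contract RateFeedConsumer is Initializable {
    error ZeroAddress();
    error InvalidRate(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StaleRate(uint256 updatedAt, uint256 maxAge);

    IRateOracle public oracle;
    uint256 public maxAge; // seconds a reading may be old before it is rejected

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the implementation: initialize() only ever runs through a proxy.
        _disableInitializers();
    }

    function initialize(IRateOracle oracle_, uint256 maxAge_) external initializer {
        if (address(oracle_) == address(0)) revert ZeroAddress();
        oracle = oracle_;
        maxAge = maxAge_;
    }

    // Unsafe: trusts whatever the third party returns.
    function rateUnchecked() external view returns (int256 answer) {
        (, answer,,,) = oracle.latestRoundData();
    }

    // Hardened: non-positive answers, unfinished rounds and readings older than
    // maxAge revert. A future updatedAt underflows the subtraction and reverts too.
    function rate() external view returns (uint256) {
        (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) =
            oracle.latestRoundData();
        if (answer <= 0) revert InvalidRate(answer);
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StaleRate(updatedAt, maxAge);
        return uint256(answer);
    }
}

// Constructed mock so the test runs without a live feed.
contract MockOracle is IRateOracle {
    int256 public answer;
    uint256 public updatedAt;

    function set(int256 answer_, uint256 updatedAt_) external {
        answer = answer_;
        updatedAt = updatedAt_;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}

contract RateFeedConsumerTest is Test {
    RateFeedConsumer feed;
    MockOracle mock;

    function setUp() public {
        mock = new MockOracle();
        RateFeedConsumer impl = new RateFeedConsumer();
        bytes memory init = abi.encodeCall(RateFeedConsumer.initialize, (IRateOracle(address(mock)), 1 days));
        feed = RateFeedConsumer(address(new ERC1967Proxy(address(impl), init)));
        vm.expectRevert(); // the locked implementation rejects direct initialization
        impl.initialize(IRateOracle(address(mock)), 1 days);
    }

    function test_staleReadingIsRejectedOnlyByHardenedPath() public {
        uint256 t0 = block.timestamp;
        mock.set(3_50000000, t0); // 3.5% with 8 decimals, published now
        assertEq(feed.rate(), 3_50000000);

        vm.warp(t0 + 2 days); // reading is now older than maxAge
        assertEq(feed.rateUnchecked(), 3_50000000); // still answers, silently stale
        vm.expectRevert(abi.encodeWithSelector(RateFeedConsumer.StaleRate.selector, t0, 1 days));
        feed.rate();
    }
}
```

When reviewing a real consumer, compare every field the oracle returns against what the consumer actually checks; a feed that stops updating does not revert on its own, it just keeps returning the last value, which is exactly the case rate() refuses and rateUnchecked() prices with.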

KUMA Protocol Versus contest details

  • Total Prize Pool: $38,600 USDC
    • HM awards: $25,500 USDC
    • QA report awards: $3,000 USDC
    • Gas report awards: $1,500 USDC
    • Judge + presort awards: $8,100 USDC
    • Scout awards: $500 USDC
  • Join C4 Discord to register
  • Submit findings using the C4 form
  • Read our guidelines for more details
  • Starts February 17, 2023 20:00 UTC
  • Ends February 22, 2023 20:00 UTC

Overview

This repo contains source contracts and testing suites for the MCAG contracts and the KUMA Protocol. Each corresponding project directory contains documentation in the /docs folder.

The src/kuma-protocol/ folder contains the contracts that comprise the decentralized KUMA protocol. See docs/kuma-protocol/ for KUMA protocol docs.

The src/mcag-contracts/ contains contracts that are managed by the centralized MCAG entity. See docs/mcag-contracts/ for MCAG contracts docs.

Scope

Files in scope

| File | SLOC | Description | Coverage | Libraries |
|---|---|---|---|---|
| Contracts (12) | | | | |
| src/kuma-protocol/KUMAAccessController.sol | 9 | - | - | @openzeppelin/* |
| src/mcag-contracts/AccessController.sol | 16 | - | - | @openzeppelin/* |
| src/mcag-contracts/Blacklist.sol | 33 | Central registry for blacklisted addresses that are not allowed to interact with the NFT | 100.00% | @openzeppelin/* |
| src/kuma-protocol/KBCToken.sol | 67 | A Clone Bond NFT Token that is issued when the KIBT yield is not high enough to buy back the original Bond NFT | 100.00% | @openzeppelin/* @openzeppelin-upgradeable/* @mcag/* |
| src/mcag-contracts/MCAGAggregator.sol | 67 | Oracle that MCAG manages to publish central bank rates | 100.00% | @openzeppelin/* |
| src/kuma-protocol/MCAGRateFeed.sol 🧮 | 75 | Contract that reads the price from the MCAG central bank rate oracle | 100.00% | @openzeppelin/* @mcag/* |
| src/mcag-contracts/KYCToken.sol | 77 | Untransferable NFT that MCAG will airdrop to KYC users | 100.00% | @openzeppelin/* |
| src/kuma-protocol/KUMAAddressProvider.sol 🧮 | 118 | AddressProvider that stores the mappings for the KIBT, KUMASwap and KUMAFeeCollector for each risk class | 100.00% | @openzeppelin/* |
| src/mcag-contracts/KUMABondToken.sol | 134 | NFT that MCAG will issue for each purchased real world bond | 100.00% | @openzeppelin/* |
| src/kuma-protocol/KUMAFeeCollector.sol 🧮 | 159 | - | 100.00% | @openzeppelin/* |
| src/kuma-protocol/KIBToken.sol 🧮 | 251 | Interest-bearing ERC20, one for each risk class | 100.00% | @openzeppelin-upgradeable/* @openzeppelin/* |
| src/kuma-protocol/KUMASwap.sol 🧮 Σ | 394 | Main contract that allows swapping a Bond NFT for the KIBT ERC20, one KUMASwap per risk class (country, term, currency) | 100.00% | @openzeppelin/* @mcag/* @openzeppelin-upgradeable/* |
| Interfaces (10) | | | | |
| src/mcag-contracts/interfaces/IBlacklist.sol | 11 | - | - | @openzeppelin/* |
| src/kuma-protocol/interfaces/IMCAGRateFeed.sol | 14 | - | - | @openzeppelin/* @mcag/* |
| src/mcag-contracts/interfaces/MCAGAggregatorInterface.sol | 15 | - | - | |
| src/mcag-contracts/interfaces/IKYCToken.sol | 17 | - | - | @openzeppelin/* |
| src/kuma-protocol/interfaces/IKBCToken.sol | 20 | - | - | @openzeppelin-upgradeable/* |
| src/kuma-protocol/interfaces/IKUMAFeeCollector.sol | 22 | - | - | |
| src/kuma-protocol/interfaces/IKUMAAddressProvider.sol | 27 | - | - | @openzeppelin/* |
| src/mcag-contracts/interfaces/IKUMABondToken.sol | 32 | - | - | @openzeppelin/* |
| src/kuma-protocol/interfaces/IKIBToken.sol | 38 | - | - | @openzeppelin/* @openzeppelin-upgradeable/* |
| src/kuma-protocol/interfaces/IKUMASwap.sol | 59 | - | - | @openzeppelin/* |
| Total (over 22 files) | 1655 | | 100.00% | |

Out of scope

All other files in the repo

External imports

Additional Context

Please see the docs/ folder for more context.

Scoping Details

- If you have a public code repo, please share it here: n/a
- How many contracts are in scope?: 22
- Total SLoC for these contracts?:  1634
- How many external imports are there?: n/a
- How many separate interfaces and struct definitions are there for the contracts within scope?: 3 structs, 10 interfaces
- Does most of your code generally use composition or inheritance?: inheritance
- How many external calls?: n/a
- What is the overall line coverage percentage provided by your tests?: 100%
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: KUMA Protocol will depend on the Mimo Capital AG contracts
- Please describe required context: Please read the docs in each respective folder
- Does it use an oracle?: No
- Does the token conform to the ERC20 standard?: Yes
- Are there any novel or unique curve logic or mathematical models?: No
- Does it use a timelock function?: No
- Is it an NFT?: Yes
- Does it have an AMM?: No
- Is it a fork of a popular project?: No
- Does it use rollups?: No
- Is it multi-chain?: No
- Does it use a side-chain?: No

Tests

This repo contains relevant tests for the two source projects. To run tests:

  1. Make sure all git submodules are installed using git submodule update --init
  2. Run forge test

Make sure forge is at least on the following version: forge 0.2.0 (1a56901 2023-02-15T00:05:20.802314Z)

To skip invariant and fuzz tests run forge test --no-match-path "{*invariant*,*fuzz*}"

Quickstart Command

Alternatively use the following quickstart command:

rm -Rf 2023-02-kuma || true && git clone https://github.com/code-423n4/2023-02-kuma.git -j8 --recurse-submodules && cd 2023-02-kuma && git submodule update --init && foundryup && forge install && forge build && forge test --gas-report

Running Static Analysis

The root folder contains a slither.config.json file that can be used to run static analysis on the kuma-protocol project. Refer to the Foundry docs on how to run Slither against a Foundry project.

Invariant testing

For the following files the invariants should be run with fail_on_revert = true in the foundry.toml:

[invariant]
runs = 256
depth = 256
fail_on_revert = true

Then run the tests with forge test --match-path "*fail.on.revert*"
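An added example of how an invariant test has to be laid out for fail_on_revert = true to mean anything; it is not one of this repo's invariant tests, and Vault, VaultHandler and the three actor addresses are hypothetical. With fail_on_revert = true a revert anywhere inside a fuzzed call fails the whole campaign, so the fuzzer is pointed only at a handler that bounds every input to values the target accepts, and a revert then always signals a real bug rather than a fuzzer input the contract was right to reject.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {Test} from "forge-std/Test.sol";

// Minimal hypothetical vault, only here to have something to fuzz; not a KUMA contract.
contract Vault {
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    function deposit(uint256 amount) external {
        balanceOf[msg.sender] += amount;
        totalDeposits += amount;
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalDeposits -= amount;
    }
}

// Handler: the only thing the fuzzer may call. Under fail_on_revert = true a revert
// inside any fuzzed call fails the campaign, so inputs are bounded here instead of
// letting the fuzzer trip the target's require().
contract VaultHandler is Test {
    Vault public vault;
    address[] internal actors;
    uint256 public ghostSum; // what totalDeposits should equal after every handler call

    constructor(Vault vault_) {
        vault = vault_;
        actors.push(address(0xA11CE));
        actors.push(address(0xB0B));
        actors.push(address(0xCA11));
    }

    function actorCount() external view returns (uint256) { return actors.length; }
    function actor(uint256 i) external view returns (address) { return actors[i]; }

    function deposit(uint256 actorSeed, uint256 amount) external {
        address who = actors[bound(actorSeed, 0, actors.length - 1)];
        amount = bound(amount, 0, 1e24); // keeps totalDeposits far from overflow
        vm.prank(who);
        vault.deposit(amount);
        ghostSum += amount;
    }

    function withdraw(uint256 actorSeed, uint256 amount) external {
        address who = actors[bound(actorSeed, 0, actors.length - 1)];
        amount = bound(amount, 0, vault.balanceOf(who)); // never above balance, so never reverts
        vm.prank(who);
        vault.withdraw(amount);
        ghostSum -= amount;
    }
}

// Keep this in a file whose path contains "fail.on.revert" so that
// forge test --match-path "*fail.on.revert*" selects it.
contract VaultFailOnRevertInvariantTest is Test {
    Vault vault;
    VaultHandler handler;

    function setUp() public {
        vault = new Vault();
        handler = new VaultHandler(vault);
        // Fuzz only the two handler entry points, not Vault or the handler's getters.
        bytes4[] memory selectors = new bytes4[](2);
        selectors[0] = VaultHandler.deposit.selector;
        selectors[1] = VaultHandler.withdraw.selector;
        targetContract(address(handler));
        targetSelector(FuzzSelector({addr: address(handler), selectors: selectors}));
    }

    function invariant_totalDepositsMatchesGhostSum() public {
        assertEq(vault.totalDeposits(), handler.ghostSum());
    }

    function invariant_sumOfBalancesEqualsTotal() public {
        uint256 sum;
        for (uint256 i = 0; i < handler.actorCount(); ++i) {
            sum += vault.balanceOf(handler.actor(i));
        }
        assertEq(sum, vault.totalDeposits());
    }
}
```

With the [invariant] settings above (runs = 256, depth = 256, fail_on_revert = true) each run is a sequence of 256 handler calls and the two invariant_ functions are checked after every call. If a bound() is dropped from the handler, the first call that exceeds a balance makes the campaign fail with the require() message, which is the signal that the handler, not the target, needs fixing.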
