Superposition
Longtail, Arbitrum's cheapest most rewarding AMM, is the first AMM that pays you to use it, built on concepts like payment for orderflow.
View Repo- Start date23 Aug 2024
- End date13 Sep 2024
- Total awards$60,750 in USDC
- Duration21 days
- Details
Superposition audit details
- Total Prize Pool: $60,750 in USDC
- HM awards: $38,880 in USDC
- QA awards: $1,620 in USDC
- Judge awards: $7,000 in USDC
- Scout awards: $750 in USDC
- Validator awards: $3,500 USDC
- Mitigation Review: $9,000 USDC (Opportunity goes to top 3 backstage wardens based on placement in this audit who RSVP.)
- Read our guidelines for more details
- Starts August 23, 2024 20:00 UTC
- Ends September 13, 2024 20:00 UTC
Automated Findings / Publicly Known Issues
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
- It is possible for someone to grief the protocol by creating a pool with bad configuration.
- It is possible for the permissioned account to do things to grief the protocol.
Overview
Longtail is a concentrated liquidity AMM powered by Arbitrum Stylus. Arbitrum Stylus is a WASM frontend to the EVM on Arbitrum.
Longtail differs from a traditional V3 AMM in the following ways:
- One contract for everything: Liquidity is centralised in one contract.
- One shared asset between every pool: fUSDC is shared between every pool.
- Contract addresses are embedded in the compiled code: Contract addresses are set using environment variables.
- Native support for permit2: Permit2 is natively supported for a better UX.
- Diamond-like proxy for dispatch: A Solidity contract is used to delegatecall to different facets of the contract.
Links
- Webapp https://long.so
- Previous audits: https://github.com/fluidity-money/long.so/tree/development/audits
- Documentation: https://docs.long.so
- Website: https://superposition.so
- X/Twitter: https://x.com/superpositionso
- Discord: https://discord.gg/Xxa8H3tp
Scope
See scope.txt
Files in scope
| File | SLOC |
|---|---|
| pkg/sol/SeawaterAMM.sol | 396 |
| pkg/sol/OwnershipNFTs.sol | 117 |
| pkg/seawater/src/maths/sqrt_price_math.rs | 1239 |
| pkg/seawater/src/lib.rs | 925 |
| pkg/seawater/src/pool.rs | 490 |
| pkg/seawater/src/wasm_erc20.rs | 332 |
| pkg/seawater/src/maths/swap_math.rs | 316 |
| pkg/seawater/src/tick.rs | 220 |
| pkg/seawater/src/eth_serde.rs | 219 |
| pkg/seawater/src/maths/tick_math.rs | 191 |
| pkg/seawater/src/maths/bit_math.rs | 138 |
| pkg/seawater/src/error.rs | 133 |
| pkg/seawater/src/types.rs | 112 |
| pkg/seawater/src/maths/full_math.rs | 106 |
| pkg/seawater/src/position.rs | 91 |
| pkg/seawater/src/host_erc20.rs | 58 |
| pkg/seawater/src/maths/tick_bitmap.rs | 52 |
| pkg/seawater/src/maths/liquidity_math.rs | 37 |
| pkg/seawater/src/immutables.rs | 23 |
| pkg/seawater/src/maths/utils.rs | 11 |
| pkg/seawater/src/maths/mod.rs | 9 |
| pkg/seawater/src/maths/unsafe_math.rs | 9 |
| pkg/seawater/src/main.rs | 8 |
| pkg/seawater/src/permit2_types.rs | 8 |
| pkg/seawater/src/erc20.rs | 5 |
| pkg/seawater/src/events.rs | 3 |
| Total | 5248 |
Files out of scope
Any file not listed in the table above.
See also out_of_scope.txt
Scoping Q & A
General questions
| Question | Answer |
|---|---|
| ERC20 used by the protocol | Modern USDC (Arbitrum deployed) |
| Test coverage | N/A |
| ERC721 used by the protocol | None |
| ERC777 used by the protocol | None |
| ERC1155 used by the protocol | None |
| Chains the protocol will be deployed on | Superposition (Arbitrum Orbit chain) |
ERC20 token behaviors in scope
| Question | Answer |
|---|---|
| Missing return values | Out of scope |
| Fee on transfer | Out of scope |
| Balance changes outside of transfers | Out of scope |
| Upgradeability | Out of scope |
| Flash minting | In scope |
| Pausability | Out of scope |
| Approval race protections | Out of scope |
| Revert on approval to zero address | Out of scope |
| Revert on zero value approvals | Out of scope |
| Revert on zero value transfers | Out of scope |
| Revert on transfer to the zero address | Out of scope |
| Revert on large approvals and/or transfers | Out of scope |
| Doesn't revert on failure | Out of scope |
| Multiple token addresses | Out of scope |
| Low decimals ( < 6) | In scope |
| High decimals ( > 18) | In scope |
| Blocklists | Out of scope |
External integrations (e.g., Uniswap) behavior in scope:
| Question | Answer |
|---|---|
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | No |
| Upgradeability (e.g. Uniswap gets upgraded) | No |
EIP compliance checklist
N/A
Additional context
Main invariants
- Only the owner can modify their positions.
- Only valid tick ranges, and fee structures, are accessible.
- Users should be able to swap a reasonable amount determined by the appropriate conversion function.
- Users should receive a correct fee amount.
- We should follow Uniswap V3's math faithfully.
Attack ideas (where to focus for bugs)
- Fee taking for ticks is possibly incorrect. We have a deployment that initially had bad behaviour with delta that we suspect is the cause of the issue that we replicated locally, but we haven't verified if that's not the case.
- Can people swap more than they should be able?
- Does the position taking function take more than it should?
- Is it possible to brick a pool with low liquidity?
- Are our ticks correct?
All trusted roles in the protocol
| Role | Description |
|---|---|
| Operator | Controls access to the repo, and implementation addresses. |
| Emergency Council | Can shut the dapp down if needed. |
| NFT manager | Allows addresses to control their ownership of assets as a NFT. |
Describe any novel or unique curve logic or mathematical models implemented in the contracts:
Concentrated liquidity algorithms based on Uniswap.
Running tests
See pkg/README for a detailed explanation
Then run the following command:
https://github.com/code-423n4/2024-08-superposition
cd 2024-08-superposition/pkg
rustup target add wasm32-unknown-unknown
cargo install cargo-stylus
./tests.sh # this would test the rust files from the files in `tests`.
Some of the tests are expected to fail:
eli_incr_positionandincr_position_fee_growth_tickare issues that cropped up in production that we isolated by reproducing the remote state into our contracts. the production contract was deployed at one point with a change from the current version of this code that we believe may have contributed to causing this to happen.ethers_suite_uniswap_orchestrated_uniswap_twois possibly indicative of an issue. it needs investigation whether this is correct behaviour- We left these tests for researchers to pore through and hopefully identify the root cause, the team hasn't succeeded so far.
Miscellaneous
Employees of Superposition and employees' family members are ineligible to participate in this audit.
Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.