- Start date: 26 Feb 2025
- End date: 3 Mar 2025
- Total awards: $5,000 in USDC
- Duration: 5 days
Liquid Ron Mitigation Review
- Total Prize Pool: $5,000 in USDC
- Warden awards: $3,750 in USDC
- Judge awards: $1,000 in USDC
- Scout awards: $250 in USDC
- Warden guidelines for C4 mitigation reviews
- Starts February 26, 2025 20:00 UTC
- Ends March 3, 2025 20:00 UTC
Important notes
Each warden must submit a mitigation review for every individual item listed in the Scope
section below. Incomplete mitigation reviews will not be eligible for awards.
❗️Update: February 28, 2025
A new commit was pushed to the Liquid Ron repo on February 28, 2025 20:03 UTC to add some logging data on a contract -- specifically, tracking the timestamp of delegation action.
C4's team had reviewed the commit and as it did not appear to interact with any existing code, we have made an exception to our code freeze requirement.
Findings being mitigated
Mitigations of all High and Medium issues will be considered in-scope and listed here.
- F-3: The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, which can cause a loss for new depositors
- F-23: Operators are unable to perform any actions due to an incorrect modifier implementation
- F-10: A user can earn rewards by frontrunning the new rewards accumulation in Ron staking without actually delegating their tokens
Mitigations of these additional issues will also be considered in-scope:
- F-18: `_checkUserCanReceiveRon` does not guarantee that the user can receive RON
- F-25: The `LiquidRon` vault can be bricked permanently, locking away all `WRON` assets
- F-2: Proxies cannot be removed, which can cause `LiquidRon.pruneValidatorList`, `LiquidRon.getTotalStaked`, and `LiquidRon.getTotalRewards` calls to revert due to out of gas
- F-45: Validator stake count is not updated in `ValidatorTracker`
- F-32: Wrong event emission in the redeem function
- F-156: `validatorIndex` is not cleared when removing a validator
- F-22: Unnecessary loop could lead to DoS because too much gas is needed
- F-1: The paused vault can still receive deposits from the user
- F-17: Locked funds
- F-27: Reentrancy in `_checkUserCanReceiveRon` can be exploited by a malicious operator
- S-736: QA Report - Low 4 (Inefficient view functions for large datasets)
- Various QA items (listed in scope table below, i.e. ADD-01 through ADD-04)
Overview of changes
Note that the findings F-17, F-27, and F-18 have all been fixed by omitting the `_checkUserCanReceiveRon` implementation and replacing it with the capability to specify a different receiver when performing withdrawal requests as well as deposits. These findings are grouped under the reference ID FX-1 in the Scope section below.
Scope
Branch
- Branch: https://github.com/OwlOfMoistness/liquid_ron/tree/ca4-mitigation
- Commits: https://github.com/OwlOfMoistness/liquid_ron/compare/main...ca4-mitigation
Mitigation of High & Medium Severity Issues
| Mitigation URL | Mitigation of | Purpose |
|---|---|---|
| Link | F-3 | Account for `operatorFeeAmount` in the `totalAssets()` calculation |
| Link | F-23 | Fix the bad operator modifier |
| Link | F-10 | Add a deposit fee that can be reset every period based on daily expected rewards |
Additional scope to be reviewed
These are additional changes that will be in scope.
| Mitigation URL | Reference ID | Purpose |
|---|---|---|
| Link | FX-1 | Update the withdrawal flow to add a changeable receiver |
| Link | F-25 | Replace validator data storage keyed by consensus addresses with IDs, which never change |
| Link | F-2 | Add a start index and a length so loops start at a specific validator and process a bounded number of entries |
| Link | F-45 | QA: remove unused mapping |
| Link | F-32 | Fix wrong event emission |
| Link | F-156 | Clear `validatorIndex` when removing a validator |
| Link | F-22 | Remove the for loop |
| Link | F-1 | Prevent native deposits when paused |
| Link | S-736: Low-4* | Improve `getTotalStaked()` to avoid recomputing state on each call by tracking it internally |
| Link 1, Link 2 | ADD-01 | QAs: `getValidator` function, payable withdraw RON, remove `_checkIfPaused`, immutable proxy variable, check src/dst in proxy, remove dead code, payable deposit takes a receiver parameter |
| Link | ADD-02 | Fix test |
| Link | ADD-03 | Add forge lib |
| Link | ADD-04 | Add `periodStart` variable for external data tracking |

*Note: the commit title incorrectly mentions S-726.
Out of Scope
All known issues listed in the preceding audit's repo are considered known issues and out of scope.