- Start date: 2 Apr 2025
- End date: 11 Apr 2025
- Total awards: $15,000 in USDC
- Duration: 9 days
BitVault audit details
- Total Prize Pool: $15,000 in USDC
- HM awards: up to $10,500 USDC
- If no valid Highs or Mediums are found, the HM pool is $0
- Judge awards: $2,500 in USDC
- Validator awards: $1,500 USDC
- Scout awards: $500 in USDC
- Read our guidelines for more details
- Starts April 2, 2025 20:00 UTC
- Ends April 11, 2025 20:00 UTC
Note re: risk level upgrades/downgrades
Two important notes about judging phase risk adjustments:
- High- or Medium-risk submissions downgraded to Low-risk (QA) will be ineligible for awards.
- Upgrading a Low-risk finding from a QA report to a Medium- or High-risk finding is not supported.
As such, wardens are encouraged to select the appropriate risk level carefully during the submission phase.
Automated Findings / Publicly Known Issues
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Out-of-Scope Considerations
- The owner's keys could get compromised. Any key management is out of scope.
- The Chainlink oracle could be compromised or faulty, which would also be out of scope.
Publicly Known Issues
Any issues that have been marked as acknowledged in the original forked repository of Popcorn-Limited/bvusd, as well as in liquity/bold, should be considered out-of-scope. Specifically:
- Any public issue in the Liquity repository, including wontfix issues
- Any known issue in the bvusd repository
If the impact of a previously acknowledged issue has been escalated adequately due to the delta introduced by the BitVault team, it may be considered in-scope for the contest.
Overview
The code of the BitVault project is a Liquity V2 fork introducing the following features:
- Dynamic Collateral Registry
- Whitelist Enforcement
- Configurable Collateral Ratios & Liquidation Configurations
- Shutdown Capability for Protocol Token Owner
Links
- Previous audits:
-- ChainSecurity Audit Report
-- Coinspect Audit Report
-- Dedaub Audit Report Round I
-- Dedaub Audit Report Round II
- Documentation: https://github.com/Popcorn-Limited/bvusd/blob/main/README.md
- Website: https://www.bitvault.finance/
- X/Twitter: https://x.com/BitVaultFinance
Scope
Files in scope
See scope.txt
Files out of scope
See out_of_scope.txt
Scoping Q & A
Question | Answer |
---|---|
ERC20 used by the protocol | WBTC, WETH |
Test coverage | 99% (% Lines), 98.5% (% Functions) |
ERC721 used by the protocol | None |
ERC777 used by the protocol | None |
ERC1155 used by the protocol | None |
Chains the protocol will be deployed on | Arbitrum, Ethereum, Optimism |
ERC20 token behaviors in scope
External integrations (e.g., Uniswap) behavior in scope:
Question | Answer |
---|---|
Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
Pausability (e.g. Uniswap pool gets paused) | No |
Upgradeability (e.g. Uniswap gets upgraded) | No |
EIP compliance checklist
N/A
Additional context
Main invariants
Any invariants outlined in the original Popcorn-Limited/bvusd and liquity/bold repositories are considered to be inherited by the BitVault implementation.
Attack ideas (where to focus for bugs)
The main questions that are of concern are:
- Can whitelists be circumvented somehow?
- Could whitelist additions brick the original logic in any way?
We would also like to know whether changing configuration values after deployment could cause any issues. Specifically, we are not interested in economic issues caused by a misconfiguration, but rather in actual code / state issues, such as the code not being able to handle a variable update.
All trusted roles in the protocol
Role | Description |
---|---|
Owner | Will be isolated in a 7/8 multisig |
Describe any novel or unique curve logic or mathematical models implemented in the contracts:
N/A
Running tests
To set up the project, make sure you have foundry installed and then execute:

```shell
git clone https://github.com/code-423n4/2025-04-bitvault
cd 2025-04-bitvault/contracts
forge install
```

To run tests:

```shell
forge test
```
To run code coverage:
```shell
sudo apt-get install lcov
forge coverage --report lcov
lcov --remove lcov.info 'test/*' 'script/*' -o lcov_filtered.info
lcov --extract lcov_filtered.info \
  "src/CollateralRegistry.sol" \
  "src/StabilityPool.sol" \
  "src/BorrowerOperations.sol" \
  "src/AddressesRegistry.sol" \
  "src/Dependencies/LiquityBase.sol" \
  "src/TroveManager.sol" \
  -o lcov_scope.info
lcov --list lcov_scope.info
```
Coverage Report
Filename | Lines | Functions |
---|---|---|
AddressesRegistry.sol | 96.0% (101) | 100% (7) |
BorrowerOperations.sol | 98.4% (621) | 97.3% (74) |
CollateralRegistry.sol | 99.2% (126) | 95.0% (20) |
Dependencies/LiquityBase.sol | 100% (36) | 100% (9) |
StabilityPool.sol | 99.5% (196) | 100% (28) |
TroveManager.sol | 99.7% (672) | 100% (63) |
Total: | 99.0% (1752) | 98.5% (201) |
Miscellaneous
Employees of BitVault and employees' family members are ineligible to participate in this audit.
Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.