PoolTogether Aave v3 contest details
- $20,500 USDC main award pot
- $1,500 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts April 29, 2022 00:00 UTC
- Ends May 1, 2022 23:59 UTC
Resources
Contest Scope
This is a contest to evaluate the Aave V3 Yield Source contract for PoolTogether.
This contract adheres to the Yield Source Interface, which is a generic interface that allows a Yield Source Prize Pool to use an external contract to generate interest. As long as a contract supports the Yield Source Interface, it can be plugged into the Yield Source Prize Pool. This makes it easy to add new yield sources.
This contract also adheres to the ERC20 standard and mints tokens to the Prize Pool when users deposit into it. These tokens represent the share of deposits owned by a Prize Pool. Users can then withdraw their deposits from the Prize Pool and these shares are then burnt. This flow is illustrated in the following diagrams:
You can learn more about PoolTogether V4 and how the Yield Source Prize Pool works at the following links:
- Smart Contracts Overview
- Flow of Funds
- Yield Source Prize Pool Documentation
- Yield Source Prize Pool Contract
To learn more about Aave V3, you can read the documentation here:
Only the following contract is part of the audit scope:
| Contract Name | Source Lines of Code | Libraries | External Calls |
|---|---|---|---|
| AaveV3YieldSource | ~200 sLoC | OpenZeppelin, Manageable | Aave V3 Pool, Aave V3 RewardsController |
Areas of Concern
The main areas of concern are the following:
- is the unlimited approval of the Aave V3 Pool contract safe? Focus on the following line and the functions
decreaseERC20AllowanceandincreaseERC20Allowance. - are the shares being calculated correctly? Focus on the
_tokenToSharesand_sharesToTokenfunctions. Keep in mind that aTokens’ value is pegged to the value of the corresponding supplied asset at a 1:1 ratio. - is the minting and burning of shares being done correctly? Focus on the
supplyTokenToandredeemTokenfunctions. - is there any reentrancy attack possible? Focus on the functions to withdraw and deposit.
- are functions being restricted correctly in term of ownership and managership?
Gas Optimization
When suggesting gas optimizations, please run the yarn test command and write down the improvement in gas usage in your report. Don't forget to set the REPORT_GAS environment variable to true in order to generate the gas report.
Contact
If you have any questions, don't hesitate to reach out to us on the C4 Discord channel setup for this contest.