├── .env.example ├── .github ├── ISSUE_TEMPLATE │ └── review-request.yml └── workflows │ └── validation.yml ├── .gitignore ├── .prettierignore ├── .prettierrc ├── README.md ├── erc4626 ├── AaveV3.md ├── BeefyWrapperReview.md ├── EVKVaulteAUSD-2Erc4626VaultReview.md ├── EVKVaulteUSDC-2Erc4626VaultReview.md ├── EVKVaulteUSDt-3Erc4626VaultReview.md ├── EVKVaultesavUSD-2Erc4626VaultReview9cb8.md ├── EVKVaultesavUSD-3Erc4626VaultReview.md ├── EulerVault.md ├── FluidVaults.md ├── MorphoVaults │ ├── V1-Incompatible-Gauntlet.md │ ├── V1-incompatible-Steakhouse.md │ ├── V1.1 Gauntlet.md │ ├── V1.1-Ionic.md │ ├── V1.1-Seamless.md │ ├── V1.1-Spark.md │ └── V1.1-Steakhouse.md ├── SiloV2Review.md ├── StakedinfiniFiUSDErc4626VaultReviewc704.md ├── StatATokenV2Review.md ├── StaticATokenLMAvalonReview.md ├── SuperformSuperVaultReview.md ├── VarlamoreSErc4626VaultReview7359.md ├── VarlamoreUSDCGrowthErc4626VaultReview2127.md ├── VarlamorescUSDErc4626VaultReviewb07d.md ├── VicunaReview.md ├── WrappedAaveOptimism AAVEErc4626VaultReviewe14e.md ├── WrappedAaveOptimism DAIErc4626VaultReview6f04.md ├── WrappedAaveOptimism LINKErc4626VaultReview4239.md ├── WrappedAaveOptimism LUSDErc4626VaultReviewdb45.md ├── WrappedAaveOptimism OPErc4626VaultReviewa908.md ├── WrappedAaveOptimism SUSDErc4626VaultReview6780.md ├── WrappedAaveOptimism USDCErc4626VaultReview1944.md ├── WrappedAaveOptimism USDCnErc4626VaultReview3e4a.md ├── WrappedAaveOptimism USDTErc4626VaultReviewab63.md ├── WrappedAaveOptimism WBTCErc4626VaultReview13a5.md ├── WrappedAaveOptimism WETHErc4626VaultReview86b0.md ├── WrappedAaveOptimism rETHErc4626VaultReview47b5.md ├── WrappedAaveOptimism wstETHErc4626VaultReview2b8e.md ├── WrappedExtraFiX Base USDCErc4626VaultReview8e16.md ├── WrappedExtraXBase USRErc4626VaultReview1483.md ├── registry.json ├── sDaiReview.md └── template.md ├── hooks ├── AkronWeightedLVRFeeHook.md ├── DirectionalFeeHook.md ├── ExitFeeHook.md ├── FeeTakingHook.md ├── LotteryHook.md ├── MevTaxHook.md ├── 
StableSurge.md ├── StableSurgeHookV2.md ├── registry.json └── template.md ├── package-lock.json ├── package.json ├── rate-providers ├── API3RateProvider.md ├── AffineLiquidRestakingRateProvider.md ├── AffineLiquidRestakingRateProviders.md ├── AngleStakedUSDARateProvider.md ├── AnkrETHRateProvider.md ├── BalancerRateProvider_USDF.md ├── BalancerRateProxy_uniETH.md ├── BeefyEscrowedSonic.md ├── BeefyUsdcSiloRateprovider.md ├── BlraSdaiRateProvider.md ├── ChainLinkRateProvider.md ├── CombinedRateProvider.md ├── ConstantRateProvider.md ├── DSRRateProvider.md ├── ETHxRateProvider.md ├── EVKVaulteAUSD-2RateProviderReview.md ├── EVKVaulteUSDC-2RateProviderReview.md ├── EVKVaulteUSDt-3RateProviderReview.md ├── EVKVaultesavUSD-2RateProviderReview911d.md ├── EVKVaultestS-5RateProviderReview534e.md ├── EulerWrappedRateprovider.md ├── FluidRateProviders.md ├── FraxtalPriceFeedProvider.md ├── GGAVAXRateProvider.md ├── GTokenRateProvider.md ├── GravitaRateProviders.md ├── HighGrowthEthRateProvider.md ├── HinkalEthRateProvider.md ├── InceptionLRTArbitrum.md ├── InceptionLRTRateProvider.md ├── InceptionLRTRateProvider_2.md ├── KernelRateProviders.md ├── LegacyReview.md ├── LoopRateProvider.md ├── MagpieMstETHRateProvider.md ├── MagpieMswETHRateProvider.md ├── MarketRateTransformerRateProviders.md ├── MellowRateProviders.md ├── MevEthRateProvider.md ├── MorphoERC4626RateProviders.md ├── OrbEthRateProvider.md ├── PlsRdntTokenV2.md ├── PufEthRateProvider.md ├── PythAggregatorRateProvider.md ├── QueenRateProvider.md ├── RateProvider_wFRK.md ├── ResolvLiquidityProviderTokenRateProvider.md ├── RingsStakedRateprovider.md ├── SavingsDAIRateProvider.md ├── SavingsDAIRateProviderGnosis.md ├── SiloWrappedRateprovider.md ├── SmardexRateProvider.md ├── SolvBTCAvalancheRateProviderReviewdf07.md ├── StakedFraxUSDRateProviderReview280f.md ├── StakedSonicRateprovider.md ├── StakedStreamUSDRateProviderReviewb0dc.md ├── StakedUSDaiRateProviderReview7289.md ├── StakedUTYRateProviderReview7bf6.md ├── 
StakedavUSDRateProviderReview.md ├── StakedavUSDRateProviderReviewd696.md ├── StakeddeUSDRateProviderReview.md ├── StakedinfiniFiUSDRateProviderReview1949.md ├── StakewiseOsTokenRateProviders.md ├── StakewiseRateProviderArbitrum.md ├── StakingLPUsdcRateProviderReview.md ├── StatATokenTestnetRateProvider.md ├── SuperformRateProviders.md ├── SyrupRateProvider.md ├── TBYRateProvider.md ├── TokemakRateProvider.md ├── TollgateChronicleRateProvider.md ├── TreehouseRateProvider.md ├── TruMaticRateProvider.md ├── UpshiftAvalancheAUSDRateProviderReview.md ├── VarlamoreSRateProviderReviewd14f.md ├── VarlamoreUSDCGrowthRateProviderReviewe757.md ├── VarlamorescUSDRateProviderReview54f5.md ├── VicunaWrapperRateprovider.md ├── WeETH.md ├── WeETHs.md ├── WrappedAaveOptimism AAVERateProviderReview5293.md ├── WrappedAaveOptimism DAIRateProviderReview30e0.md ├── WrappedAaveOptimism LINKRateProviderReview0258.md ├── WrappedAaveOptimism LUSDRateProviderReview1c70.md ├── WrappedAaveOptimism OPRateProviderReview985f.md ├── WrappedAaveOptimism SUSDRateProviderReview9da0.md ├── WrappedAaveOptimism USDCRateProviderReview880a.md ├── WrappedAaveOptimism USDCnRateProviderReviewb89f.md ├── WrappedAaveOptimism USDTRateProviderReview78b1.md ├── WrappedAaveOptimism WBTCRateProviderReview2eaa.md ├── WrappedAaveOptimism WETHRateProviderReview034f.md ├── WrappedAaveOptimism rETHRateProviderReview0735.md ├── WrappedAaveOptimism wstETHRateProviderReview70e0.md ├── WrappedExtraFiX Base USDCRateProviderReviewc321.md ├── WrappedExtraXBase USRRateProviderReview6fec.md ├── WrappedUsdPlusRateProvider.md ├── YieldFiyUSDRateProviderReview33e7.md ├── YieldFiyUSDRateProviderReview43cd.md ├── YieldNestRateProvider.md ├── YoVaultBTCRateProviderReviewfbc3.md ├── YoVaultETHRateProviderReview3d7a.md ├── YoVaultUSDRateProviderReview53ea.md ├── YyAvaxRateProvider.md ├── asETHRateProvider.md ├── cUSDOOpenEdenRateProvider.md ├── cdcEthRateProvider.md ├── eBTCRateProvider.md ├── ezETHRateProvider.md ├── 
ezETHRateProviderArbitrum.md ├── ezETHRateProviderMode.md ├── ezEigenRateProvider.md ├── genETHRateProvider.md ├── jitoSOLRateProvider.md ├── osEthRateProvider.md ├── rETHRateProvider.md ├── registry.json ├── rsETHRateProvider.md ├── rsETHRateProviderArbitrum.md ├── rsETHRateProviderOptimism.md ├── rsEthRateProviderPolygonZKEVM.md ├── rswethRateProvider.md ├── sDOLARateProvider.md ├── sFRAXRateProvider.md ├── sUSDERateProvider.md ├── sUSDERateProviderMainnet.md ├── sUSDSBaseRateProvider.md ├── sUSDXRateProvider.md ├── sUSDXRateProviderReview.md ├── sUSXRateProvider.md ├── sdeUSDRateProvider.md ├── st-yETHRateProvider.md ├── stAgEurRateProvider.md ├── stBTCRateProvider.md ├── stERNRateProvider.md ├── statATokenLMRateProvider.md ├── statATokenLMRateProviderAvalon.md ├── statATokenv2RateProvider.md ├── sveth.md ├── sweepRateProvider.md ├── template.md ├── wUSDKRateProvider.md ├── wUSDLPaxosRateProvider.md ├── wUSDMRateProvider.md ├── wUSDMRateProviderPyth.md ├── wanSonicRateprovider.md ├── woSonicRateprovider.md ├── wstethRateProvider.md ├── yUSDRateProvider.md ├── yUSDRateProviderArbitrum.md └── yUSDRateProviderBase.md ├── scripts ├── write-erc4626-review.ts └── write-review.ts ├── src ├── app.ts ├── erc4626App.ts ├── index.ts ├── services │ ├── etherscanApi.ts │ ├── hypernativeApi.ts │ └── index.ts ├── types │ ├── index.ts │ └── types.ts └── utils │ ├── abi │ ├── erc20.ts │ ├── erc4626.ts │ ├── index.ts │ └── rateProvider.ts │ ├── erc4626Template.ts │ ├── hypernative │ ├── rate-provider-rate-deviation.ts │ ├── rate-provider-rate-revert.ts │ └── rate-provider-upgrade.ts │ ├── index.ts │ ├── onchainCallHelpers.ts │ └── template.ts ├── test ├── erc4626schema.test.js └── schema.test.js └── tsconfig.json /.env.example: -------------------------------------------------------------------------------- 1 | ETHERSCAN_API_KEY= 2 | GNOSISSCAN_API_KEY= 3 | BASESCAN_API_KEY= 4 | OPTIMISM_SCAN_API_KEY= 5 | ARBITRUM_SCAN_API_KEY= 6 | FRAXSCAN_API_KEY= 7 | SNOWTRACE_API_KEY= 8 | 
SONICSCAN_API_KEY= 9 | 10 | TENDERLY_ACCOUNT_SLUG= 11 | TENDERLY_PROJECT_SLUG= 12 | TENDERLY_API_ACCESS_KEY= 13 | 14 | HYPERNATIVE_CLIENT_ID= 15 | HYPERNATIVE_CLIENT_SECRET= 16 | -------------------------------------------------------------------------------- /.github/workflows/validation.yml: -------------------------------------------------------------------------------- 1 | name: registry format validation 2 | on: 3 | pull_request: 4 | types: [opened, synchronize] 5 | jobs: 6 | lint: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - name: Checkout code 10 | uses: actions/checkout@v2 11 | - name: Install dependencies 12 | run: npm install 13 | - name: Validate registry format 14 | run: npm run test -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Dependency directories 3 | node_modules/ 4 | 5 | # Slither 6 | slither/ 7 | 8 | # Downloads 9 | contracts/ 10 | 11 | # Environment 12 | .env 13 | 14 | # Python 15 | python/venv/ 16 | # Environment files 17 | .env 18 | -------------------------------------------------------------------------------- /.prettierignore: -------------------------------------------------------------------------------- 1 | # Ignore all Markdown files: 2 | **/*.md 3 | 4 | # Ignore the settings 5 | tsconfig.json 6 | -------------------------------------------------------------------------------- /.prettierrc: -------------------------------------------------------------------------------- 1 | { 2 | "semi": false, 3 | "overrides": [ 4 | { 5 | "files": "*.sol", 6 | "options": { 7 | "bracketSpacing": false, 8 | "printWidth": 145, 9 | "tabWidth": 4, 10 | "useTabs": false, 11 | "singleQuote": false, 12 | "explicitTypes": "always" 13 | } 14 | }, 15 | { 16 | "files": "*.ts", 17 | "options": { 18 | "printWidth": 120, 19 | "tabWidth": 4, 20 | "singleQuote": true, 21 | "trailingComma": "all" 22 | } 23 | } 24 | ] 25 | } 
-------------------------------------------------------------------------------- /erc4626/AaveV3.md: -------------------------------------------------------------------------------- 1 | # ERC4626: `Aave V3` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - DAI: 8 | - [sepolia:0xDE46e43F46ff74A23a65EBb0580cbe3dFE684a17](https://sepolia.etherscan.io/address/0xDE46e43F46ff74A23a65EBb0580cbe3dFE684a17) 9 | - USDC: 10 | - [sepolia:0x8A88124522dbBF1E56352ba3DE1d9F78C143751e](https://sepolia.etherscan.io/address/0x8A88124522dbBF1E56352ba3DE1d9F78C143751e) 11 | - USDT: 12 | - [sepolia:0x978206fAe13faF5a8d293FB614326B237684B750](https://sepolia.etherscan.io/address/0x978206fAe13faF5a8d293FB614326B237684B750) 13 | - Audit report(s): 14 | - 15 | 16 | ## Context 17 | 18 | ## Review Checklist: Bare Minimum Compatibility 19 | 20 | ## Review Checklist: Common Findings 21 | 22 | ### Administrative Privileges 23 | 24 | ### Oracles 25 | 26 | ### Common Manipulation Vectors 27 | 28 | ## Additional Findings 29 | 30 | ## Conclusion 31 | **Summary judgment: SAFE** -------------------------------------------------------------------------------- /erc4626/EVKVaulteAUSD-2Erc4626VaultReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault eAUSD-2 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x2137568666f12fc5A026f5430Ae7194F1C1362aB](https://snowtrace.io/address/0x2137568666f12fc5A026f5430Ae7194F1C1362aB) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 
14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ### Administrative Privileges 23 | - [x] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/b044828b-1ddc-4c8c-8135-d0611ce74f98) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | Passing fork tests can be found here: https://github.com/balancer/balancer-v3-erc4626-tests/pull/49 30 | 31 | ** upgradeable in this context means that: 32 | - The contract is a proxy contract with an implementation sourced from Etherscan. 33 | 34 | -------------------------------------------------------------------------------- /erc4626/EVKVaulteUSDC-2Erc4626VaultReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault eUSDC-2 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 22/04/2025. 
6 | 7 | - Deployed at: 8 | - [Avalanche:0x39dE0f00189306062D79eDEC6DcA5bb6bFd108f9](https://snowtrace.io/address/0x39dE0f00189306062D79eDEC6DcA5bb6bFd108f9) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ### Administrative Privileges 23 | - [x] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. 
You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/2eeaa020-8fdf-48e7-9047-7bdcdac77d76) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | The passing tests can be found at: https://github.com/balancer/balancer-v3-erc4626-tests/pull/49 30 | 31 | ** upgradeable in this context means that: 32 | - The contract is a proxy contract with an implementation sourced from Etherscan. 33 | 34 | -------------------------------------------------------------------------------- /erc4626/EVKVaulteUSDt-3Erc4626VaultReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault eUSDt-3 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0xa446938b0204Aa4055cdFEd68Ddf0E0d1BAB3E9E](https://snowtrace.io/address/0xa446938b0204Aa4055cdFEd68Ddf0E0d1BAB3E9E) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ### Administrative Privileges 23 | - [x] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/00d9b551-2708-4c4c-9ecd-1e2433363ba7) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | The passing tests can be found at: https://github.com/balancer/balancer-v3-erc4626-tests/pull/49 30 | 31 | ** upgradeable in this context means that: 32 | - The contract is a proxy contract with an implementation sourced from Etherscan. 33 | 34 | -------------------------------------------------------------------------------- /erc4626/EVKVaultesavUSD-2Erc4626VaultReview9cb8.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault esavUSD-2 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x72F92a966f1874f74e1b601BEe7CF57031B53A03](https://snowtrace.io/address/0x72F92a966f1874f74e1b601BEe7CF57031B53A03) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 
14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ### Administrative Privileges 23 | - [x] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/a2fad089-d53c-45eb-affe-d35e725b78cd) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | Passing fork tests can be found here: https://github.com/balancer/balancer-v3-erc4626-tests/pull/49/files 30 | 31 | ** upgradeable in this context means that: 32 | - The contract is a proxy contract with an implementation sourced from Etherscan. 33 | 34 | -------------------------------------------------------------------------------- /erc4626/EVKVaultesavUSD-3Erc4626VaultReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault esavUSD-3 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 
6 | 7 | - Deployed at: 8 | - [Avalanche:0x5030183B3DD0105d69D7d45595C120Fc4b542EC3](https://snowtrace.io/address/0x5030183B3DD0105d69D7d45595C120Fc4b542EC3) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ### Administrative Privileges 23 | - [x] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. 
You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/2d6f2ed4-5bee-4031-b827-cedba11410ea) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | The passing fork tests can be found here: https://github.com/balancer/balancer-v3-erc4626-tests/pull/49/files 30 | 31 | ** upgradeable in this context means that: 32 | - The contract is a proxy contract with an implementation sourced from Etherscan. 33 | 34 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1-Incompatible-Gauntlet.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorpho` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [ethereum:https://etherscan.io/address/0x2371e134e3455e0593363cBF89d3b6cf53740618](https://etherscan.io/address/0x2371e134e3455e0593363cBF89d3b6cf53740618) 8 | 9 | - Audit report(s): 10 | - [Security Reviews & Formal Verifications](https://docs.morpho.org/security-reviews/) 11 | - [MetaMorpho Spearbit Audit](https://github.com/morpho-org/metamorpho/blob/main/audits/2023-11-14-metamorpho-cantina-managed-review.pdf) 12 | 13 | ## Context 14 | A 4626 Vault which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 
20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ## Review Checklist: Common Findings 23 | Each of the items below represents a common red flag found in Rate Provider contracts. 24 | 25 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 26 | 27 | ### Administrative Privileges 28 | - [ ] The ERC4626 Vault is upgradeable. 29 | - note: Upgradeability remarks for rate relevant aspects can be found in the corresponding rate provider review. 30 | 31 | ### Common Manipulation Vectors 32 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 33 | 34 | ## Additional Findings 35 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 36 | 37 | ## Conclusion 38 | **Summary judgment: UNUSABLE** 39 | 40 | The outlined ERC4626 Vaults will not work well with Balancer pools due to a flash loan incompatibility on Morpho Vaults. 
The Vaults implement the required interfaces with fork tests passing as can be seen at: 41 | - [Morpho's Gauntlet Weth](https://github.com/balancer/balancer-v3-erc4626-tests/blob/f6245bfe043759ea17d7282ada58871dc12f8fcc/test/mainnet/ERC4626MainnetMorphoGauntletWeth.t.sol#L20) 42 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1-incompatible-Steakhouse.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorpho` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [ethereum:https://etherscan.io/address/0xBEEF01735c132Ada46AA9aA4c54623cAA92A64CB](https://etherscan.io/address/0xBEEF01735c132Ada46AA9aA4c54623cAA92A64CB) 8 | - [ethereum:https://etherscan.io/address/0xbEef047a543E45807105E51A8BBEFCc5950fcfBa](https://etherscan.io/address/0xbEef047a543E45807105E51A8BBEFCc5950fcfBa) 9 | - [ethereum:https://etherscan.io/address/0xbEEFC01767ed5086f35deCb6C00e6C12bc7476C1](https://etherscan.io/address/0xbEEFC01767ed5086f35deCb6C00e6C12bc7476C1) 10 | - Audit report(s): 11 | - [Security Reviews & Formal Verifications](https://docs.morpho.org/security-reviews/) 12 | - [MetaMorpho Spearbit Audit](https://github.com/morpho-org/metamorpho/blob/main/audits/2023-11-14-metamorpho-cantina-managed-review.pdf) 13 | 14 | ## Context 15 | A 4626 Vault which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 16 | 17 | ## Review Checklist: Bare Minimum Compatibility 18 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 19 | 20 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 
21 | - [x] The required Vault implements the required operational ERC4626 Interface 22 | 23 | ## Review Checklist: Common Findings 24 | Each of the items below represents a common red flag found in Rate Provider contracts. 25 | 26 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 27 | 28 | ### Administrative Privileges 29 | - [ ] The ERC4626 Vault is upgradeable. 30 | - note: Upgradeability remarks for rate relevant aspects can be found in the corresponding rate provider review. 31 | 32 | ### Common Manipulation Vectors 33 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 34 | 35 | ## Additional Findings 36 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 37 | 38 | ## Conclusion 39 | **Summary judgment: UNUSABLE** 40 | 41 | The outlined ERC4626 Vaults will not work well with Balancer pools due to a flash loan incompatibility on Morpho Vaults. 
The Vaults implement the required interfaces with fork tests passing as can be seen at:- [Morpho's Steakhouse USDC](https://github.com/balancer/balancer-v3-erc4626-tests/blob/main/test/mainnet/ERC4626MainnetMorphoSteakhouseUSDC.t.sol) 42 | - [Morpho's Steakhouse USDT](https://github.com/balancer/balancer-v3-erc4626-tests/blob/main/test/mainnet/ERC4626MainnetMorphoSteakhouseUSDT.t.sol) 43 | - [Morpho's Steakhouse wUSDL](https://github.com/balancer/balancer-v3-erc4626-tests/blob/main/test/mainnet/ERC4626MainnetMorphoSteakhouseWUSDL.t.sol) 44 | 45 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1.1 Gauntlet.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorphoV1_1` 2 | 3 | ## Details 4 | - Reviewed by: @MattPereira 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [ethereum:https://etherscan.io/address/0x1e6ffa4e9F63d10B8820A3ab52566Af881Dab53c](https://etherscan.io/address/0x1e6ffa4e9F63d10B8820A3ab52566Af881Dab53c) 8 | - [ethereum:https://etherscan.io/address/0x701907283a57FF77E255C3f1aAD790466B8CE4ef](https://etherscan.io/address/0x701907283a57FF77E255C3f1aAD790466B8CE4ef) 9 | 10 | - Audit report(s): 11 | - [Security Reviews & Formal Verifications](https://github.com/morpho-org/metamorpho-v1.1/tree/main/audits) 12 | - [MetaMorpho Spearbit Audit](https://github.com/morpho-org/metamorpho/blob/main/audits/2023-11-14-metamorpho-cantina-managed-review.pdf) 13 | 14 | ## Context 15 | A 4626 Vault which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 16 | 17 | ## Review Checklist: Bare Minimum Compatibility 18 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
19 | 20 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 21 | - [x] The required Vault implements the required operational ERC4626 Interface 22 | 23 | ## Review Checklist: Common Findings 24 | Each of the items below represents a common red flag found in Rate Provider contracts. 25 | 26 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 27 | 28 | ### Administrative Privileges 29 | - [ ] The ERC4626 Vault is upgradeable. 30 | - note: Upgradeability remarks for rate relevant aspects can be found in the corresponding rate provider review. 31 | 32 | ### Buffer blocklist 33 | - [ ] The reviewed ERC4626 Vault should be added to the blocked buffers metadata list. 34 | 35 | ### Common Manipulation Vectors 36 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 37 | 38 | ## Additional Findings 39 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 40 | 41 | ## Conclusion 42 | **Summary judgment: USABLE** 43 | The outlined ERC4626 Vaults should work well with Balancer pools. The Vaults implement the required interfaces with fork tests passing as can be seen [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/9/files). 
44 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1.1-Ionic.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorphoV1_1` 2 | 3 | ## Details 4 | - Reviewed by: @mattpereira 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [base:0x5A32099837D89E3a794a44fb131CBbAD41f87a8C](https://basescan.org/address/0x5A32099837D89E3a794a44fb131CBbAD41f87a8C#code) 8 | - [base:0x23479229e52Ab6aaD312D0B03DF9F33B46753B5e](https://basescan.org/address/0x23479229e52Ab6aaD312D0B03DF9F33B46753B5e#code) 9 | - Audit report(s): 10 | - [Ionic Protocol Audits](https://doc.ionic.money/ionic-documentation/resources/audit) 11 | 12 | ## Context 13 | A 4626 Vault which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ## Review Checklist: Common Findings 22 | Each of the items below represents a common red flag found in Rate Provider contracts. 23 | 24 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 
25 | 26 | ### Administrative Privileges 27 | - [] The ERC4626 Vault is upgradeable. 28 | - note: Upgradeability remarks for rate relevant aspects can be found in the corresponding rate provider review. 29 | 30 | ### Buffer blocklist 31 | - [ ] The reviewed ERC4626 Vault should be added to the blocked buffers metadata list. 32 | 33 | ### Common Manipulation Vectors 34 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 35 | 36 | ## Additional Findings 37 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 38 | 39 | ## Conclusion 40 | **Summary judgment: USABLE** 41 | The outlined ERC4626 Vaults should work well with Balancer pools. The Vaults implement the required interfaces with fork tests passing as can be seen [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/14). 42 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1.1-Seamless.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorphoV1_1` 2 | 3 | ## Details 4 | - Reviewed by: @mattpereira 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [base:0x616a4E1db48e22028f6bbf20444Cd3b8e3273738](https://basescan.org/address/0x616a4e1db48e22028f6bbf20444cd3b8e3273738#code) 8 | - Audit report(s): 9 | - [Seamless Protocol Audits](https://github.com/seamless-protocol/audits) 10 | 11 | ## Context 12 | A 4626 Vault which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. 
If any of these is unchecked, the Rate Provider is unfit to use. 16 | 17 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 18 | - [x] The required Vault implements the required operational ERC4626 Interface 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 24 | 25 | ### Administrative Privileges 26 | - [ ] The ERC4626 Vault is upgradeable. 27 | - note: Upgradeability remarks for rate-relevant aspects can be found in the corresponding rate provider review. 28 | 29 | ### Buffer blocklist 30 | - [ ] The reviewed ERC4626 Vault should be added to the blocked buffers metadata list. 31 | 32 | ### Common Manipulation Vectors 33 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 34 | 35 | ## Additional Findings 36 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 37 | 38 | ## Conclusion 39 | **Summary judgment: USABLE** 40 | The outlined ERC4626 Vaults should work well with Balancer pools. The Vaults implement the required interfaces with fork tests passing as can be seen [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/14).
41 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1.1-Spark.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorphoV1_1` 2 | 3 | ## Details 4 | - Reviewed by: @mattpereira 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [base:0x7BfA7C4f149E7415b73bdeDfe609237e29CBF34A](https://basescan.org/address/0x7BfA7C4f149E7415b73bdeDfe609237e29CBF34A#code) 8 | - Audit report(s): 9 | - [\](\) 10 | 11 | ## Context 12 | A 4626 Vault which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 16 | 17 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 18 | - [x] The required Vault implements the required operational ERC4626 Interface 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 24 | 25 | ### Administrative Privileges 26 | - [] The ERC4626 Vault is upgradeable. 27 | - note: Upgradeability remarks for rate relevant aspects can be found in the corresponding rate provider review. 
28 | 29 | ### Buffer blocklist 30 | - [ ] The reviewed ERC4626 Vault should be added to the blocked buffers metadata list. 31 | 32 | ### Common Manipulation Vectors 33 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 34 | 35 | ## Additional Findings 36 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 37 | 38 | ## Conclusion 39 | **Summary judgment: USABLE** 40 | The outlined ERC4626 Vaults should work well with Balancer pools. The Vaults implement the required interfaces with fork tests passing as can be seen [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/14). 41 | -------------------------------------------------------------------------------- /erc4626/MorphoVaults/V1.1-Steakhouse.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `MetaMorpho` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [ethereum:0x7204B7Dbf9412567835633B6F00C3Edc3a8D6330](https://etherscan.io/address/0x7204B7Dbf9412567835633B6F00C3Edc3a8D6330) 8 | - [ethereum:0xbEeFc011e94f43b8B7b455eBaB290C7Ab4E216f1](https://etherscan.io/address/0xbEeFc011e94f43b8B7b455eBaB290C7Ab4E216f1) 9 | - [ethereum:0xA1b60d96e5C50dA627095B9381dc5a46AF1a9a42](https://etherscan.io/address/0xA1b60d96e5C50dA627095B9381dc5a46AF1a9a42) 10 | - [ethereum:0x30881Baa943777f92DC934d53D3bFdF33382cab3](https://etherscan.io/address/0x30881baa943777f92dc934d53d3bfdf33382cab3) 11 | - [ethereum:0x097FFEDb80d4b2Ca6105a07a4D90eB739C45A666](https://etherscan.io/address/0x097FFEDb80d4b2Ca6105a07a4D90eB739C45A666) 12 | - Audit report(s): 13 | - [Security Reviews & Formal Verifications](https://docs.morpho.org/security-reviews/) 14 | 15 | ## Context 16 | A 4626 Vault 
which wraps underlying tokens in MetaMorpho vaults in order for vault curators to earn liquidity providers additional yield on their assets. 17 | 18 | ## Review Checklist: Bare Minimum Compatibility 19 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 20 | 21 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults. 22 | - [x] The required Vault implements the required operational ERC4626 Interface 23 | 24 | ## Review Checklist: Common Findings 25 | Each of the items below represents a common red flag found in Rate Provider contracts. 26 | 27 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 28 | 29 | ### Administrative Privileges 30 | - [ ] The ERC4626 Vault is upgradeable. 31 | - note: Upgradeability remarks for rate-relevant aspects can be found in the corresponding rate provider review. 32 | 33 | ### Common Manipulation Vectors 34 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 35 | 36 | ## Additional Findings 37 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 38 | 39 | ## Conclusion 40 | **Summary judgment: USABLE** 41 | 42 | The outlined ERC4626 Vaults should work well with Balancer pools.
The Vaults implement the required interfaces with fork tests passing as can be seen at: 43 | -------------------------------------------------------------------------------- /erc4626/StakedinfiniFiUSDErc4626VaultReviewc704.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedinfiniFi USD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Ethereum:0xDBDC1Ef57537E34680B898E1FEBD3D68c7389bCB](https://etherscan.io/address/0xDBDC1Ef57537E34680B898E1FEBD3D68c7389bCB) 9 | - Audit report(s): 10 | - [Audits](https://docsend.com/view/s/fzxkp623yzeux7am?accessed_from_email_verification=true). The DocSend link requires an email verification, which the person opening it completes themselves. The audits were performed through Spearbit's Cantina. 11 | 12 | ## Context 13 | infiniFi is a self-coordinated depositor-driven system designed to tackle the challenges of duration 14 | gaps in traditional banking. Docs are available here: https://docsend.com/view/haj2zgnuaujy9bj6# 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 20 | - [x] The required Vault implements the required operational ERC4626 Interface 21 | 22 | ### Administrative Privileges 23 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 24 | - [ ] Other contracts which are part of the `mint` callchain are upgradeable**.
You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/1f15619c-03dd-4456-8361-64f7b837f366) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | Passing fork-tests can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/blob/main/test/mainnet/ERC4626MainnetsiUSD.t.sol). 31 | 32 | ** upgradeable in this context means that: 33 | - The contract is a proxy contract with an implementation sourced from Etherscan. 34 | 35 | -------------------------------------------------------------------------------- /erc4626/SuperformSuperVaultReview.md: -------------------------------------------------------------------------------- 1 | # ERC4626 Vault: `SuperVault` 2 | 3 | ## Details 4 | - Reviewed by: @mattpereira 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [ethereum:0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a](https://etherscan.io/address/0xF7DE3c70F2db39a188A81052d2f3C8e3e217822a#code) 8 | - [base:0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b](https://basescan.org/address/0xe9F2a5F9f3c846f29066d7fB3564F8E6B6b2D65b#code) 9 | - Audit report(s): 10 | - [SuperVaults Audits](https://github.com/superform-xyz/SuperVaults/tree/main/audits) 11 | 12 | ## Context 13 | A SuperVault manages multiple Superforms (Superform positions linked to vaults) and incorporates mechanisms for rebalancing, whitelisting, and deposit limits. SuperVault contracts delegate most of their core ERC-4626 vault functionality to the Yearn V3 TokenizedStrategy contract. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
17 | 18 | - [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ## Review Checklist: Common Findings 22 | Each of the items below represents a common red flag found in Rate Provider contracts. 23 | 24 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 25 | 26 | ### Administrative Privileges 27 | - [ ] The ERC4626 Vault is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 28 | 29 | ### Compatibility 30 | - [x] The reviewed ERC4626 Vault shall be used for swaps. 31 | - [x] The reviewed ERC4626 Vault shall be used to add and remove liquidity to pools using wrapped tokens. 32 | - [ ] The reviewed ERC4626 Vault shall be used to add and remove liquidity to pools using underlying tokens. 33 | 34 | ### Common Manipulation Vectors 35 | - [ ] The ERC4626 Vault is susceptible to donation attacks. 36 | 37 | ## Additional Findings 38 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 
39 | 40 | ## Conclusion 41 | **Summary judgment: USABLE** 42 | The outlined ERC4626 Vaults should work with Balancer pools, but they are not compatible with buffers: `testWithdraw` reverts with "too much loss". This is perhaps because SuperVaults leverage the Yearn v3 `TokenizedStrategy` contract, which requires profits to be unlocked gradually over time, making it difficult to guarantee immediate withdrawals at the expected share price. Fork tests can be seen [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/24) -------------------------------------------------------------------------------- /erc4626/VarlamoreSErc4626VaultReview7359.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: VarlamoreS rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0xDED4aC8645619334186f28B8798e07ca354CFa0e](https://sonicscan.org//address/0xDED4aC8645619334186f28B8798e07ca354CFa0e) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [ ] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**.
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/589d842c-d6f6-40a5-a699-242c12b070ef) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/VarlamoreUSDCGrowthErc4626VaultReview2127.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: VarlamoreUSDC Growth rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0xF6F87073cF8929C206A77b0694619DC776F89885](https://sonicscan.org//address/0xF6F87073cF8929C206A77b0694619DC776F89885) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [ ] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [ ] Other contracts which are part of the `mint` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f317b9d0-af02-400e-b792-7dbc72bdde64) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/VarlamorescUSDErc4626VaultReviewb07d.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: VarlamorescUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0xb6A23cB29e512Df41876B28D7A848BD831f9c5Ba](https://sonicscan.org//address/0xb6A23cB29e512Df41876B28D7A848BD831f9c5Ba) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [ ] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [ ] Other contracts which are part of the `mint` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/af65561e-7e63-4d20-af63-7c2e6502d25d) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism AAVEErc4626VaultReviewe14e.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism AAVE rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x527604E4D87A7562ec653dbe2878D0DCAB7f1972](https://optimistic.etherscan.io/address/0x527604E4D87A7562ec653dbe2878D0DCAB7f1972) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 
23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/d09063de-b2d3-4cca-b4b9-13e86bac5a27) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism DAIErc4626VaultReview6f04.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism DAI rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x61b620FAd391b53A2D0973b10a3Ed69558d5c66E](https://optimistic.etherscan.io/address/0x61b620FAd391b53A2D0973b10a3Ed69558d5c66E) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 
19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/cdfdcb9a-dee4-490c-b214-4a252d3460f1) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism LINKErc4626VaultReview4239.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism LINK rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0xC438643b0eee8a314eEC53eb8A1Ee6467C88fc24](https://optimistic.etherscan.io/address/0xC438643b0eee8a314eEC53eb8A1Ee6467C88fc24) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/cca97a41-83a3-47f1-ad84-f5fb756590b4) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism LUSDErc4626VaultReviewdb45.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism LUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x413093E03d6aeE4F2F7e48D4b88881bf4932b249](https://optimistic.etherscan.io/address/0x413093E03d6aeE4F2F7e48D4b88881bf4932b249) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. 
If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/6f3936ba-e2e8-4c01-80ab-eb01211b2171) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism OPErc4626VaultReviewa908.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism OP rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x712Ef4D78f43ecAfa106ea003704a908C99D7f11](https://optimistic.etherscan.io/address/0x712Ef4D78f43ecAfa106ea003704a908C99D7f11) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 
14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f6f81d00-dd87-47a3-893a-43600d01387b) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism SUSDErc4626VaultReview6780.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism SUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 
6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x0ec63A55a688E5Ba26afe8d9250114505E8b60a0](https://optimistic.etherscan.io/address/0x0ec63A55a688E5Ba26afe8d9250114505E8b60a0) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/ee80d66f-d5e3-4f3b-9cca-498ba47b5b44) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 
31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism USDCErc4626VaultReview1944.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism USDC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x0B590eF479c8e03825Ae779839aCb4583aCc15FD](https://optimistic.etherscan.io/address/0x0B590eF479c8e03825Ae779839aCb4583aCc15FD) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/eecd4e5f-7426-4895-b0e5-2d15abf5ed15) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism USDCnErc4626VaultReview3e4a.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism USDCn rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x41B334E9F2C0ED1f30fD7c351874a6071C53a78E](https://optimistic.etherscan.io/address/0x41B334E9F2C0ED1f30fD7c351874a6071C53a78E) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 
23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/1787b044-0f6b-45e5-aa5c-06dcb16fc7fb) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism USDTErc4626VaultReviewab63.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism USDT rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x927CfF131fD5B43FC992D071929b2c095d6E4b70](https://optimistic.etherscan.io/address/0x927CfF131fD5B43FC992D071929b2c095d6E4b70) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 
19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/21a779db-94b7-4316-bdcb-02fe2f40402c) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism WBTCErc4626VaultReview13a5.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism WBTC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0xEA9020a9e04C557478daD749A1aaD242b443042C](https://optimistic.etherscan.io/address/0xEA9020a9e04C557478daD749A1aaD242b443042C) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/0508496e-90e9-4fef-9d3c-e1c68e0c6565) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism WETHErc4626VaultReview86b0.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism WETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x464b808c2C7E04b07e860fDF7a91870620246148](https://optimistic.etherscan.io/address/0x464b808c2C7E04b07e860fDF7a91870620246148) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. 
If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/4e5630ba-c120-45e3-a605-04f21efc2988) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism rETHErc4626VaultReview47b5.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism rETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x8e6a81b9d541A0CeA090818B62C4B2DE7f2A2Cf7](https://optimistic.etherscan.io/address/0x8e6a81b9d541A0CeA090818B62C4B2DE7f2A2Cf7) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 
14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/49a3374c-eb3d-418b-bf7f-4c6d64a41e0c) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedAaveOptimism wstETHErc4626VaultReview2b8e.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism wstETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 
6 | 7 | - Deployed at: 8 | - [OP Mainnet:0xbaF95bB30CDab3d5b7a11B67EDeF5631bD62be86](https://optimistic.etherscan.io/address/0xbaF95bB30CDab3d5b7a11B67EDeF5631bD62be86) 9 | - Audit report(s): 10 | - [StataToken](https://github.com/bgd-labs/aave-v3-origin/blob/main/audits/2024-12-05_MixBytes_AaveStataToken(watoken)SecurityAuditReport.pdf) 11 | 12 | ## Context 13 | A 4626 Vault which wraps aTokens in order to translate the rebasing nature of yield accrual into a non-rebasing value accrual. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/6d4a3b5e-0ed4-489e-985d-2ff10ac01fe6) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 
31 | 32 | -------------------------------------------------------------------------------- /erc4626/WrappedExtraFiX Base USDCErc4626VaultReview8e16.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedExtraFi X Base USDC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 30/05/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x589A7339C6d0c8777E7429F57f2f95c069c37288](https://basescan.org/address/0x589A7339C6d0c8777E7429F57f2f95c069c37288) 9 | - Audit report(s): 10 | - [ExtraFi audits](https://github.com/ExtraFi/static-a-token-v3/tree/main/audits) 11 | 12 | ## Context 13 | Extrafi XLend is a smart lending protocol offering multi-accounts and advanced lending/borrowing strategies. In a long-term vision, XLend aims to be the liquidity layer empowering composable DeFi strategies. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/57325102-817e-4924-8199-6886171decc9) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | The passing fork tests can be found in this [pr](https://github.com/balancer/balancer-v3-erc4626-tests/pull/58) 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan. 32 | 33 | -------------------------------------------------------------------------------- /erc4626/WrappedExtraXBase USRErc4626VaultReview1483.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedExtraX Base USR rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 30/05/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x98eFe85735F253a0ed0Be8e2915ff39f9e4AfF0F](https://basescan.org/address/0x98eFe85735F253a0ed0Be8e2915ff39f9e4AfF0F) 9 | - Audit report(s): 10 | - [ExtraFi audits](https://github.com/ExtraFi/static-a-token-v3/tree/main/audits) 11 | 12 | ## Context 13 | Extrafi XLend is a smart lending protocol offering multi-accounts and advanced lending/borrowing strategies. In a long-term vision, XLend aims to be the liquidity layer empowering composable DeFi strategies. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 
19 | - [x] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [ ] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `mint` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/73adb81a-0f49-4671-bc42-952a42461a00) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | The passing fork tests can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/pull/58). 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan. 32 | 33 | -------------------------------------------------------------------------------- /hooks/AkronWeightedLVRFeeHook.md: -------------------------------------------------------------------------------- 1 | # Hook: `AkronWeightedLVRFeeHook` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @ 6 | - Deployed at: 7 | - [base:0xa45570815dbe7bf7010c41f1f74479be322d02bd](https://basescan.org/address/0xa45570815dbe7bf7010c41f1f74479be322d02bd#readContract) 8 | - [arbitrum:0xD221aFFABdD3C1281ea14C5781DEc6B0fCA8937E](https://arbiscan.io/address/0xd221affabdd3c1281ea14c5781dec6b0fca8937e) 9 | - Audit report(s): 10 | - No audits available. 11 | 12 | ## Context 13 | Fees are calculated based on current balances, weights and direction/size of the swap. 
14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | 17 | - [x] The returned `HookFlags` match the implemented hook functions 18 | 19 | ### Administrative Privileges 20 | 21 | ## Conclusion 22 | **Summary judgment: USABLE** 23 | 24 | -------------------------------------------------------------------------------- /hooks/DirectionalFeeHook.md: -------------------------------------------------------------------------------- 1 | # Hook: `Directional Fee` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [sepolia:0xD9e535a65eb38F962B84f7BBD2bf60293bA54058](https://sepolia.etherscan.io/address/0xcdF93FaB48405bb9df9c321b6306e701be6F9859) 8 | - Audit report(s): 9 | - 10 | 11 | ## Context 12 | 13 | ## Review Checklist: Bare Minimum Compatibility 14 | 15 | - [x] The returned `HookFlags` match the implemented hook functions 16 | 17 | ### Administrative Privileges 18 | 19 | ## Conclusion 20 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/ExitFeeHook.md: -------------------------------------------------------------------------------- 1 | # Hook: `Exit Fee` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [sepolia:0x2Aa9D4066DAe16ef001765efF2cA8F41Bde0b019](https://sepolia.etherscan.io/address/0x307d96183f133c738Af11D1971BF0A5ee15312be) 8 | - Audit report(s): 9 | - 10 | 11 | ## Context 12 | 13 | ## Review Checklist: Bare Minimum Compatibility 14 | 15 | - [x] The returned `HookFlags` match the implemented hook functions 16 | 17 | ### Administrative Privileges 18 | 19 | ## Conclusion 20 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/FeeTakingHook.md: -------------------------------------------------------------------------------- 1 | # Hook: `Fee Taking` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: 
@danielmkm 6 | - Deployed at: 7 | - [sepolia:0x790ae803b6c0467C6A4cbDc6d6d712DE34CfdB76](https://sepolia.etherscan.io/address/0x5c7FB0734d327ECeE2cA5cF2F5fE0f5Ff32dbf0b) 8 | - Audit report(s): 9 | - 10 | 11 | ## Context 12 | 13 | ## Review Checklist: Bare Minimum Compatibility 14 | 15 | - [x] The returned `HookFlags` match the implemented hook functions 16 | 17 | ### Administrative Privileges 18 | 19 | ## Conclusion 20 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/LotteryHook.md: -------------------------------------------------------------------------------- 1 | # Hook: `Lottery` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [sepolia:0x0E85194F9eD75F0EFf2b89B73b6AD3053be03853](https://sepolia.etherscan.io/address/0xb4b339a93B7E3D9B8266d52C96608F0615326B98) 8 | - Audit report(s): 9 | - 10 | 11 | ## Context 12 | 13 | ## Review Checklist: Bare Minimum Compatibility 14 | 15 | - [x] The returned `HookFlags` match the implemented hook functions 16 | 17 | ### Administrative Privileges 18 | 19 | ## Conclusion 20 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/MevTaxHook.md: -------------------------------------------------------------------------------- 1 | # Hook: `MevCaptureHook` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @ 6 | - Deployed at: 7 | - [sepolia:0xEC9578e79d412537095501584284B092D2F6b9F7](https://sepolia.etherscan.io/address/0xEC9578e79d412537095501584284B092D2F6b9F7#code) 8 | - [arbitrum:0x5B42eC6D40f7B7965BE5308c70e2603c0281C1E9](https://arbiscan.io/address/0x5B42eC6D40f7B7965BE5308c70e2603c0281C1E9#code) 9 | - [base:0x7a2535f5fb47b8e44c02ef5d9990588313fe8f05](https://basescan.org/address/0x7a2535f5fb47b8e44c02ef5d9990588313fe8f05#code) 10 | - 
[gnosis:0xa1D0791a41318c775707C56eAe247AF81a05322C](https://gnosisscan.io/address/0xa1D0791a41318c775707C56eAe247AF81a05322C) 11 | - [mainnet:0x1bcA39b01F451b0a05D7030e6e6981a73B716b1C](https://etherscan.io/address/0x1bcA39b01F451b0a05D7030e6e6981a73B716b1C) 12 | 13 | - Audit report(s): 14 | - [Certora audits](https://github.com/balancer/balancer-v3-monorepo/blob/main/audits/certora/2025-02-07.pdf) 15 | 16 | ## Context 17 | By implementing a fee that scales with priority fees, the system redistributes MEV profits that otherwise would go to the sequencer. Searchers still extract the same value, but instead of fees flowing solely to the sequencer, a portion is redirected to liquidity providers as tax revenue. 18 | 19 | ## Review Checklist: Bare Minimum Compatibility 20 | 21 | - [x] The returned `HookFlags` match the implemented hook functions 22 | 23 | ### Administrative Privileges 24 | 25 | ## Conclusion 26 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/StableSurge.md: -------------------------------------------------------------------------------- 1 | # Hook: `StableSurgeHook` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [sepolia:0x30CE53fA38a1399F0CA158b5c38362c80E423bA9](https://sepolia.etherscan.io/address/0x30CE53fA38a1399F0CA158b5c38362c80E423bA9) 8 | - [arbitrum:0x0Fa0f9990D7969a7aE6f9961d663E4A201Ed6417](https://arbiscan.io/address/0x0Fa0f9990D7969a7aE6f9961d663E4A201Ed6417#code) 9 | - [base:0xb2007B8B7E0260042517f635CFd8E6dD2Dd7f007](https://basescan.org/address/0xb2007B8B7E0260042517f635CFd8E6dD2Dd7f007#code) 10 | - [gnosis:0xe4f1878eC9710846E2B529C1b5037F8bA94583b1](https://gnosisscan.io/address/0xe4f1878eC9710846E2B529C1b5037F8bA94583b1#code) 11 | - [mainnet:0xb18fA0cb5DE8cecB8899AAE6e38b1B7ed77885dA](https://etherscan.io/address/0xb18fA0cb5DE8cecB8899AAE6e38b1B7ed77885dA#code) 12 | - Audit report(s): 13 | - [Certora 
audit](https://github.com/balancer/balancer-v3-monorepo/blob/main/audits/certora/2025-01-30.pdf) 14 | ## Context 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | 18 | - [x] The returned `HookFlags` match the implemented hook functions 19 | 20 | ### Administrative Privileges 21 | 22 | Functions that update sensitive pool state information, such as `setMaxSurgeFeePercentage` and `setSurgeThresholdPercentage`, are guarded behind administrative controls. 23 | 24 | ## Conclusion 25 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/StableSurgeHookV2.md: -------------------------------------------------------------------------------- 1 | # Hook: `StableSurgeHook` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: 6 | - Deployed at: 7 | - [sepolia:0x7dfca838fD5fCd70f876431D41CaA3E3E2ea1520](https://sepolia.etherscan.io/address/0x7dfca838fD5fCd70f876431D41CaA3E3E2ea1520) 8 | - [arbitrum:0x7c1b7A97BfAcD39975dE53e989A16c7BC4C78275](https://arbiscan.io/address/0x7c1b7A97BfAcD39975dE53e989A16c7BC4C78275#code) 9 | - [base:0xDB8d758BCb971e482B2C45f7F8a7740283A1bd3A](https://basescan.org/address/0xDB8d758BCb971e482B2C45f7F8a7740283A1bd3A#code) 10 | - [gnosis:0x90BD26fbb9dB17D75b56E4cA3A4c438FA7C93694](https://gnosisscan.io/address/0x90BD26fbb9dB17D75b56E4cA3A4c438FA7C93694#code) 11 | - [mainnet:0xBDbADc891BB95DEE80eBC491699228EF0f7D6fF1](https://etherscan.io/address/0xBDbADc891BB95DEE80eBC491699228EF0f7D6fF1#code) 12 | - [avalanche:0x86705Ee19c0509Ff68F1118C55ee2ebdE383D122](https://snowtrace.io/address/0x86705Ee19c0509Ff68F1118C55ee2ebdE383D122/contract/43114/code) 13 | - [optimism:0xF39CA6ede9BF7820a952b52f3c94af526bAB9015](https://optimistic.etherscan.io/address/0xF39CA6ede9BF7820a952b52f3c94af526bAB9015#code) 14 | - Audit report(s): 15 | - [Certora audit](https://github.com/balancer/balancer-v3-monorepo/blob/main/audits/certora/2025-01-30.pdf) 16 | 17 | ## Context 18 | 19 | ## Review 
Checklist: Bare Minimum Compatibility 20 | 21 | - [x] The returned `HookFlags` match the implemented hook functions 22 | 23 | ### Administrative Privileges 24 | 25 | Functions that update sensitive pool state information, such as `setMaxSurgeFeePercentage` and `setSurgeThresholdPercentage`, are guarded behind administrative controls. 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** -------------------------------------------------------------------------------- /hooks/template.md: -------------------------------------------------------------------------------- 1 | # Hook: `HookName` 2 | 3 | ## Details 4 | - Reviewed by: @ 5 | - Checked by: @ 6 | - Deployed at: 7 | - 8 | - Audit report(s): 9 | - 10 | 11 | ## Context 12 | 13 | ## Review Checklist: Bare Minimum Compatibility 14 | 15 | - [ ] The returned `HookFlags` match the implemented hook functions 16 | 17 | ### Administrative Privileges 18 | 19 | ## Conclusion 20 | **Summary judgment: USABLE / UNUSABLE** -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "code-review", 3 | "version": "1.0.0", 4 | "description": "A collection of smart contract code reviews performed upon friendly request.", 5 | "directories": { 6 | "test": "test" 7 | }, 8 | "scripts": { 9 | "test": "npx jest", 10 | "lint": "npx prettier --write 'rate-providers/registry.json'", 11 | "write-review": "ts-node scripts/write-review.ts", 12 | "write-erc4626-review": "ts-node scripts/write-erc4626-review.ts", 13 | "generate-agent": "ts-node scripts/create-agent.ts", 14 | "format": "npx prettier --write 'scripts/**/*.ts' 'src/**/*.ts'" 15 | }, 16 | "author": "", 17 | "license": "MIT", 18 | "dependencies": { 19 | "ajv": "^8.13.0" 20 | }, 21 | "devDependencies": { 22 | "@types/node": "^22.13.9", 23 | "dotenv": "^16.4.7", 24 | "jest": "^29.7.0", 25 | "prettier": "3.2.5", 26 | "ts-node": "^10.9.2", 27 | 
"typescript": "^5.8.2", 28 | "viem": "^2.23.7" 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /rate-providers/BlraSdaiRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `BlraSdaiRateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [gnosis:0xCCfE43E5853C87225948317379ffD910039f6A14](https://gnosisscan.io/address/0xCCfE43E5853C87225948317379ffD910039f6A14#code) 8 | - Audit report(s): 9 | - [No audits provided] 10 | 11 | ## Context 12 | This rate provider fetches the BRLA (Brazilian real) / USD exchange rate from a Chronicle Labs Oracle. It then divides by the `sDaiDaiRate` to calculate the `blraSdaiRate`. 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 16 | 17 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 18 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 
24 | 25 | ### Administrative Privileges 26 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 27 | 28 | - [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 29 | 30 | ### Oracles 31 | - [x] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 32 | - source: Chronicle Labs 33 | - source address: [ethereum:0xEB2F9EF61A2174A4066CB36E265Ea6D5Dd0ADCFe](https://gnosisscan.io/address/0xEB2F9EF61A2174A4066CB36E265Ea6D5Dd0ADCFe#code) 34 | - any protections? YES 35 | The oracle is based on a previous review. For more information see the [review](./TollgateChronicleRateProvider.md). 36 | 37 | - [x] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). The rate is based on an open market exchange rate of BRL/USD. 38 | 39 | ### Common Manipulation Vectors 40 | - [x] The Rate Provider is susceptible to donation attacks. For details see the [review](./SavingsDAIRateProviderGnosis.md). 41 | 42 | ## Additional Findings 43 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 44 | 45 | ## Conclusion 46 | **Summary judgment: USABLE** 47 | 48 | This rate provider is a combination of previously investigated rate providers, which were deemed usable. This investigated rate provider should work well with Balancer pools.
49 | -------------------------------------------------------------------------------- /rate-providers/ChainLinkRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: Rate Providers predating this repo 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: N.A. 6 | - Deployed at: 7 | See the `RateProviderCreated(address indexed rateProvider)` events emitted by the `ChainLinkRateProviderFactory` contracts deployed on 8 | - [Ethereum mainnet addresses](https://etherscan.io/address/0x1311Fbc9F60359639174c1e7cC2032DbDb5Cc4d1) 9 | - [Polygon mainnet addresses](https://polygonscan.com/address/0xa3b370092aeb56770B23315252aB5E16DAcBF62B#code) 10 | - [Arbitrum mainnet addresses](https://arbiscan.io/address/0x5DbAd78818D4c8958EfF2d5b95b28385A22113Cd#code) 11 | - [Optimism mainnet addresses](https://optimistic.etherscan.io/address/0x83E443EF4f9963C77bd860f94500075556668cb8) 12 | - [BSC mainnet addresses](https://bscscan.com/address/0x6817149cb753BF529565B4D023d7507eD2ff4Bc0#code) 13 | - [Gnosis mainnet addresses](https://gnosisscan.io/address/0xDB8d758BCb971e482B2C45f7F8a7740283A1bd3A#code) 14 | - [Avalanche mainnet addresses](https://snowtrace.dev/address/0x76578ecf9a141296Ec657847fb45B0585bCDa3a6/contract/43114/code) 15 | - [Polygon zkEVM mainnet addresses](https://zkevm.polygonscan.com/address/0x4132f7AcC9dB7A6cF7BE2Dd3A9DC8b30C7E6E6c8#code) 16 | - [Base mainnet addresses](https://basescan.org/address/0x0a973b6db16c2ded41dc91691cc347beb0e2442b#code) 17 | - [Goerli testnet addresses](https://goerli.etherscan.io/address/0xDB8d758BCb971e482B2C45f7F8a7740283A1bd3A#code) 18 | - [Sepolia testnet addresses](https://sepolia.etherscan.io/address/0xA8920455934Da4D853faac1f94Fe7bEf72943eF1#code) 19 | - Audit report(s): 20 | - N.A. 21 | 22 | ## Context 23 | ChainLink Rate Providers are Rate Providers that expose a Chainlink Pricefeed's data scaled to a fixed-point value with 18 decimals. 
24 | 25 | ## Review Checklist: Bare Minimum Compatibility 26 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 27 | 28 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 29 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 30 | 31 | ### Oracles 32 | - Chainlink Data Feeds provide data that is aggregated from many data sources by a [decentralized set of independent node operators](https://docs.chain.link/architecture-overview/architecture-decentralized-model?parent=dataFeeds). The Decentralized Data Model describes this in detail. However, there are some exceptions where data for a feed can come only from a single data source or where data values are calculated. 33 | 34 | ## Conclusion 35 | **Summary judgment: SAFE** 36 | 37 | Chainlink Rate Providers have been working well with Balancer pools for an extended amount of time. A specific review for the involved Rate Provider is not accessible as this review is applicable to all Chainlink Rate Providers. -------------------------------------------------------------------------------- /rate-providers/EVKVaulteAUSD-2RateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault eAUSD-2 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x392Eb09258cEC61C3f7278A4c855d6686202aF85](https://snowtrace.io/address/0x392Eb09258cEC61C3f7278A4c855d6686202aF85) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. 
Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/10577ea1-579f-4b8a-afb9-8bb9e5b46c0f) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 
32 | 33 | -------------------------------------------------------------------------------- /rate-providers/EVKVaulteUSDC-2RateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault eUSDC-2 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 22/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0xfEFCB3d15100f87911631f0A625bAf87dfFb8a5f](https://snowtrace.io/address/0xfEFCB3d15100f87911631f0A625bAf87dfFb8a5f) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 
24 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/48ce69a4-8e0d-4fed-ad60-dc1e56568032) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/EVKVaulteUSDt-3RateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault eUSDt-3 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x4e7cE59ccBF84fA0C1d012Ae2F86f990d324A038](https://snowtrace.io/address/0x4e7cE59ccBF84fA0C1d012Ae2F86f990d324A038) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/01803749-8fb4-455e-baee-180deb7e5782) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/EVKVaultesavUSD-2RateProviderReview911d.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault esavUSD-2 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x9062a576D3e6Cf6999e99e405608063033c4CFF6](https://snowtrace.io/address/0x9062a576D3e6Cf6999e99e405608063033c4CFF6) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. 
The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/c00e2fae-1af8-4ea6-b2e6-744860b3ad68) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/EVKVaultestS-5RateProviderReview534e.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: EVKVault estS-5 rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025. 
6 | 7 | - Deployed at: 8 | - [Sonic:0x0ff8189d1f1ab65b63bcd003c036d0fea79004da](https://sonicscan.org//address/0x0ff8189d1f1ab65b63bcd003c036d0fea79004da) 9 | - Audit report(s): 10 | - [EVK Audits](https://docs.euler.finance/security/audits) 11 | 12 | ## Context 13 | This rate provider combines the rate of two underlying rate providers. These rates can vary from any source on chain, as long as the IRateProvider interface is respected. For the purpose of these contracts and their respective factory, the intention is that only reviewed rate providers can be utilized in the CombinedRateProviderFactory to create a new rate when necessary. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f9521c70-1c40-48b6-8332-7e3f4aac13d0) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event.
31 | 32 | -------------------------------------------------------------------------------- /rate-providers/EulerWrappedRateprovider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `ERC4626RateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @franzns 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [sonic:0xad597fce59dbbd13bcd5bcc1a6fd654acfa92eff](https://sonicscan.org/address/0xad597fce59dbbd13bcd5bcc1a6fd654acfa92eff#code) 8 | - [sonic:0x7a5a8bece4c24c0c903f6adbc866a42c1799926d](https://sonicscan.org/address/0x7a5a8bece4c24c0c903f6adbc866a42c1799926d#code) 9 | - Audit report(s): 10 | - [EVK Audits](https://docs.euler.finance/security/audits) 11 | 12 | ## Context 13 | The ERC4626 Rate Provider fetches the rate of an Euler Market. The rate provider was created using the ERC4626 Rateprovider factory which calls convertToAssets on the ERC4626 to expose the rate. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ## Review Checklist: Common Findings 22 | Each of the items below represents a common red flag found in Rate Provider contracts. 23 | 24 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. 
A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 25 | 26 | ### Administrative Privileges 27 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 28 | 29 | - [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 30 | The Beacon is [here](https://sonicscan.org/address/0xf075cc8660b51d0b8a4474e3f47edac5fa034cfb#readContract) which can be upgraded by the [upgradeAdmin](https://sonicscan.org/address/0x9A75b862fD7fe841A946DC6850580b544988Ea70#code) which is a governor contract. The governor contract admin is: 31 | - admin address: [sonic:0x85678469e789fe90e051953b926b77d6e76cd571](https://sonicscan.org/address/0x85678469e789fe90e051953b926b77d6e76cd571#code) 32 | - admin type: multisig 33 | - multisig threshold/signers: 3/8 34 | - multisig timelock? Yes: 4 days 35 | 36 | 37 | ### Oracles 38 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 39 | 40 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 41 | 42 | ### Common Manipulation Vectors 43 | - [ ] The Rate Provider is susceptible to donation attacks. 44 | 45 | ## Conclusion 46 | **Summary judgment: SAFE** 47 | 48 | The Rate Providers should work well with Balancer pools. The underlying contracts have been audited. Computation of `totalAssets` does not rely on `balanceOf()` calls, and their audits also do not indicate any risk of a donation attack vector.
-------------------------------------------------------------------------------- /rate-providers/LegacyReview.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: Rate Providers predating this repo 2 | 3 | ## Details 4 | - Reviewed by: N.A. 5 | - Checked by: N.A. 6 | - Deployed at: 7 | - See the respective entry in `registry.json` 8 | - Audit report(s): 9 | - N.A. 10 | 11 | ## Context 12 | This repo was initially established in July 2023 to make the Rate Provider review process more accessible. However Rate Provider usage predates this repo and these Rate Providers do not have a review which is included here. For completeness purposes any Rate Provider that predates this review process is considered a "legacy Rate Provider" and will be linked to this review file as part of the `registry.json`. 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 16 | 17 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 18 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 
24 | 25 | ### Administrative Privileges 26 | - Legacy Rate Providers can have administrative privileges such as a proxy architecture or `onlyOwner` functions which could update the pricing data. An LP is encouraged to investigate the Rate Provider address in the `registry.json`. 27 | 28 | - Legacy Rate Providers & downstream involved contracts (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price) can be upgradeable. An LP is encouraged to investigate the whole pricing pipeline starting from the Rate Provider mentioned in the `registry.json`. 29 | 30 | ### Oracles 31 | - Legacy Rate Providers can have price data be provided by an off-chain source. (e.g., a Chainlink oracle, a multisig, or a network of nodes). An LP is encouraged to investigate the whole pricing pipeline starting from the Rate Provider mentioned in the `registry.json`. 32 | 33 | - Legacy Rate Providers can have volatile price data (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). An LP is encouraged to investigate the whole pricing pipeline starting from the Rate Provider mentioned in the `registry.json`. 34 | 35 | ### Common Manipulation Vectors 36 | - Legacy Rate Providers can be susceptible to donation attacks, where a token donation to any of the involved pricing pipeline contracts can result in rate changes. An LP is encouraged to investigate the whole pricing pipeline starting from the Rate Provider mentioned in the `registry.json`. 37 | 38 | ## Conclusion 39 | **Summary judgment: SAFE** 40 | 41 | Legacy Rate Providers have been working well with Balancer pools for an extended amount of time. A specific review for the involved Rate Provider is not accessible. 
-------------------------------------------------------------------------------- /rate-providers/LoopRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: LoopRateProvider 2 | 3 | ## Details 4 | - Reviewed by: @brunoguerios 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [ethereum:0x1f037c849CF2448d67A120543EA4ec3CE5A95FcA](https://etherscan.io/address/0x1f037c849CF2448d67A120543EA4ec3CE5A95FcA) 8 | - [Protocol Audits](https://docs.loopfi.xyz/extras/security) 9 | 10 | ## Context 11 | This rate provider works with a standard approach of `totalAssets/totalSupply`. 12 | 13 | ## Review Checklist: Bare Minimum Compatibility 14 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 15 | 16 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 17 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 18 | 19 | ## Review Checklist: Common Findings 20 | Each of the items below represents a common red flag found in Rate Provider contracts. 21 | 22 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 23 | 24 | ### Administrative Privileges 25 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 
26 | 27 | - [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 28 | 29 | ### Oracles 30 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 31 | 32 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 33 | 34 | ### Common Manipulation Vectors 35 | - [x] The Rate Provider is susceptible to donation attacks. 36 | 37 | Rate is calculated as `totalAssets/totalSupply`. If a user donates a large amount of `PoolV3` tokens to `StakingLPEth` contract, the rate will increase. This could be used to manipulate the rate in a way that benefits the attacker. 38 | ``` 39 | /** @dev See {IERC4626-totalAssets}. */ 40 | function totalAssets() public view virtual override returns (uint256) { 41 | return _asset.balanceOf(address(this)); 42 | } 43 | ``` 44 | 45 | ## Additional Findings 46 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 47 | 48 | No additional findings. 49 | 50 | ## Conclusion 51 | **Summary judgment: SAFE** 52 | 53 | 54 | -------------------------------------------------------------------------------- /rate-providers/ResolvLiquidityProviderTokenRateProvider.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: ResolvLiquidity Provider Token rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 22/05/2025. 
6 | 7 | - Deployed at: 8 | - [Ethereum:0x4017F109CF5583D68A6E213CC65f609Cd12791E6](https://etherscan.io/address/0x4017F109CF5583D68A6E213CC65f609Cd12791E6) 9 | - Audit report(s): 10 | - [Resolv audits](https://docs.resolv.xyz/litepaper/resources/security) 11 | 12 | ## Context 13 | RLP is an ERC20 token representing a share in the insurance pool of Resolv where the price is updated by a dedicated off-chain service. These updates are executed through a transaction signing process using Resolv's KMS, which means that the updates are performed by the EOA (externally owned account). The fundamental oracle updates the price every 24 hours. The price changes are limited between 0.45% and 0.5%, and there are built-in safeguards to enforce these strict lower and upper bounds. Depending on internal calculations and other factors, multiple price updates may occur within this period. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**.
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/2417c18d-4056-4a74-abb1-1e9f92b23034) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/SavingsDAIRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `SavingsDAIRateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @rabmarut 5 | - Checked by: @baileyspraggins 6 | - Deployed at: 7 | - [ethereum:0xc7177B6E18c1Abd725F5b75792e5F7A3bA5DBC2c](https://etherscan.io/address/0xc7177b6e18c1abd725f5b75792e5f7a3ba5dbc2c#code) 8 | - Audit report(s): 9 | - [ChainSecurity - Savings Dai](https://github.com/makerdao/sdai/blob/0377fa3a3e8af846f7511fb7cfe18c2e276e9dfa/audits/ChainSecurity_Oazo_Apps_Limited_Savings_Dai_audit_1.pdf) 10 | 11 | ## Context 12 | Savings DAI (`sDAI`) is a yield-bearing token representing `DAI` deposited in Maker's DAI Saving Rate (DSR) module. 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 16 | 17 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 18 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 
22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 24 | 25 | ### Administrative Privileges 26 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 27 | - [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 28 | 29 | ### Oracles 30 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 31 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 32 | 33 | ### Common Manipulation Vectors 34 | - [ ] The Rate Provider is susceptible to donation attacks. 35 | 36 | ## Additional Findings 37 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 38 | 39 | - N/A 40 | 41 | ## Conclusion 42 | **Summary judgment: SAFE** 43 | 44 | This is a highly minimal Rate Provider that queries the exchange rate directly from the `sDAI` token, which computes/queries it directly from the DAI Savings Rate (DSR) module. There are no privileges, upgradeability, or oracles anywhere in the system, and prices are fetched from verifiable on-chain data. 
The largest "threat" lies in MakerDAO's ability to set the Savings Rate, but this is hardly a threat at all. MakerDAO is one of the largest and longest-standing DAOs in DeFi, and the Savings Rate is fundamental in governing the `DAI` token. 45 | 46 | This Rate Provider sets the standard to which others should be measured. 47 | -------------------------------------------------------------------------------- /rate-providers/SolvBTCAvalancheRateProviderReviewdf07.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: SolvBTCAvalanche rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 14/05/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x41F21f6eE1742e15775efcf52e0ecFD2CE8309C2](https://snowtrace.io/address/0x41F21f6eE1742e15775efcf52e0ecFD2CE8309C2) 9 | - Audit report(s): 10 | - [SOLV audits](https://github.com/solv-finance/Audit/tree/main/Solv-Yield-Bearing-Tokens) 11 | 12 | ## Context 13 | SolvBTC is built to address these issues by unifying Bitcoin liquidity across multiple chains, serving as a universal Bitcoin reserve for DeFi users. It offers a flexible, yield-generating solution for Bitcoin holders who want to move their assets across blockchain ecosystems without dealing with fragmented liquidity or the risks tied to individually wrapped BTC assets. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 
20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/d6365e20-4fa0-438f-9ce5-7d8aa70763cd) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/StakedFraxUSDRateProviderReview280f.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedFrax USD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 20/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x91151ba698253e24c23a754d94f94049a17e8084](https://optimistic.etherscan.io/address/0x91151ba698253e24c23a754d94f94049a17e8084) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/dc8d0443-ebb1-454d-821b-c840fee0b580) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/StakedSonicRateprovider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `StakedSonicRateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @franzns 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [sonic:0xe5da20f15420ad15de0fa650600afc998bbe3955](https://sonicscan.org/address/0xe5da20f15420ad15de0fa650600afc998bbe3955#code) 8 | - Audits: 9 | - [Beets Staked Sonic Audits](https://github.com/beethovenxfi/sonic-staking/tree/main/audits) 10 | 11 | ## Context 12 | The Staked Sonic contract has the `getRate` function built in natively. It is a wrapper around a call to `convertToAssets(1e18)`. The rate reflects the conversion rate of 1e18 stS to S(onic). 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 16 | 17 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 18 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider!
If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 24 | 25 | ### Administrative Privileges 26 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 27 | 28 | - [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 29 | - [sonic:0xe5da20f15420ad15de0fa650600afc998bbe3955](https://sonicscan.org/address/0xe5da20f15420ad15de0fa650600afc998bbe3955#code) 30 | - upgradeable component: `StakedSonic` ([sonic:0xe5da20f15420ad15de0fa650600afc998bbe3955](https://sonicscan.org/address/0xe5da20f15420ad15de0fa650600afc998bbe3955#code)) 31 | - owner address: [sonic:0xf750f4E0813898C544A4349526206e1165F0E5d0](https://sonicscan.org/address/0xf750f4E0813898C544A4349526206e1165F0E5d0) 32 | - admin owner: [sonic:0x7B782A460Def196149f8369BdeC30e3f2F2356EB](https://sonicscan.org/address/0x7B782A460Def196149f8369BdeC30e3f2F2356EB) 33 | - admin type: Multisig 5/7 34 | - multisig timelock? Yes, 3 weeks. 35 | 36 | 37 | ### Oracles 38 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 39 | 40 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 41 | 42 | ### Common Manipulation Vectors 43 | - [ ] The Rate Provider is susceptible to donation attacks. 44 | 45 | ## Conclusion 46 | **Summary judgment: SAFE** 47 | 48 | The Rate Providers should work well with Balancer pools. The underlying contracts have been audited. 
Computation of `totalAssets` does not rely on `balanceOf()` calls, and the audits do not indicate any risk of a donation attack vector. -------------------------------------------------------------------------------- /rate-providers/StakedStreamUSDRateProviderReviewb0dc.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedStream USD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 29/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0xd802379b61aa58aaf1c845211599a307b5086c27](https://sonicscan.org//address/0xd802379b61aa58aaf1c845211599a307b5086c27) 9 | - Audit report(s): 10 | - [Code4Arena](https://docs.streamprotocol.money/security-audit.pdf) 11 | 12 | ## Context 13 | xUSD is a yield-bearing stablecoin. The rate provider uses an e oracle which tracks the rate growth against its underlying. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**.
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/715e1fe4-9b48-4e5f-9786-cf99af62527a) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/StakedUSDaiRateProviderReview7289.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedUSDai rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 16/05/2025. 6 | 7 | - Deployed at: 8 | - [Arbitrum One:0x76889a37f3E7E56b314c593Df5b749Ce86E9d828](https://arbiscan.io/address/0x76889a37f3E7E56b314c593Df5b749Ce86E9d828) 9 | - Audit report(s): 10 | - [Audits](https://docs.usd.ai/technical-overview/audits) 11 | 12 | ## Context 13 | USD.AI is a yield-bearing synthetic dollar backed by loans against AI hardware, compute, and DePIN assets. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/0655bf07-3ab3-4c58-96a8-2b684bbffaff) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/StakedUTYRateProviderReview7bf6.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedUTY rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 18/05/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x6Be2e71238e2000cBA004a38aceA357d14D7e081](https://snowtrace.io/address/0x6Be2e71238e2000cBA004a38aceA357d14D7e081) 9 | - Audit report(s): 10 | - [XSY audits](https://xsy-1.gitbook.io/xsy-main/audits) 11 | 12 | ## Context 13 | $UTY, also known as Unity, is a digital synthetic dollar (DSD). Unity is a delta-neutral asset and serves as the synthetic dollar at the center of XSY’s ecosystem of decentralized financial products. 14 | Whitelisted users can mint $UTY with various assets, starting with AVAX, which is used to construct the synthetic delta-neutral backing of $UTY. By using $UTY within XSY’s DeFi partners, like Pharaoh and Euler, users can earn a portion of the rewards available for early $UTY adopters. A synthetically delta-neutral asset is a financial position built using derivatives such that changes in the underlying asset price have little to no effect on the position's overall value. In Unity’s case, it works by splitting the collateral backing the assets into two offsetting positions: 15 | A long spot holding of the native protocol asset, e.g. AVAX, and 16 | A short of native protocol asset perpetual future.
17 | 18 | ## Review Checklist: Bare Minimum Compatibility 19 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 20 | 21 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 22 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 23 | 24 | ### Administrative Privileges 25 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 26 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 27 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/3a315674-4ec9-4912-9262-8cd90c5fee60) 28 | 29 | ## Conclusion 30 | **Summary judgment: USABLE** 31 | 32 | ** upgradeable in this context means that: 33 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 34 | 35 | -------------------------------------------------------------------------------- /rate-providers/StakedavUSDRateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedavUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 03/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0xEC21c3e82B89EC14d3dDF4beBD50f4B1bd52CFE6](https://snowtrace.io/address/0xEC21c3e82B89EC14d3dDF4beBD50f4B1bd52CFE6) 9 | - Audit report(s): 10 | - [Omniscia avUSD System Security Audit](https://omniscia.io/reports/avant-protocol-avusd-system-667c1e7026467900183ec9e9/) 11 | - [Avant Security](https://docs.avantprotocol.com/security/audits) 12 | 13 | ## Context 14 | The savUSD Rate provider pertains to the staking contract for Avant USD (avUSD). 
The staking contract has a cooldown or timelock that prevents atomic unstaking, meaning this asset cannot be used as a boosted type. 15 | The buffer has been [seeded](https://snowtrace.io/tx/0x27edceb760ed7fefade51de6d0091c31c2cf559cc748b7b5c947cd41b71fcf8a?chainid=43114) to remedy any security and integration concerns. The savUSD token will be used to provide LPs a yield-bearing stablecoin as a default swap path. 16 | 17 | ## Review Checklist: Bare Minimum Compatibility 18 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 19 | 20 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 21 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 22 | 23 | ### Administrative Privileges 24 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 25 | - [ ] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 26 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/6ae6e8f3-cda5-4869-b4da-bb1dccf6710c) 27 | 28 | ## Conclusion 29 | **Summary judgment: USABLE** 30 | 31 | ** upgradeable in this context means that: 32 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 33 | 34 | -------------------------------------------------------------------------------- /rate-providers/StakedavUSDRateProviderReviewd696.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedavUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 23/04/2025.
6 | 7 | - Deployed at: 8 | - [Avalanche:0xfa5D15F15bC1BeBf3B413d9373E27586ac799dB6](https://snowtrace.io/address/0xfa5D15F15bC1BeBf3B413d9373E27586ac799dB6) 9 | - Audit report(s): 10 | - [Euler audits](https://docs.euler.finance/security/overview/) 11 | 12 | ## Context 13 | The Euler Vault Kit (EVK) is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools. 14 | Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/6c88c216-b864-4c8a-a3fc-fd29ba5fa01a) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/StakeddeUSDRateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakeddeUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 04/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x7DB6B5bD0E9EAC1E050544f478961830cc676d30](https://snowtrace.io/address/0x7DB6B5bD0E9EAC1E050544f478961830cc676d30) 9 | - Audit report(s): 10 | - [Elixir Audits](https://docs.elixir.xyz/audit) 11 | 12 | ## Context 13 | sdeUSD uses an ERC4626 vault interface but includes a cooldown time for users to withdraw. Due to this feature, atomic deposits and withdrawals are not possible and this asset cannot be used in a boosted pool. The wrapped asset must be the only option for users to deposit and withdraw on the Balancer interface. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture).
23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/a5605aea-cf25-4ca6-8baf-127e5a6f4208) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/StakedinfiniFiUSDRateProviderReview1949.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakedinfiniFi USD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Ethereum:0x50a6dBB52D271b68D17b018a5b60f0d0EB711e67](https://etherscan.io/address/0x50a6dBB52D271b68D17b018a5b60f0d0EB711e67) 9 | - Audit report(s): 10 | - [Audits](https://docsend.com/view/s/fzxkp623yzeux7am?accessed_from_email_verification=true). The DocSend link requires an email verification, which the person opening it completes themselves. The audits were run through Spearbit Cantina. 11 | 12 | ## Context 13 | infiniFi is a self-coordinated depositor-driven system designed to tackle the challenges of duration 14 | gaps in traditional banking. Docs are available here: https://docsend.com/view/haj2zgnuaujy9bj6# 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface.
20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [ ] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/2d59ab51-5ca2-45f4-967a-b82fd2107d22) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/StakingLPUsdcRateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: StakingLPUsdc rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 04/04/2025. 6 | 7 | - Deployed at: 8 | - [Ethereum:0x7C40E25A57BC93ef7Ee3506F111D3E108f7Ae0a8](https://etherscan.io/address/0x7C40E25A57BC93ef7Ee3506F111D3E108f7Ae0a8) 9 | - Audit report(s): 10 | - [Loop Protocol Audits](https://docs.loopfi.xyz/extras/security) 11 | 12 | ## Context 13 | This rate provider works with a standard approach of totalAssets/totalSupply. This asset has a cooldown time for unlocking and should not be used as a buffer even though it appears to have an ERC4626 interface. Users can only deposit and withdraw using the wrapped token. 14 | 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [ ] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/dd80c75c-55f2-4af6-a24d-33dfc36077be) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/StatATokenTestnetRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `ERC4626RateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @mattpereira 5 | - Checked by: @mkflow27 6 | - Deployed at: 7 | - [sepolia:0xB1B171A07463654cc1fE3df4eC05f754E41f0A65](https://sepolia.etherscan.io/address/0xB1B171A07463654cc1fE3df4eC05f754E41f0A65) 8 | - [sepolia:0x22db61f3a8d81d3d427a157fdae8c7eb5b5fd373](https://sepolia.etherscan.io/address/0x22db61f3a8d81d3d427a157fdae8c7eb5b5fd373) 9 | - [sepolia:0x34101091673238545De8a846621823D9993c3085](https://sepolia.etherscan.io/address/0x34101091673238545De8a846621823D9993c3085) 10 | - Audit report(s): 11 | - [Scaffold Audits](https://github.com/balancer/scaffold-balancer-v3) 12 | 13 | ## Context 14 | Testnet rate providers for the static AAVE tokens that Balancer is using to test the boosted pools feature of the v3 contracts. 15 | 16 | ## Review
Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. @mendesfabio deployed these contracts 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ## Review Checklist: Common Findings 23 | Each of the items below represents a common red flag found in Rate Provider contracts. 24 | 25 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 26 | 27 | ### Administrative Privileges 28 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 29 | - [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 30 | 31 | ### Oracles 32 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 33 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 34 | 35 | ### Common Manipulation Vectors 36 | - [ ] The Rate Provider is susceptible to donation attacks. 
37 | 38 | ## Additional Findings 39 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 40 | 41 | 42 | ## Conclusion 43 | **Summary judgment: SAFE** 44 | 45 | These are only testnet rate providers with a spoof audit report link to allow for pool creation UI development that is reliant on `priceRateProviderData` returned by the `tokenGetTokens` query of the Balancer API -------------------------------------------------------------------------------- /rate-providers/UpshiftAvalancheAUSDRateProviderReview.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: UpshiftAvalanche AUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 04/04/2025. 6 | 7 | - Deployed at: 8 | - [Avalanche:0x06fF8A561Eabe71554fa44C727E76fCaa731F5ef](https://snowtrace.io/address/0x06fF8A561Eabe71554fa44C727E76fCaa731F5ef) 9 | - Audit report(s): 10 | - [Upshift Smart Contract Audits](https://docs.upshift.finance/architecture/smart-contract-audits) 11 | 12 | ## Context 13 | Upshift vaults direct funds to various underlying strategies for users to earn additional yields. The vaults appear to be ERC4626, but are not due to the required cooldown time before withdrawing. Therefore withdrawals are not atomic and this asset cannot be used for an ERC4626 buffer on Balancer. Users must deposit and withdraw using the wrapped token only. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f7ae03d4-1431-4308-ba23-1ab80ef6912f) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/VarlamoreSRateProviderReviewd14f.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: VarlamoreS rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0x0e686cf5430a5b67d6a8d28907d8f8f7b2046128](https://sonicscan.org//address/0x0e686cf5430a5b67d6a8d28907d8f8f7b2046128) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 
19 | - [ ] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/53674132-117c-4eaf-b551-bc226c990cd2) 25 | 26 | ## Conclusion 27 | **Summary judgment: UNUSABLE** 28 | Note: the `getRate` 18-decimal requirement in the checklist above is unchecked; per that checklist, any unchecked requirement makes the Rate Provider unfit to use. 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/VarlamoreUSDCGrowthRateProviderReviewe757.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: VarlamoreUSDC Growth rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0x7481373be81ad9bff00dfb03717cf9854a4ff077](https://sonicscan.org//address/0x7481373be81ad9bff00dfb03717cf9854a4ff077) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 
19 | - [ ] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 
23 | - [ ] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/09a40c6e-c5da-4961-95fc-aa4e02afd24b) 25 | 26 | ## Conclusion 27 | **Summary judgment: UNUSABLE** 28 | Note: the `getRate` 18-decimal requirement in the checklist above is unchecked; per that checklist, any unchecked requirement makes the Rate Provider unfit to use. 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/VarlamorescUSDRateProviderReview54f5.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: VarlamorescUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/05/2025. 6 | 7 | - Deployed at: 8 | - [Sonic:0x9fac714bfdd10090cafb49d002cfa82e83362ef5](https://sonicscan.org//address/0x9fac714bfdd10090cafb49d002cfa82e83362ef5) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [ ] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [ ] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/ba87adea-fe53-4529-9614-8f1ee00355f4) 25 | 26 | ## Conclusion 27 | **Summary judgment: UNUSABLE** 28 | Note: the `getRate` 18-decimal requirement in the checklist above is unchecked; per that checklist, any unchecked requirement makes the Rate Provider unfit to use. 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism AAVERateProviderReview5293.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism AAVE rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0xfde55e81434f05db33329b0896e60a989fa3ea65](https://optimistic.etherscan.io/address/0xfde55e81434f05db33329b0896e60a989fa3ea65) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/bd41ee6e-9054-4526-92b2-06dddf1480ec) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism DAIRateProviderReview30e0.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism DAI rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x0643b504c2fa33b7f98a99b92138d94d372998de](https://optimistic.etherscan.io/address/0x0643b504c2fa33b7f98a99b92138d94d372998de) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/d6153653-8c5d-4a21-b638-639ab81dcf74) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism LINKRateProviderReview0258.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism LINK rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x49b6bf1a81f25250c58f234a9e3ef5d88c7e0a2e](https://optimistic.etherscan.io/address/0x49b6bf1a81f25250c58f234a9e3ef5d88c7e0a2e) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/23897ae3-59c4-4669-8d51-33d9bf920889) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism LUSDRateProviderReview1c70.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism LUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x477b39f88dc5dda8b525060d4b4aed582f22add3](https://optimistic.etherscan.io/address/0x477b39f88dc5dda8b525060d4b4aed582f22add3) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/328efb08-145f-4857-8551-84a9655ddfad) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism OPRateProviderReview985f.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism OP rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x538fae4c3f76ccfe7cd4741fa669539cf31a7938](https://optimistic.etherscan.io/address/0x538fae4c3f76ccfe7cd4741fa669539cf31a7938) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/1c00155f-f40f-4c2e-9d81-f7332110a55c) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism SUSDRateProviderReview9da0.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism SUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x0e5dbd9cf65558e5709877dd1cec1e6acf233e05](https://optimistic.etherscan.io/address/0x0e5dbd9cf65558e5709877dd1cec1e6acf233e05) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/c56c70fd-58ab-4017-b231-5308328d2f62) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism USDCRateProviderReview880a.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism USDC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x1210697804380213844445f6e8a40593d8775b3d](https://optimistic.etherscan.io/address/0x1210697804380213844445f6e8a40593d8775b3d) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f43ce345-2e9f-4299-9bf4-35c73da72bc1) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism USDCnRateProviderReviewb89f.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism USDCn rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x2124372fb3f106a9753edf1c248eb1fd3fc72833](https://optimistic.etherscan.io/address/0x2124372fb3f106a9753edf1c248eb1fd3fc72833) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/8017990f-7282-4c97-96a2-7648289ea4aa) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism USDTRateProviderReview78b1.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism USDT rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x56AF1076b9baCe64A9CaCf366270d727BF874212](https://optimistic.etherscan.io/address/0x56AF1076b9baCe64A9CaCf366270d727BF874212) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/48d34e35-a652-4177-87ee-09311dd09c2d) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism WBTCRateProviderReview2eaa.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism WBTC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x52b6b1d3a52d0d294e41328b56b3b6323ce3f99d](https://optimistic.etherscan.io/address/0x52b6b1d3a52d0d294e41328b56b3b6323ce3f99d) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/41e5fcc0-e0bb-46bd-ad18-c27403d19a61) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism WETHRateProviderReview034f.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism WETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0x35B6B84cE756769338a7b9665c178Be001a1137C](https://optimistic.etherscan.io/address/0x35B6B84cE756769338a7b9665c178Be001a1137C) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/08d94bda-1c21-4109-bcea-df6fe0540329) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism rETHRateProviderReview0735.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism rETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 15/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0xdd4cac23a178d221d4ea159b9ce0697cae05081b](https://optimistic.etherscan.io/address/0xdd4cac23a178d221d4ea159b9ce0697cae05081b) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f43e1a44-9418-4e11-b960-b22284a8a375) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedAaveOptimism wstETHRateProviderReview70e0.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedAave Optimism wstETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 12/05/2025. 6 | 7 | - Deployed at: 8 | - [OP Mainnet:0xf6655d9F5C2060eF4836A067e61A78891F8fEB03](https://optimistic.etherscan.io/address/0xf6655d9F5C2060eF4836A067e61A78891F8fEB03) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/a35a0622-993f-4311-9db9-ecabbb1419a4) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedExtraFiX Base USDCRateProviderReviewc321.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedExtraFi X Base USDC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 30/05/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x2e40AcBBB710e04BeE940560Af0B0932018b67Ec](https://basescan.org/address/0x2e40AcBBB710e04BeE940560Af0B0932018b67Ec) 9 | - Audit report(s): 10 | - [ExtraFi audits](https://github.com/ExtraFi/static-a-token-v3/tree/main/audits) 11 | 12 | ## Context 13 | Extrafi XLend is a smart lending protocol offering multi-accounts and advanced lending/borrowing strategies. In a long-term vision, XLend aims to be the liquidity layer empowering composable DeFi strategies. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 
23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/4308397b-4633-4716-b3dc-3cb9cc05a12e) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/WrappedExtraXBase USRRateProviderReview6fec.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: WrappedExtraX Base USR rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 30/05/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x9caC674EADA0cfA8Fd6DD3ab4498E77E421A5a0B](https://basescan.org/address/0x9caC674EADA0cfA8Fd6DD3ab4498E77E421A5a0B) 9 | - Audit report(s): 10 | - [ExtraFi audits](https://github.com/ExtraFi/static-a-token-v3/tree/main/audits) 11 | 12 | ## Context 13 | Extrafi XLend is a smart lending protocol offering multi-accounts and advanced lending/borrowing strategies. In a long-term vision, XLend aims to be the liquidity layer empowering composable DeFi strategies. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 
20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/f8cbaf88-133e-4313-a2f6-4d2b424543fd) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/YieldFiyUSDRateProviderReview33e7.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: YieldFiyUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 02/05/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x2fb9fb5eB65c17B405c1B1c02bAE992D625B34c6](https://basescan.org/address/0x2fb9fb5eB65c17B405c1B1c02bAE992D625B34c6) 9 | - Audit report(s): 10 | - [audits](https://docs.yield.fi/resources/audits) 11 | 12 | ## Context 13 | YToken Vaults form the foundation of the YieldFi protocol, offering users tokenized exposure to sophisticated yield-generating strategies. Each YToken represents a proportional claim on the underlying assets plus accumulated yield, enabling users to earn returns while maintaining liquidity. 14 | We've crafted two distinct implementations to serve different blockchain environments: 15 | YToken (L1) - Our flagship implementation designed for Ethereum Mainnet, featuring full ERC4626 compliance and our innovative yield vesting mechanism that helps protect users from yield volatility. 16 | YTokenL2 - Our streamlined implementation tailored specifically for Layer 2 networks, utilizing oracle-based pricing to minimize gas costs while maintaining the core benefits of YTokens. 
17 | 18 | ## Review Checklist: Bare Minimum Compatibility 19 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 20 | 21 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 22 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 23 | 24 | ### Administrative Privileges 25 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 26 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 27 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/9dc90206-7f4b-4072-a61e-6b742c33294a) 28 | 29 | ## Conclusion 30 | **Summary judgment: USABLE** 31 | 32 | ** upgradeable in this context means that: 33 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 34 | 35 | -------------------------------------------------------------------------------- /rate-providers/YieldFiyUSDRateProviderReview43cd.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: YieldFiyUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 02/05/2025. 6 | 7 | - Deployed at: 8 | - [Arbitrum One:0x5b988aacf8aD14ce4b50C19676C234410135696E](https://arbiscan.io/address/0x5b988aacf8aD14ce4b50C19676C234410135696E) 9 | - Audit report(s): 10 | - [audits](https://docs.yield.fi/resources/audits) 11 | 12 | ## Context 13 | YToken Vaults form the foundation of the YieldFi protocol, offering users tokenized exposure to sophisticated yield-generating strategies. 
Each YToken represents a proportional claim on the underlying assets plus accumulated yield, enabling users to earn returns while maintaining liquidity. 14 | We've crafted two distinct implementations to serve different blockchain environments: 15 | YToken (L1) - Our flagship implementation designed for Ethereum Mainnet, featuring full ERC4626 compliance and our innovative yield vesting mechanism that helps protect users from yield volatility. 16 | YTokenL2 - Our streamlined implementation tailored specifically for Layer 2 networks, utilizing oracle-based pricing to minimize gas costs while maintaining the core benefits of YTokens. 17 | 18 | ## Review Checklist: Bare Minimum Compatibility 19 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 20 | 21 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 22 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 23 | 24 | ### Administrative Privileges 25 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 26 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 27 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/b9bfb722-0f29-4eb3-a3be-23c8d8ea441e) 28 | 29 | ## Conclusion 30 | **Summary judgment: USABLE** 31 | 32 | ** upgradeable in this context means that: 33 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 
34 | 35 | -------------------------------------------------------------------------------- /rate-providers/YoVaultBTCRateProviderReviewfbc3.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: yoVaultBTC rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 29/04/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x47fc979C519fA6c07D4dB6ab7B7573e20d94C5F9](https://basescan.org/address/0x47fc979C519fA6c07D4dB6ab7B7573e20d94C5F9) 9 | - Audit report(s): 10 | - [Yo audits](https://www.yo.xyz/files/Yo-Protocol-Hunter-Security-Audit-Report.pdf) & [Yo audits](https://www.yo.xyz/files/Yo-Protocol-Offbeat-Security-Review.pdf) 11 | 12 | ## Context 13 | The yoVault protocol is a robust, secure, and efficient smart contract system designed to streamline asset management across blockchain platforms. Built on the widely recognized ERC4626 standard, yoVault automates the optimization of user assets across various decentralized finance (DeFi) strategies and chains. This vault eliminates manual management by intelligently reallocating funds to ensure users consistently achieve optimal returns. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. 
You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/3757af6b-5d7c-4ba1-8715-eba38e65388e) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/YoVaultETHRateProviderReview3d7a.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: yoVaultETH rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 28/04/2025. 6 | 7 | - Deployed at: 8 | - [Base:0xB0027C1C870573d5626Df1f049a12E39d3e613e9](https://basescan.org/address/0xB0027C1C870573d5626Df1f049a12E39d3e613e9) 9 | - Audit report(s): 10 | - [Yo audits](https://www.yo.xyz/files/Yo-Protocol-Hunter-Security-Audit-Report.pdf) & [Yo audits](https://www.yo.xyz/files/Yo-Protocol-Offbeat-Security-Review.pdf) 11 | 12 | ## Context 13 | The yoVault protocol is a robust, secure, and efficient smart contract system designed to streamline asset management across blockchain platforms. Built on the widely recognized ERC4626 standard, yoVault automates the optimization of user assets across various decentralized finance (DeFi) strategies and chains. This vault eliminates manual management by intelligently reallocating funds to ensure users consistently achieve optimal returns. 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 
19 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/c9604c79-50ff-4178-9a99-fb503665f85b) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | -------------------------------------------------------------------------------- /rate-providers/YoVaultUSDRateProviderReview53ea.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: yoVaultUSD rate provider 3 | 4 | ## Details 5 | This report was autogenerated on 29/04/2025. 6 | 7 | - Deployed at: 8 | - [Base:0x8Cb017261719799f8b5A3762Ebe2b0e214F9a735](https://basescan.org/address/0x8Cb017261719799f8b5A3762Ebe2b0e214F9a735) 9 | - Audit report(s): 10 | - [Yo audits](https://www.yo.xyz/files/Yo-Protocol-Hunter-Security-Audit-Report.pdf) & [Yo audits](https://www.yo.xyz/files/Yo-Protocol-Offbeat-Security-Review.pdf) 11 | 12 | 13 | ## Context 14 | The yoVault protocol is a robust, secure, and efficient smart contract system designed to streamline asset management across blockchain platforms. Built on the widely recognized ERC4626 standard, yoVault automates the optimization of user assets across various decentralized finance (DeFi) strategies and chains. This vault eliminates manual management by intelligently reallocating funds to ensure users consistently achieve optimal returns. 
15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ### Administrative Privileges 23 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 24 | - [x] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 25 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/693d3544-0f3a-4c7b-9589-9f5b34fcc889) 26 | 27 | ## Conclusion 28 | **Summary judgment: USABLE** 29 | 30 | ** upgradeable in this context means that: 31 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 32 | 33 | -------------------------------------------------------------------------------- /rate-providers/sUSDERateProviderMainnet.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `EthenaBalancerRateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [ethereum:0x3A244e6B3cfed21593a5E5B347B593C0B48C7dA1](https://etherscan.io/address/0x3a244e6b3cfed21593a5e5b347b593c0b48c7da1#code) 8 | - Audit report(s): 9 | - [Ethena Audits](https://ethena-labs.gitbook.io/ethena-labs/resources/audits) 10 | 11 | ## Context 12 | The sUSDE Rate Provider on Mainnet reports the exchangeRate of USDe per sUSDe. The chosen approach calculates the rate by dividing total assets over total Supply. 
13 | ## Review Checklist: Bare Minimum Compatibility 14 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 15 | 16 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 17 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 18 | 19 | ## Review Checklist: Common Findings 20 | Each of the items below represents a common red flag found in Rate Provider contracts. 21 | 22 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 23 | 24 | ### Administrative Privileges 25 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 26 | 27 | - [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 28 | 29 | ### Oracles 30 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 31 | 32 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 33 | 34 | ### Common Manipulation Vectors 35 | - [x] The Rate Provider is susceptible to donation attacks. 
36 | 37 | Technically, any entity can donate the `asset()` - in this case USDe - to the USDe staking contract (sUSDE) to increase its `totalAssets()`. Ethena uses a donation as well to increase `totalAssets`. However, their approach is to smooth the rate increase by deducting the donation as an `unvestedAmount` (`getUnvestedAmount()`). 38 | 39 | ## Additional Findings 40 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 41 | 42 | ## Conclusion 43 | **Summary judgment: SAFE** 44 | 45 | This Rate Provider should work well with Balancer pools. Its approach towards handling protocol internal donations for rate increases has a smoothing effect. 46 | -------------------------------------------------------------------------------- /rate-providers/sUSDSBaseRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `SavingsUSDSRateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @\ 6 | - Deployed at: 7 | - [base:0x84394fa6a39bdff63b255622da362b113c690267](https://basescan.org/address/0x84394fa6a39bdff63b255622da362b113c690267#code) 8 | - Audit report(s): 9 | - [Chainsecurity audit](https://docs.spark.fi/assets/Chainsecurity-sUSDS.pdf) 10 | 11 | ## Context 12 | This Rate Provider provides a bridged rate from the L1 sUSDS contract. It bridges the rate (`chi`) via the Base message bridge. 13 | 14 | ## Review Checklist: Bare Minimum Compatibility 15 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
16 | 17 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 18 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 19 | 20 | ## Review Checklist: Common Findings 21 | Each of the items below represents a common red flag found in Rate Provider contracts. 22 | 23 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 24 | 25 | ### Administrative Privileges 26 | - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). 27 | 28 | - [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). 29 | - upgradeable component: `SUsds` ([ethereum:0xa3931d71877C0E7a3148CB7Eb4463524FEc27fbD](https://etherscan.io/address/0xa3931d71877C0E7a3148CB7Eb4463524FEc27fbD#readProxyContract)) 30 | - admin address: [ethereum:0xbe8e3e3618f7474f8cb1d074a26affef007e98fb](https://etherscan.io/address/0xbe8e3e3618f7474f8cb1d074a26affef007e98fb#code) 31 | - admin type: Spark governance 32 | 33 | 34 | ### Oracles 35 | - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). 36 | 37 | - [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). 
38 | 39 | ### Common Manipulation Vectors 40 | - [ ] The Rate Provider is susceptible to donation attacks. 41 | 42 | ## Additional Findings 43 | To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users. 44 | 45 | 46 | ## Conclusion 47 | **Summary judgment: USABLE** 48 | 49 | The reviewed rate provider should work well with Balancer pools. It works based on a bridged rate from the L1 sUSDS contract. 50 | -------------------------------------------------------------------------------- /rate-providers/sUSDXRateProvider.md: -------------------------------------------------------------------------------- 1 | 2 | # Rate Provider: sUSDXRateProvider.md 3 | 4 | ## Details 5 | This report was autogenerated on 26/03/2025. 6 | 7 | - Deployed at: 8 | - [Ethereum:0xA4c27E4Aa764312fD958345Ed683c6eeC4581A10](https://etherscan.io/address/0xA4c27E4Aa764312fD958345Ed683c6eeC4581A10) 9 | - Audit report(s): 10 | - [susdx audits](https://docs.usdx.money/informaiton/audit) 11 | 12 | ## Context 13 | Staking is controlled by the StakedUSDX smart contract. Stakers can interact with it directly or through https://usdx.money/stake. 14 | When staking, a user transfers USDX into the contract and receives sUSDX (staked USDX), another ERC20 token that represents a fractional interest in the USDX in the contract. 15 | Over time, a portion of protocol revenue accumulates in the staking contract as additional USDX is transferred in. 16 | When unstaking, sUSDX is burned in exchange for a proportionate USDX amount. For faster conversion into aforementioned stablecoins, users can swap sUSDX into USDX through liquidity pools (LPs). 17 | 18 | ## Review Checklist: Bare Minimum Compatibility 19 | Each of the items below represents an absolute requirement for the Rate Provider. 
If any of these is unchecked, the Rate Provider is unfit to use. 20 | 21 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 22 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 23 | 24 | ### Administrative Privileges 25 | - [ ] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 26 | - [ ] Other contracts which are part of the `getRate` callchain are upgradeable**. You can find more information 27 | about the involved contracts in this [tenderly simulation](https://www.tdly.co/shared/simulation/cf68cdb6-3b1a-4872-b4e0-079baf98781a) 28 | 29 | ## Conclusion 30 | **Summary judgment: USABLE** 31 | 32 | ** upgradeable in this context means that: 33 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 34 | 35 | -------------------------------------------------------------------------------- /rate-providers/wstethRateProvider.md: -------------------------------------------------------------------------------- 1 | # Rate Provider: `WstETHRateProvider` & `ChainlinkRateProvider` 2 | 3 | ## Details 4 | - Reviewed by: @mkflow27 5 | - Checked by: @danielmkm 6 | - Deployed at: 7 | - [ethereum:0x72D07D7DcA67b8A406aD1Ec34ce969c90bFEE768](https://etherscan.io/address/0x72D07D7DcA67b8A406aD1Ec34ce969c90bFEE768#code) 8 | - [arbitrum:0xf7c5c26B574063e7b098ed74fAd6779e65E3F836](https://arbiscan.io/address/0xf7c5c26b574063e7b098ed74fad6779e65e3f836#code) 9 | 10 | - Audit report(s): 11 | - [Lido audits](https://github.com/lidofinance/audits) 12 | 13 | ## Context 14 | The Rate Provider reports the value of wsteth in terms of steth. 15 | 16 | ## Review Checklist: Bare Minimum Compatibility 17 | Each of the items below represents an absolute requirement for the Rate Provider. 
If any of these is unchecked, the Rate Provider is unfit to use. 18 | 19 | - [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 20 | - [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 21 | 22 | ## Review Checklist: Common Findings 23 | Each of the items below represents a common red flag found in Rate Provider contracts. 24 | 25 | If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. 26 | 27 | ## Conclusion 28 | **Summary judgment: SAFE** 29 | 30 | This rateProvider has been operational since Aug-12-2021 (mainnet) & Aug-23-2022 (Arbitrum) and has passed the test of time. It is being added to this repo without a review being included. 
31 | -------------------------------------------------------------------------------- /src/index.ts: -------------------------------------------------------------------------------- 1 | export * from './app' 2 | export * from './utils' 3 | export * from './services' 4 | export * from './types' 5 | -------------------------------------------------------------------------------- /src/services/etherscanApi.ts: -------------------------------------------------------------------------------- 1 | import { Address, Hex, Chain } from 'viem' 2 | import { TransactionData, GetContractSourceCodeResponse } from '../types/types' 3 | 4 | class EtherscanApi { 5 | public chain: Chain 6 | private apiKey: string 7 | 8 | constructor(chain: Chain, apiKey: string) { 9 | this.chain = chain 10 | this.apiKey = apiKey 11 | } 12 | 13 | private getApiUrl(): string { 14 | const blockExplorer = this.chain.blockExplorers?.default 15 | if (!blockExplorer || !blockExplorer.apiUrl) { 16 | throw new Error(`API URL not found for chain: ${this.chain.name}`) 17 | } 18 | return blockExplorer.apiUrl 19 | } 20 | 21 | private async fetchFromApi(url: string): Promise { 22 | const response = await fetch(url) 23 | if (!response.ok) { 24 | throw new Error(`Error fetching data from API: ${response.statusText} for ${url}`) 25 | } 26 | return response.json() 27 | } 28 | 29 | public async getDeploymentTxHashAndBlock( 30 | addresses: Address[], 31 | ): Promise<{ address: Address; deploymentTxHash: Hex }[]> { 32 | const apiUrl = this.getApiUrl() 33 | const fetchingUrl = `${apiUrl}?module=contract&action=getcontractcreation&contractaddresses=${addresses.join(',')}&apikey=${this.apiKey}` 34 | const data: TransactionData = await this.fetchFromApi(fetchingUrl) 35 | return data.result.map((entry, index) => ({ 36 | address: addresses[index], 37 | deploymentTxHash: entry.txHash, 38 | })) 39 | } 40 | 41 | public async getSourceCode( 42 | addresses: Address[], 43 | ): Promise<{ address: Address; Proxy: string; ContractName: 
string; ABI: string; Implementation: Address }[]> { 44 | const apiUrl = this.getApiUrl() 45 | const results = [] 46 | 47 | for (const address of addresses) { 48 | try { 49 | const fetchingUrl = `${apiUrl}?module=contract&action=getsourcecode&address=${address}&apikey=${this.apiKey}` 50 | const data: GetContractSourceCodeResponse = await this.fetchFromApi(fetchingUrl) 51 | 52 | if (data.status !== '1') { 53 | console.error(`Error fetching contract info for address ${address}: ${data.message}`) 54 | continue // Skip this address 55 | } 56 | if (!data.result[0].ABI) { 57 | console.error(`ABI is missing for address ${address}`) 58 | continue // Skip this address 59 | } 60 | 61 | const { Proxy, ContractName, ABI, Implementation } = data.result[0] 62 | results.push({ address, Proxy, ContractName, ABI, Implementation }) 63 | } catch (error) { 64 | console.error(`Error processing address ${address}:`, error) 65 | // Skip this address and continue with the next one 66 | } 67 | 68 | // Add a delay between API calls 69 | await this.delay(1000) 70 | } 71 | 72 | return results 73 | } 74 | 75 | private delay(ms: number): Promise { 76 | return new Promise((resolve) => setTimeout(resolve, ms)) 77 | } 78 | } 79 | 80 | export default EtherscanApi 81 | -------------------------------------------------------------------------------- /src/services/index.ts: -------------------------------------------------------------------------------- 1 | export * from './etherscanApi' 2 | export * from './hypernativeApi' 3 | -------------------------------------------------------------------------------- /src/types/index.ts: -------------------------------------------------------------------------------- 1 | export * from './types' 2 | -------------------------------------------------------------------------------- /src/types/types.ts: -------------------------------------------------------------------------------- 1 | import { Address, Hex, Chain } from 'viem' 2 | 3 | export interface 
GetContractSourceCodeResult { 4 | SourceCode: string 5 | ABI: string 6 | ContractName: string 7 | CompilerVersion: string 8 | OptimizationUsed: string 9 | Runs: string 10 | ConstructorArguments: string 11 | EVMVersion: string 12 | Library: string 13 | LicenseType: string 14 | Proxy: string 15 | Implementation: Address 16 | SwarmSource: string 17 | } 18 | 19 | export interface GetContractSourceCodeResponse { 20 | status: string 21 | message: string 22 | result: GetContractSourceCodeResult[] 23 | } 24 | 25 | export interface TransactionData { 26 | result: Array<{ 27 | txHash: Hex 28 | blockNumber: string 29 | }> 30 | } 31 | 32 | export interface CustomAgentInput { 33 | chain: Chain 34 | ruleString: string 35 | contractAddress: string 36 | contractAlias: string 37 | rateProvider: string 38 | agentName: string 39 | operands?: string 40 | } 41 | 42 | export interface CustomAgentInputUpgrade { 43 | chain: Chain 44 | ruleString: string 45 | contractAddress: string[] 46 | contractAlias: string 47 | rateProvider: string 48 | agentName: string 49 | operands?: string 50 | } 51 | -------------------------------------------------------------------------------- /src/utils/abi/erc20.ts: -------------------------------------------------------------------------------- 1 | export const erc20Abi = [ 2 | { 3 | constant: true, 4 | inputs: [], 5 | name: 'name', 6 | outputs: [{ name: '', type: 'string' }], 7 | type: 'function', 8 | stateMutability: 'view', 9 | }, 10 | { 11 | constant: true, 12 | inputs: [], 13 | name: 'symbol', 14 | outputs: [{ name: '', type: 'string' }], 15 | type: 'function', 16 | stateMutability: 'view', 17 | }, 18 | { 19 | constant: true, 20 | inputs: [], 21 | name: 'decimals', 22 | outputs: [{ name: '', type: 'uint8' }], 23 | type: 'function', 24 | stateMutability: 'view', 25 | }, 26 | { 27 | constant: true, 28 | inputs: [], 29 | name: 'totalSupply', 30 | outputs: [{ name: '', type: 'uint256' }], 31 | type: 'function', 32 | stateMutability: 'view', 33 | }, 34 | { 
35 | constant: true, 36 | inputs: [{ name: 'account', type: 'address' }], 37 | name: 'balanceOf', 38 | outputs: [{ name: '', type: 'uint256' }], 39 | type: 'function', 40 | stateMutability: 'view', 41 | }, 42 | { 43 | constant: false, 44 | inputs: [ 45 | { name: 'to', type: 'address' }, 46 | { name: 'amount', type: 'uint256' }, 47 | ], 48 | name: 'transfer', 49 | outputs: [{ name: '', type: 'bool' }], 50 | type: 'function', 51 | stateMutability: 'nonpayable', 52 | }, 53 | { 54 | constant: true, 55 | inputs: [ 56 | { name: 'owner', type: 'address' }, 57 | { name: 'spender', type: 'address' }, 58 | ], 59 | name: 'allowance', 60 | outputs: [{ name: '', type: 'uint256' }], 61 | type: 'function', 62 | stateMutability: 'view', 63 | }, 64 | { 65 | constant: false, 66 | inputs: [ 67 | { name: 'spender', type: 'address' }, 68 | { name: 'amount', type: 'uint256' }, 69 | ], 70 | name: 'approve', 71 | outputs: [{ name: '', type: 'bool' }], 72 | type: 'function', 73 | stateMutability: 'nonpayable', 74 | }, 75 | { 76 | constant: false, 77 | inputs: [ 78 | { name: 'from', type: 'address' }, 79 | { name: 'to', type: 'address' }, 80 | { name: 'amount', type: 'uint256' }, 81 | ], 82 | name: 'transferFrom', 83 | outputs: [{ name: '', type: 'bool' }], 84 | type: 'function', 85 | stateMutability: 'nonpayable', 86 | }, 87 | { 88 | anonymous: false, 89 | inputs: [ 90 | { indexed: true, name: 'from', type: 'address' }, 91 | { indexed: true, name: 'to', type: 'address' }, 92 | { indexed: false, name: 'value', type: 'uint256' }, 93 | ], 94 | name: 'Transfer', 95 | type: 'event', 96 | }, 97 | { 98 | anonymous: false, 99 | inputs: [ 100 | { indexed: true, name: 'owner', type: 'address' }, 101 | { indexed: true, name: 'spender', type: 'address' }, 102 | { indexed: false, name: 'value', type: 'uint256' }, 103 | ], 104 | name: 'Approval', 105 | type: 'event', 106 | }, 107 | ] 108 | -------------------------------------------------------------------------------- /src/utils/abi/index.ts: 
-------------------------------------------------------------------------------- 1 | export * from './rateProvider' 2 | export * from './erc4626' 3 | export * from './erc20' 4 | -------------------------------------------------------------------------------- /src/utils/abi/rateProvider.ts: -------------------------------------------------------------------------------- 1 | export const rateProviderAbi = [ 2 | { 3 | inputs: [{ internalType: 'address', name: 'pool_', type: 'address' }], 4 | stateMutability: 'nonpayable', 5 | type: 'constructor', 6 | }, 7 | { 8 | inputs: [], 9 | name: 'FIXED_POINT_ONE', 10 | outputs: [{ internalType: 'uint256', name: '', type: 'uint256' }], 11 | stateMutability: 'view', 12 | type: 'function', 13 | }, 14 | { 15 | inputs: [], 16 | name: 'getRate', 17 | outputs: [{ internalType: 'uint256', name: '', type: 'uint256' }], 18 | stateMutability: 'view', 19 | type: 'function', 20 | }, 21 | { 22 | inputs: [], 23 | name: 'pool', 24 | outputs: [{ internalType: 'address', name: '', type: 'address' }], 25 | stateMutability: 'view', 26 | type: 'function', 27 | }, 28 | ] 29 | -------------------------------------------------------------------------------- /src/utils/erc4626Template.ts: -------------------------------------------------------------------------------- 1 | export const erc4626Template = ` 2 | # Rate Provider: {{erc4626}} rate provider 3 | 4 | ## Details 5 | This report was autogenerated on {{date}}. 6 | 7 | - Deployed at: 8 | - [{{network}}:{{erc4626Address}}]({{chainExplorer}}) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 
17 | 18 | - [ ] Tests based on the [balancer-v3-monorepo](https://github.com/balancer/balancer-v3-monorepo/tree/main/pkg/vault/test/foundry/fork) pass for the given ERC4626 vaults, which can be found [here](https://github.com/balancer/balancer-v3-erc4626-tests/tree/main/test). 19 | - [{{hasRequiredFunctionsImplemented}}] The required Vault implements the required operational ERC4626 Interface 20 | 21 | ### Administrative Privileges 22 | - [{{isUpgradeable}}] The ERC4626 Vault is upgradeable** (e.g., via a proxy architecture). 23 | - [{{hasUpgradeableElements}}] Other contracts which are part of the \`mint\` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation]({{tenderlySimUrl}}) 25 | 26 | ## Conclusion 27 | **Summary judgment: USABLE/UNUSABLE** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan. 31 | 32 | ` 33 | -------------------------------------------------------------------------------- /src/utils/hypernative/rate-provider-rate-deviation.ts: -------------------------------------------------------------------------------- 1 | /** Hypernative alert rule (agentType 'genericNodeQuery') for one rate provider on Base. Per ruleString, getRate() on contractAddress is sampled every 5 blocks and the rule fires when the uint256 result changes by 10% in less than 10 blocks; a rate that moves by less than that within every such window does not trigger it. The address, threshold and periods are stated twice, in the structured fields (contractAddress, operands, period, samplingPeriod) and as display text (ruleString, contractAddressAlias), so both must be changed together when this object is reused for another contract. NOTE(review): the units of delay and muteDuration are not visible here; confirm against the Hypernative API. */ export const rateProviderRateDeviationRule = { 2 | agentType: 'genericNodeQuery', 3 | agentName: 'rate provider rate deviation', 4 | state: 'enabled', 5 | rule: { 6 | chain: 'base', 7 | input: [], 8 | period: 10, 9 | funcSig: 'getRate()', 10 | operands: ['10'], 11 | operator: 'changed_by', 12 | conditions: [], 13 | periodUnit: 'blocks', 14 | ruleString: 15 | 'On Base: when 0x98..8282: getRate().uint256 changed by 10% in less than 10 blocks.\nSample every 5 blocks', 16 | outputIndex: 0, 17 | inputDataType: [], 18 | thresholdType: 'relative', 19 | outputDataType: ['uint256'], 20 | samplingPeriod: 5, 21 | contractAddress: '0x98feb82591069e793a5f76a6fe78d97b03418282', 22 | operandsExponent: [0], 23 | isReminderEnabled: false, 24 | samplingPeriodUnit: 'blocks', 25 | contractAddressAlias: 
'0x98..8282', 26 | contractFunctionObject: { 27 | name: 'getRate', 28 | type: 'function', 29 | inputs: [], 30 | funcSig: 'getRate()', 31 | outputs: [ 32 | { 33 | name: '', 34 | type: 'uint256', 35 | internalType: 'uint256', 36 | }, 37 | ], 38 | stateMutability: 'view', 39 | }, 40 | }, 41 | severity: 'Medium', 42 | muteDuration: 0, 43 | channelsConfigurations: [ 44 | { 45 | id: 2451, 46 | name: 'rate-provider-alerts', 47 | }, 48 | ], 49 | securitySuitIds: [1373], 50 | remindersConfigurations: [], 51 | delay: 600, 52 | } 53 | -------------------------------------------------------------------------------- /src/utils/hypernative/rate-provider-upgrade.ts: -------------------------------------------------------------------------------- 1 | /** Hypernative alert rule (agentType 'genericEventDetection') for one contract on Base. Per ruleString, it fires when Upgraded(indexed address implementation) is emitted and the emitting contract is contractAddress. The watched address is repeated in contractAddress, in transactionParams[0].operands and, shortened, in ruleString and contractAddressAlias; all of them must be changed together when the rule is reused. NOTE(review): the rule matches this one event signature only, so an implementation change that does not emit Upgraded would presumably go unnoticed; confirm which proxy patterns the monitored contracts use. */ export const rateProviderUpgradeRule = { 2 | agentType: 'genericEventDetection', 3 | agentName: 'rate provider upgrade', 4 | state: 'enabled', 5 | rule: { 6 | chain: 'base', 7 | funcSig: 'Upgraded(indexed address implementation)', 8 | fileName: 'abi.json', 9 | operator: 'compare_exact', 10 | conditions: [], 11 | ruleString: 12 | 'On Base: when event is Upgraded(indexed address implementation) (based on ABI of 0xe9..8dbb) is emitted\nand address emitting_contract is 0xe9..8dbb', 13 | inputDataType: [], 14 | outputDataType: ['address'], 15 | contractAddress: '0xe995168d9924d72a4fe45af18edc06b498cb8dbb', 16 | isReminderEnabled: false, 17 | transactionParams: [ 18 | { 19 | operands: ['0xe995168d9924d72a4fe45af18edc06b498cb8dbb'], 20 | operator: 'one_of', 21 | output_index: 'emitting_contract', 22 | operandsExponent: [], 23 | }, 24 | ], 25 | contractAddressAlias: '0xe9..8dbb', 26 | contractFunctionObject: { 27 | name: 'Upgraded', 28 | type: 'event', 29 | inputs: [ 30 | { 31 | name: 'implementation', 32 | type: 'address', 33 | indexed: true, 34 | internalType: 'address', 35 | }, 36 | ], 37 | funcSig: 'Upgraded(indexed address implementation)', 38 | outputs: [], 39 | anonymous: false, 40 | }, 41 | }, 42 | severity: 'Medium', 43 | 
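muteDuration: 0, 44 | securitySuitIds: [1373], 45 | channelsConfigurations: [ 46 | { 47 | id: 2451, 48 | name: 'rate-provider-alerts', 49 | }, 50 | ], 51 | remindersConfigurations: [], 52 | delay: 600, 53 | } 54 | -------------------------------------------------------------------------------- /src/utils/index.ts: -------------------------------------------------------------------------------- 1 | export * from './abi' 2 | export * from './template' 3 | export * from './erc4626Template' 4 | export * from './onchainCallHelpers' 5 | -------------------------------------------------------------------------------- /src/utils/onchainCallHelpers.ts: --------------------------------------------------------------------------------
import { createPublicClient, http, erc20Abi, erc4626Abi } from 'viem'
import { Address, Chain } from 'viem'
import { mainnet } from 'viem/chains'

/**
 * Reads `name()` from an ERC20 contract with an on-chain call and returns it
 * with every space removed.
 *
 * The string is chosen by the contract at `contractAddress`, so it is untrusted
 * input: only spaces are stripped here. A caller that puts the result into a
 * file name or into generated Markdown has to restrict it to a safe character
 * set itself.
 *
 * @param contractAddress - The address of the ERC20 contract.
 * @param chain - The viem chain the contract is deployed on.
 * @param rpcUrl - The RPC endpoint used for the HTTP transport.
 * @returns The contract's name without spaces.
 */
export async function doOnchainCallGetName(contractAddress: Address, chain: Chain, rpcUrl: string): Promise<string> {
    const publicClient = createPublicClient({
        chain,
        transport: http(rpcUrl),
    })

    // Call the "name" function on the ERC20 contract
    const name = (await publicClient.readContract({
        address: contractAddress,
        abi: erc20Abi,
        functionName: 'name',
    })) as string

    // A string pattern makes replace() stop after the first match, which left
    // the later spaces of multi-word names in place; the global regex removes all.
    return name.replace(/ /g, '')
}

/**
 * Reads `asset()` from an ERC4626 vault with an on-chain call.
 *
 * @param contractAddress - The address of the ERC4626 vault.
 * @param chain - The viem chain the vault is deployed on.
 * @param rpcUrl - The RPC endpoint used for the HTTP transport.
 * @returns The address the vault reports as its underlying asset.
 */
export async function doOnchainCallGetAsset(contractAddress: Address, chain: Chain, rpcUrl: string): Promise<string> {
    const publicClient = createPublicClient({
        chain,
        transport: http(rpcUrl),
    })

    // Call the "asset" function on the ERC4626 contract
    const asset = (await publicClient.readContract({
        address: contractAddress,
        abi: erc4626Abi,
        functionName: 'asset',
    })) as string

    // The value is an address, so there are no spaces to strip.
    return asset
}
-------------------------------------------------------------------------------- /src/utils/template.ts: -------------------------------------------------------------------------------- 1 | export const template = ` 2 | # Rate Provider: {{rateProvider}} rate provider 3 | 4 | ## Details 5 | This report was autogenerated on {{date}}. 6 | 7 | - Deployed at: 8 | - [{{network}}:{{rateProviderAddress}}]({{chainExplorer}}) 9 | - Audit report(s): 10 | - []() 11 | 12 | ## Context 13 | 14 | 15 | ## Review Checklist: Bare Minimum Compatibility 16 | Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. 17 | 18 | - [{{hasInterface}}] Implements the [\`IRateProvider\`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. 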
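19 | - [{{isScale18}}] \`getRate\` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. 20 | 21 | ### Administrative Privileges 22 | - [{{isUpgradeable}}] The Rate Provider is upgradeable** (e.g., via a proxy architecture). 23 | - [{{hasUpgradeableElements}}] Other contracts which are part of the \`getRate\` callchain are upgradeable**. You can find more information 24 | about the involved contracts in this [tenderly simulation]({{tenderlySimUrl}}) 25 | 26 | ## Conclusion 27 | **Summary judgment: {{isUsable}}** 28 | 29 | ** upgradeable in this context means that: 30 | - The contract is a proxy contract with an implementation sourced from Etherscan and the proxy emitted an "Upgraded" event. 31 | 32 | ` 33 | -------------------------------------------------------------------------------- /test/erc4626schema.test.js: --------------------------------------------------------------------------------
const fs = require("fs").promises
const path = require("path")
const Ajv = require("ajv")
const ajv = new Ajv()

// Schema for erc4626/registry.json: network name -> vault address -> review record.
// Addresses are checked by pattern only (any letter case, no checksum), and JSON
// keys are case-sensitive, so one address written in two casings is two entries.
// NOTE(review): only the top level sets additionalProperties: false. Keys that
// match neither pattern at the network level, and unknown fields in a record,
// are accepted without validation, whereas the schema in test/schema.test.js
// rejects them. Confirm whether this registry should be as strict.
const schema = {
  type: "object",
  patternProperties: {
    "^[a-z]+$": {
      type: "object",
      patternProperties: {
        "^0x[a-fA-F0-9]{40}$": {
          type: "object",
          properties: {
            asset: { type: "string", pattern: "^0x[a-fA-F0-9]{40}$" },
            name: { type: "string", minLength: 1 },
            summary: { type: "string", enum: ["safe", "unsafe"] },
            review: { type: "string", minLength: 1 },
            warnings: { type: "array", items: { type: "string" } },
            canUseBufferForSwaps: { type: "boolean" },
            useUnderlyingForAddRemove: {
              type: "boolean",
            },
            useWrappedForAddRemove: { type: "boolean" },
          },
          required: [
            "asset",
            "name",
            "summary",
            "review",
            "warnings",
            "canUseBufferForSwaps",
            "useUnderlyingForAddRemove",
            "useWrappedForAddRemove",
          ],
        },
      },
    },
  },
  additionalProperties: false,
}

const validate = ajv.compile(schema)

describe("ERC4626 Schema validation", () => {
  test("should validate the ERC4626 registry", async () => {
    const data = await fs.readFile("erc4626/registry.json", "utf8")
    const registry = JSON.parse(data)
    const valid = validate(registry)
    if (!valid) {
      // Print the ajv errors so a failing run shows which entry is malformed
      console.log(validate.errors)
    }
    expect(valid).toBe(true)
  })
})

describe("ERC4626 Review files exist", () => {
  test("should check that all reviews exist", async () => {
    const data = await fs.readFile("erc4626/registry.json", "utf8")
    const registry = JSON.parse(data)
    const reviewsDir = path.join(__dirname, "..", "erc4626")

    const outsideReviews = []
    const missingReviews = []

    for (const vaults of Object.values(registry)) {
      for (const { review } of Object.values(vaults)) {
        const reviewPath = path.join(reviewsDir, review)

        // `review` is only constrained to be a non-empty string, so a value with
        // ".." segments would resolve outside erc4626/ and still pass the
        // existence check if it hit any readable file. Report it instead.
        const relative = path.relative(reviewsDir, reviewPath)
        if (relative === ".." || relative.startsWith(`..${path.sep}`)) {
          console.log(`Review path leaves erc4626/: ${review}`)
          outsideReviews.push(review)
          continue
        }

        try {
          await fs.access(reviewPath)
        } catch {
          console.log(`Missing file: ${reviewPath}`)
          missingReviews.push(reviewPath)
        }
      }
    }

    expect(outsideReviews.length).toBe(0)
    expect(missingReviews.length).toBe(0)
  })
})
-------------------------------------------------------------------------------- /test/schema.test.js: -------------------------------------------------------------------------------- 1 | const Ajv = require("ajv") 2 | const ajv = new Ajv({ allErrors: true }) 3 | const fs = require("fs").promises 4 | const path = require("path") 5 | 6 | // registry.json schema definition 7 | const schema = { 8 | type: "object", 9 | patternProperties: { 10 | "^[a-z]+$": { 11 | type: "object", 12 | patternProperties: { 13 | "^0x[a-fA-F0-9]{40}$": { 14 | type: "object", 15 | properties: { 16 | asset: { type: "string", pattern: "^0x[a-fA-F0-9]{40}$" }, 17 | name: { type: "string", minLength: 1 }, 18 | summary: { type: "string", 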
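enum: ["safe", "unsafe"] }, 19 | review: { type: "string", minLength: 1}, 20 | warnings: { type: "array", items: { type: "string" } }, 21 | factory: { type: "string" }, 22 | upgradeableComponents: { 23 | type: "array", 24 | items: { 25 | type: "object", 26 | properties: { 27 | entrypoint: { 28 | type: "string", 29 | pattern: "^0x[a-fA-F0-9]{40}$", 30 | }, 31 | implementationReviewed: { 32 | type: "string", 33 | pattern: "^0x[a-fA-F0-9]{40}$", 34 | }, 35 | }, 36 | required: ["entrypoint", "implementationReviewed"], 37 | additionalProperties: false, 38 | }, 39 | }, 40 | }, 41 | required: [ 42 | "asset", 43 | "name", 44 | "summary", 45 | "review", 46 | "warnings", 47 | "factory", 48 | "upgradeableComponents", 49 | ], 50 | additionalProperties: false, 51 | }, 52 | }, 53 | additionalProperties: false, 54 | }, 55 | }, 56 | additionalProperties: false, 57 | } 58 | 59 | const validate = ajv.compile(schema)

describe("Schema validation", () => {
  test("should validate the registry", async () => {
    const data = await fs.readFile("rate-providers/registry.json", "utf8")
    const registry = JSON.parse(data)
    const valid = validate(registry)
    if (!valid) {
      // Print the ajv errors so a failing run shows which entry is malformed
      console.log(validate.errors)
    }
    expect(valid).toBe(true)
  })
})

describe("Review files exist", () => {
  test("should check that all reviews exist", async () => {
    const data = await fs.readFile("rate-providers/registry.json", "utf8")
    const registry = JSON.parse(data)
    const reviewsDir = path.join(__dirname, "..", "rate-providers")

    const outsideReviews = []
    const missingReviews = []

    for (const providers of Object.values(registry)) {
      for (const { review } of Object.values(providers)) {
        // path.join already normalises a leading "./", so the value is joined
        // as written. Stripping the first "./" anywhere in the string, as was
        // done before, also rewrote "../" segments.
        const reviewPath = path.join(reviewsDir, review)

        // `review` is only constrained to be a non-empty string, so a value with
        // ".." segments would resolve outside rate-providers/ and still pass the
        // existence check if it hit any readable file. Report it instead.
        const relative = path.relative(reviewsDir, reviewPath)
        if (relative === ".." || relative.startsWith(`..${path.sep}`)) {
          console.log(`Review path leaves rate-providers/: ${review}`)
          outsideReviews.push(review)
          continue
        }

        try {
          await fs.access(reviewPath)
        } catch {
          console.log(`Missing file: ${reviewPath}`)
          missingReviews.push(reviewPath)
        }
      }
    }

    expect(outsideReviews.length).toBe(0)
    expect(missingReviews.length).toBe(0)
  })
})
--------------------------------------------------------------------------------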