- Join Sherlock Discord
- Submit findings using the issue page in your private contest repo (label issues as med or high)
- Read for more details
Eth, base, bnb, avalanche, polkadot, arbitrum
Q: If you are integrating tokens, are you allowing only whitelisted tokens to work with the codebase or any complying with the standard? Are they assumed to have certain properties, e.g. be non-reentrant? Are there any types of weird tokens you want to integrate?
Yes only certain ERC20 tokens (i.e. specific ERC20 such as USDC for investment, and another specific ERC20 for claims) will interact with the codebase. It's expected that none are "weird" and would have proper protections such as being non-reentrant.
In general, the contracts will facilitate transfer of ERC20 tokens. In the case of VVVVCInvestmentLedger.sol, the contract handles users' deposits of ERC20 tokens as well as permissioned withdrawal of these tokens. VVVVCTokenDistributor.sol handles the transfer of ERC20 tokens from approved wallets to callers of the claim() function, given all other checks are passed.
Q: Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths?
No
Q: Are there any limitations on values set by admins (or other roles) in protocols you integrate with, including restrictions on array lengths?
No
Both VVVVCInvestmentLedger.sol and VVVVCTokenDistributor.sol define EIP-712 domain components and utilize EIP-712 structured data formats in validating signature used to validate calls to VVVVCInvestmentLedger:invest() and VVVVCTokenDistributor:claim().
Q: Are there any off-chain mechanisms involved in the protocol (e.g., keeper bots, arbitrage bots, etc.)? We assume these mechanisms will not misbehave, delay, or go offline unless otherwise specified.
Yes. A trusted off-chain centralized system handles creating the signatures which validate calls to VVVVCInvestmentLedger:invest() and VVVVCTokenDistributor:claim() and maintaining the wallet ERC20 token balances from which VVVVCTokenDistributor:claim() transfers. In the case of VVVVCInvestmentLedger:invest() the centralized system generates approved input parameters, and the contract ensures that these validated parameters aren't exceeded (see check for investment round start and end timestamp on line 151 of VVVVCInvestmentLedger.sol). In the case of VVVVCTokenDistributor:claim(), the centralized system is the sole source of approval for transactions/input parameters.
N/A
-
VVVVCInvestmentLedger:FEE_DENOMINATOR value of 10_000 was deemed to provide sufficient precision for any fees applied to deposit of ERC20 tokens to the VVVVCInvestmentLedger contract.
-
Successful function of VVVVCInvestmentLedger:invest() depends on the successful management of the centralized system for creating signatures.
-
Successful function of VVVVCTokenDistributor:claim() depends on successful management of the centralized system which handles both signature creation and ensuring all wallets from which tokens will be claimed have the expected balances to be withdrawn.
N/A
N/A
Prior audit in which VVVAuthorizationRegistry.sol and VVVAuthorizationRegistryChecker.sol were in scope: https://github.com/sherlock-audit/2024-03-vvv-vesting-staking
Additional prior Context Q&A answered/formatted here if helpful: https://gist.github.com/curi0n-s/b89d869d637e703bbdda8899bb8e978b
vvv-platform-smart-contracts @ 29fdceaeed9a4174039b66d85a5d4ce5d0ed14bf