- Total Prize Pool: $90,500 in USDC
- HM awards: $72,000 in USDC
- QA awards: $3,000 in USDC
- Judge awards: $9,000 in USDC
- Validator awards: $6,000 in USDC
- Scout awards: $500 in USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts May 28, 2024 20:00 UTC
- Ends June 18, 2024 20:00 UTC
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
The known issues (some of them intended by design) that are not in scope for this audit are outlined in the following:
- https://github.com/code-423n4/2024-05-olas/blob/main/governance/docs/Vulnerabilities_list_governance.pdf
- https://github.com/code-423n4/2024-05-olas/blob/main/registries/docs/Vulnerabilities_list_registries.pdf
- https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/docs/Vulnerabilities_list_tokenomics.pdf
Additionally, the following are not in scope for this audit.
- All vulnerabilities mentioned in governance audits folder, registries audits folder, tokenomics audits folder
- All vulnerabilities mentioned in governance docs folder, registries docs folder, tokenomics docs folder
- All vulnerabilities mentioned in governance test folder, registries test folder, tokenomics test folder
- All vulnerabilities mentioned in the comments on the contracts code governance contracts folder, registries contracts folder, tokenomics contracts folder
- All vulnerabilities found in the inherited source code from OpenZeppelin and Solmate
- All vulnerabilities found in the inherited source code for the bridging contracts.
- All vulnerabilities found in code based on or inspired by Maple Finance, Curve DAO, Uniswap Lab, PaulRBerg, Jeiwan, Safe Ecosystem and that are already reported to one of those projects.
This audit is focused on smart contracts related to Olas staking mechanism. Olas on-chain protocol can be divided in three main parts: governance, registries, and tokenomics. Here is an overview of these parts.
The governance is designed to assume various control points to steer the Olas protocol. The governance token, veOLAS is the virtualized representation of OLAS locked and used a similar approach to veCRV, where votes are weighted depending on the time OLAS is locked other than the amount of locked OLAS.
The VoteWeighting contract enables Olas DAO members (via veOLAS) to vote on staking programs, assigning weights according to their preferences. It adopts a model similar to the Curve Gauge Controller, maintains a list of gauges and their associated weights. Modifications from the original Curve Gauge Controller include granting anyone the ability to add staking contracts by removing ownership control on this functionality, and eliminating additional categorization by contract type. For more details on VotingWeight, see Olas staking smart contracts and Olas staking whitepaper.
The list of the governance contracts in scope for the current audit can be found in the Scope section below.
Registries allow developer of code in form of agents, components, or services to register and manage their code on-chain. The code existing off-chain will be uniquely represented on-chain by means of NFTs. A summary of registries is provided here. The registry contracts related to Olas staking collectively form a robust system for managing staking services within an Olas ecosystem. The StakingFactory serves as a gateway for deploying staking contracts, offering flexibility through customizable verification logic. Staking contracts, designed for compatibility, provide standardized functionalities while allowing variation in activity checks tailored to specific use cases. The StakingActivityCheck contract optimistically ensures that stakers meet predefined activity criteria, contributing to the fair distribution of rewards (see Olas staking smart contracts for more details).
The list of the registries contracts in scope for the current audit can be found in the Scope section below.
The tokenomics provides the following pimitives: Staking, developer rewards, and bonding (cf. Olas tokenomics paper and Olas staking whitepaper for more details).
Tokenomics contracts related to Olas staking introduce a robust and decentralized framework for allocating OLAS emissions to staking programs beyond the boundaries of Ethereum to various networks such as Gnosis, Polygon, Arbitrum, Solana, and more. More details can be found in Olas staking smart contracts.
- Previous audits:
- Documentation:
- Olas staking whitepaper
- Olas staking smart contracts.
- Autonolas whitepaper The following are relevant for governance related contracts:
- Summary of governance model
- Cross-chain governance design The following are relevant for registries related contracts:
- Summary of registries design
- Definitions and data structures The following are relevant for tokenomics related contract:
- Summary of tokenomics model
- Autonolas tokenomics paper
- Website: https://olas.network/
- Twitter: @autonolas
- Discord: https://discord.gg/Dh6UqUuV
| Contract | SLOC | Purpose | Libraries used |
|---|---|---|---|
| governance/contracts/VoteWeighting.sol | 427 | The contract enables Olas DAO members (via veOLAS) to vote on staking programs, assigning weights according to their preferences. | |
| registries/contracts/staking/StakingBase.sol | 518 | Base abstract smart contract for staking a service by its owner | solmate/* |
| registries/contracts/staking/StakingFactory.sol | 159 | Smart contract for staking factory | |
| registries/contracts/staking/StakingNativeToken.sol | 22 | Smart contract for staking a service secured with the native network token | |
| registries/contracts/staking/StakingProxy.sol | 30 | Smart contract for staking proxy | |
| registries/contracts/staking/StakingToken.sol | 58 | Smart contract for staking a service secured with an ERC20 token | |
| registries/contracts/staking/StakingVerifier.sol | 133 | Smart contract for service staking contracts verification | |
| registries/contracts/staking/StakingActivityChecker.sol | 28 | Smart contract for performing a service staking activity check | |
| registries/contracts/utils/SafeTransferLib.sol | 41 | This contract provides a library with safe methods for transferring ERC-20 tokens | |
| tokenomics/contracts/staking/DefaultDepositProcessorL1.sol | 112 | Smart contract for sending tokens and data via arbitrary bridge from L1 to L2 and processing data received from L2 | |
| tokenomics/contracts/staking/DefaultTargetDispenserL2.sol | 253 | Smart contract for processing tokens and data received on L2, and data sent back to L1 | |
| tokenomics/contracts/staking/EthereumDepositProcessor.sol | 87 | Smart contract for processing tokens and data on L1 | |
| tokenomics/contracts/staking/ArbitrumDepositProcessorL1.sol | 98 | Smart contract for sending tokens and data via Arbitrum bridge from L1 to L2 and processing data received from L2 | |
| tokenomics/contracts/staking/ArbitrumTargetDispenserL2.sol | 33 | Smart contract for processing tokens and data received on Arbitrum L2, and data sent back to L1 | |
| tokenomics/contracts/staking/GnosisDepositProcessorL1.sol | 48 | Smart contract for sending tokens and data via Gnosis bridge from L1 to L2 and processing data received from L2 | |
| tokenomics/contracts/staking/GnosisTargetDispenserL2.sol | 50 | Smart contract for processing tokens and data received on Gnosis L2, and data sent back to L1 | |
| tokenomics/contracts/staking/OptimismDepositProcessorL1.sol | 69 | Smart contract for sending tokens and data via Optimism bridge from L1 to L2 and processing data received from L2 | |
| tokenomics/contracts/staking/OptimismTargetDispenserL2.sol | 45 | Smart contract for processing tokens and data received on Optimism L2, and data sent back to L1 | |
| tokenomics/contracts/staking/PolygonDepositProcessorL1.sol | 58 | Smart contract for sending tokens and data via Polygon bridge from L1 to L2 and processing data received from L2 | fx-portal/* |
| tokenomics/contracts/staking/PolygonTargetDispenserL2.sol | 34 | Smart contract for processing tokens and data received on Polygon L2, and data sent back to L1 | fx-portal/* |
| tokenomics/contracts/staking/WormholeDepositProcessorL1.sol | 78 | Smart contract for sending tokens and data via Wormhole bridge from L1 to L2 and processing data received from L2 | @wormhole-solidity-sdk/* |
| tokenomics/contracts/staking/WormholeTargetDispenserL2.sol | 88 | Smart contract for processing tokens and data received via Wormhole on L2, and data sent back to L1 | @wormhole-solidity-sdk/* |
| tokenomics/contracts/Tokenomics.sol | 733 | Smart contract implementing the tokenomics model for code incentives, discount factor bonding mechanism regulations, and staking points. | @prb-math/* |
| tokenomics/contracts/TokenomicsConstants.sol | 60 | Smart contract with tokenomics constants for annual inflation supplies | |
| tokenomics/contracts/Dispenser.sol | 644 | Smart contract for distributing dev rewards and claim staking emissions | |
| tokenomics/contracts/interfaces/IDonatorBlacklist.sol | 4 | DonatorBlacklist interface | |
| tokenomics/contracts/interfaces/IErrorsTokenomics.sol | 31 | Errors interface | |
| tokenomics/contracts/interfaces/IBridgeErrors.sol | 23 | Bridge Errors interface | |
| TOTAL | 3964 |
|
| Question | Answer |
|---|---|
| ERC20 used by the protocol | Any (all possible ERC20s) |
| Test coverage | Governance Functions: 99.43% - Registries Functions: 99.46% - Tokenomics Functions: 99.32% |
| ERC721 used by the protocol | Some contracts in scope interacts with Solmate ERC721, however such ERC721 contract is not scope. |
| ERC777 used by the protocol | None |
| ERC1155 used by the protocol | None |
| Chains the protocol will be deployed on | Ethereum, Arbitrum, Base, Optimism, Polygon, OtherGnosis, Celo, Solana |
| Question | Answer |
|---|---|
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | No |
| Upgradeability (e.g. Uniswap gets upgraded) | No |
None
Here some examples.
- Only DAO members can cast their vote on votingWeigh
- Only executed DAO vote allow to sync information form L1 to L2 and vice-versa
- In the contract in scope, only dispenser contracts has the manager rights to mint OLAS via Treasury
- OLAS token transfer can happen only from L1 to L2
Here some examples.
- Issues arising from cross-chain interactions
- Issues arising from incorrect tokenomics calculation
- Minting that exceeds the global inflation curve
- Attack to distribute more rewards than expected
- Issues arising from ability to abuse staking factory contracts
- DAO members decisions are always assumed to be honest
- DAO executed vote are always assumed to be honest
Olas staking is a novel staking mechanism that can spawn desirable autonomous AI agent economies in crypto and beyond. The smart contracts in scope of this audit are essential to enable Olas staking. Details on Olas staking can be found in https://staking.olas.network/poaa-whitepaper.pdf.
A brief overview of the tokenomics model can be found here https://github.com/valory-xyz/autonolas-tokenomics/blob/pre-c4a/docs/Autonolas_tokenomics_audit.pdf. For more details, see the tokenomics paper https://www.autonolas.network/documents/whitepaper/Autonolas_Tokenomics_Core_Technical_Document.pdf. Details on
An overview of the governance process can be found here https://github.com/valory-xyz/autonolas-governance/blob/pre-c4a/docs/Governance_process.pdf.
A brief overview of registries can be found here https://github.com/valory-xyz/autonolas-registries/blob/pre-c4a/docs/AgentServicesFunctionality.pdf . Here, the protocol withepaper https://www.autonolas.network/documents/whitepaper/Whitepaper%20v1.0.pdf.
This repository will follows the standard Hardhat development process.
- The code is written on Solidity starting from version
0.8.15. - The standard versions of Node.js along with Yarn are required to proceed further (confirmed to work with Yarn
1.22.19and npm10.1.0and nodev18.6.0); Foundryis required to run the foundry tests.
Each relevant directory has the package.json file managing dependencies, and the setup parameters are stored in the corresponding hardhat.config.js file.
Simply run the following command to install each of the projects (cd governance / registries / tokenomics):
yarn install
The contracts, deploy scripts, regular scripts and tests are located in the following folders respectively:
contracts
scripts
test
cd governance
Compile the code:
npx hardhat compile
Run tests with Hardhat:
npx hardhat test
cd registries
Compile the code:
npx hardhat compile
Run tests with Hardhat:
npx hardhat test
Run tests with Foundry:
forge test --hh -vv
cd tokenomics
Compile the code:
npm run compile
Run tests with Hardhat:
npx hardhat test
Run tests with Foundry:
forge test --hh -vv
Note
Forge tests don't run by default!
For them to run in the corresponding folder (registries / tokenomics) one needs to go in the folder and initialize an empty
git repo with the git init command, i.e. for registries:
cd registries
git init
forge test --hh -vvvRun tests coverage for each of the corresponding folder (governance / registries / tokenomics)
npx hardhat coverage
Employees of OLAS and employees' family members are ineligible to participate in this audit.