From b2c0ac372b3466c3ae7829bbd7f4e662471937e7 Mon Sep 17 00:00:00 2001 From: Zen-Maxi <85650601+Zen-Maxi@users.noreply.github.com> Date: Mon, 25 Nov 2024 16:19:54 -0500 Subject: [PATCH 1/5] Aave-Mainnet-BasicERC4626RateProviders Adding support for USDC, DAI, wETH, USDe, pyUSD, and FRAX in the case of needing them for buffers or boosted pools. Not yet supported: Aave USDS, Lido instance GHO, wstETH, or wETH. --- rate-providers/registry.json | 108 +++++++++++++++++++++ rate-providers/statATokenLMRateProvider.md | 66 +++++++++++++ 2 files changed, 174 insertions(+) diff --git a/rate-providers/registry.json b/rate-providers/registry.json index f590a70..9a91e71 100644 --- a/rate-providers/registry.json +++ b/rate-providers/registry.json 
@@ -1675,6 +1675,114 @@
 "warnings": [],
 "factory": "",
 "upgradeableComponents": []
+ },
+ "0x84DC1c08c184de4164764c5a4d627339567702F2": {
+ "asset": "0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenLMRateProvider.md",
+ "warnings": [""],
+ "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6",
+ "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ },
+ {
+ "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
+ "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ }
+ ]
+ },
+ "0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933": {
+ "asset": "0xaf270C38fF895EA3f95Ed488CEACe2386F038249",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenLMRateProvider.md",
+ "warnings": [""],
+ "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0xaf270C38fF895EA3f95Ed488CEACe2386F038249",
+ "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ },
+ {
+ "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
+ "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ }
+ ]
+ },
+ "0xdf546c8669682d5C197787A747dd45C9F4e0589E": {
+ "asset": "0x252231882FB38481497f3C767469106297c8d93b",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenLMRateProvider.md",
+ "warnings": [""],
+ "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x252231882FB38481497f3C767469106297c8d93b",
+ "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ },
+ {
+ "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
+ "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ }
+ ]
+ },
+ "0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B": {
+ "asset": "0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenLMRateProvider.md",
+ "warnings": [""],
+ "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99",
+ "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ },
+ {
+ "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
+ "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ }
+ ]
+ },
+ "0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1": {
+ "asset": "0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenLMRateProvider.md",
+ "warnings": [""],
+ "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152",
+ "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ },
+ {
+ "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
+ "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ }
+ ]
+ },
+ "0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514": {
+ "asset": "0xEE66abD4D0f9908A48E08AE354B0f425De3e237E",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenLMRateProvider.md",
+ "warnings": [""],
+ "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0xEE66abD4D0f9908A48E08AE354B0f425De3e237E",
+ "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ },
+ {
+ "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
+ "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ }
+ ]
 }
 },
 "fantom": {
diff --git a/rate-providers/statATokenLMRateProvider.md b/rate-providers/statATokenLMRateProvider.md
index bb97e08..76b3600 100644
--- a/rate-providers/statATokenLMRateProvider.md
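Review bot: `"warnings": [""]` in each of the six added entries is a one-element array holding an empty string, not the empty array used by the neighbouring context entry (`"warnings": []`), so a consumer that tests the array length would report a warning with no text. Write `"warnings": [],` in all six; the later `@@ -1676,111 +1676,75 @@` hunk in patch 2/5 carries the same line over into its four replacement entries. Separately, the `implementationReviewed` values here are all-lowercase while every other address in the hunk is mixed-case (checksum-style), so they lose the typo protection a checksummed address gives. Since this field pins which implementation the `"safe"` verdict covers, it is worth writing those values in the same checksummed form as the `entrypoint` addresses.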
+++ b/rate-providers/statATokenLMRateProvider.md @@ -7,6 +7,12 @@ - [ethereum:0xda3E8CD08753a05Ed4103aF28c69C47e35d6D8Da](https://etherscan.io/address/0xda3E8CD08753a05Ed4103aF28c69C47e35d6D8Da#code) - [ethereum:0x3fc2eada4FE8ecc835E74D295b9447B4A4475bAE](https://etherscan.io/address/0x3fc2eada4FE8ecc835E74D295b9447B4A4475bAE#code) - [ethereum:0x159aa33322918C12a08d8b83a215836781C2682F](https://etherscan.io/address/0x159aa33322918C12a08d8b83a215836781C2682F#code) + - [ethereum:0x84DC1c08c184de4164764c5a4d627339567702F2](https://etherscan.io/address/0x84DC1c08c184de4164764c5a4d627339567702F2#code) + - [ethereum:0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933](https://etherscan.io/address/0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933#code) + - [ethereum:0xdf546c8669682d5C197787A747dd45C9F4e0589E](https://etherscan.io/address/0xdf546c8669682d5C197787A747dd45C9F4e0589E#code) + - [ethereum:0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B](https://etherscan.io/address/0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B#code) + - [ethereum:0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1](https://etherscan.io/address/0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1#code) + - [ethereum:0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514](https://etherscan.io/address/0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514#code) - [polygon:0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531](https://polygonscan.com/address/0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531) - [polygon:0x9977a61a6aa950044d4dcD8aA0cAb76F84ea5aCd](https://polygonscan.com/address/0x9977a61a6aa950044d4dcD8aA0cAb76F84ea5aCd) - [arbitrum:0x87cD462A781c0ca843EAB131Bf368328848bB6fD](https://arbiscan.io/address/0x87cd462a781c0ca843eab131bf368328848bb6fd) 
@@ -72,6 +78,66 @@ If none of these is checked, then this might be a pretty great Rate Provider! If - admin type: Aave governance system. - multisig timelock? YES: 24 hours + - [ethereum:0x84DC1c08c184de4164764c5a4d627339567702F2](https://etherscan.io/address/0x84DC1c08c184de4164764c5a4d627339567702F2#code) + - upgradeable component: `StaticATokenLM` ([ethereum:0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6](https://etherscan.io/address/0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours. + - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours + + - [ethereum:0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933](https://etherscan.io/address/0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933#code) + - upgradeable component: `StaticATokenLM` ([ethereum:0xaf270C38fF895EA3f95Ed488CEACe2386F038249](https://etherscan.io/address/0xaf270C38fF895EA3f95Ed488CEACe2386F038249#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours. 
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours + + - [ethereum:0xdf546c8669682d5C197787A747dd45C9F4e0589E](https://etherscan.io/address/0xdf546c8669682d5C197787A747dd45C9F4e0589E#code) + - upgradeable component: `StaticATokenLM` ([ethereum:0x252231882FB38481497f3C767469106297c8d93b](https://etherscan.io/address/0x252231882FB38481497f3C767469106297c8d93b#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours. + - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours + + - [ethereum:0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B](https://etherscan.io/address/0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B#code) + - upgradeable component: `StaticATokenLM` ([ethereum:0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99](https://etherscan.io/address/0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours. 
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours + + - [ethereum:0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1](https://etherscan.io/address/0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1#code) + - upgradeable component: `StaticATokenLM` ([ethereum:0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152](https://etherscan.io/address/0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours. + - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours + + - [ethereum:0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514](https://etherscan.io/address/0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514#code) + - upgradeable component: `StaticATokenLM` ([ethereum:0xEE66abD4D0f9908A48E08AE354B0f425De3e237E](https://etherscan.io/address/0xEE66abD4D0f9908A48E08AE354B0f425De3e237E#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours. 
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) + - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) + - admin type: Aave governance system. + - multisig timelock? YES: 24 hours + - [polygon:0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531](https://polygonscan.com/address/0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531) - upgradeable component: `StaticATokenLM` ([polygon:0x2dCa80061632f3F87c9cA28364d1d0c30cD79a19](https://polygonscan.com/address/0x2dCa80061632f3F87c9cA28364d1d0c30cD79a19#readProxyContract)) - admin address: [polygon:0xDf7d0e6454DB638881302729F5ba99936EaAB233](https://polygonscan.com/address/0xDf7d0e6454DB638881302729F5ba99936EaAB233#code) From 7fa824d4e780db453355cf3323ad3b22ae287445 Mon Sep 17 00:00:00 2001 
From: Zen-Maxi <85650601+Zen-Maxi@users.noreply.github.com> Date: Wed, 27 Nov 2024 16:36:42 -0500 Subject: [PATCH 2/5] Morpho & Aave StavaV2 Rate Providers Please review the new Static-A-token implementation from Aave which just went live. In my findings the primary change is the rewards rescuer will be the ALC Multisig so the Balancer ecosystem will need to coordinate with the Aave ecosystem on any pass through LM incentives being used on the lending market to re-distribute them to the pool participants. This is not a major change from the previous design. MetaMorpho vaults are newer to me, however they seem to have far fewer upgradeable components. Overall the main concerns may arise around the curator or owner of the market being able to upgrade the fees which affect the convertToAssets accrual function to some degree based on how much fee is taken. The only cooldown noticeable is the time constraint for a curator to add new strategies to their vault, so LPs can decide to exit before they go into effect. Multisig management on these vaults is relatively standard to sub-standard. 3/7 and/or 2/6 based on my reviews. In summary this includes: Aave v3 Mainnet: - USDC - USDT - wETH Aave Mainnet Lido Instance: - wETH Aave Gnosis v3: - wETH - GNO - USDC.e --- rate-providers/MorphoERC4626RateProviders.md | 48 +++++++ rate-providers/registry.json | 138 +++++++++++-------- rate-providers/statATokenLMRateProvider.md | 66 --------- rate-providers/statATokenv2RateProvider.md | 119 ++++++++++++++++ 4 files changed, 245 insertions(+), 126 deletions(-) create mode 100644 rate-providers/MorphoERC4626RateProviders.md create mode 100644 rate-providers/statATokenv2RateProvider.md diff --git a/rate-providers/MorphoERC4626RateProviders.md b/rate-providers/MorphoERC4626RateProviders.md new file mode 100644 index 0000000..d3100c6 --- /dev/null +++ b/rate-providers/MorphoERC4626RateProviders.md 
@@ -0,0 +1,48 @@ +# Rate Provider: `ERC4626RateProvider` + +## Details +- Reviewed by: +- Checked by: +- Deployed at: + - Steakhouse USDC [ethereum:0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf](https://etherscan.io/address/0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf#code) + - Steakhouse USDT [ethereum:0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF](https://etherscan.io/address/0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF#code) + - Gauntlet Prime wETH [ethereum:0x0A25a2C62e3bA90F1e6F08666862df50cdAAB1F5](https://etherscan.io/address/0x0A25a2C62e3bA90F1e6F08666862df50cdAAB1F5#code) + + +- Audit report(s): + - [Security Reviews & Formal Verifications](https://docs.morpho.org/security-reviews/) + - [MetaMorpho Spearbit Audit](https://github.com/morpho-org/metamorpho/blob/main/audits/2023-11-14-metamorpho-cantina-managed-review.pdf) + +## Context +The ERC4626 RateProvider fetches the rate of MetaMorpho Vault tokens in terms of the underlying asset. The exchange rate is provided via the conversion between totalAssets and totalSupply. The Morpho contract only determines the potential market parameters, assets, collaterals, beneficiary, owner, fee, and cooldown periods related to the vault curator. There are no entry or exit fees, and no time locks for users to deposit and withdraw from this vault. + +## Review Checklist: Bare Minimum Compatibility +Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use. + +- [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface. +- [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals. + +## Review Checklist: Common Findings +Each of the items below represents a common red flag found in Rate Provider contracts. 
+ +If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider. + +### Administrative Privileges +- [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). + +- [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). + + + +### Oracles +- [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). + +- [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price). + +### Common Manipulation Vectors +- [ ] The Rate Provider is susceptible to donation attacks. + +## Conclusion +**Summary judgment: ** + +The Rate Providers should work well with Balancer pools. The underlying contracts have been audited and been in production for an extended period of time. diff --git a/rate-providers/registry.json b/rate-providers/registry.json index 9a91e71..a3983d1 100644 --- a/rate-providers/registry.json +++ b/rate-providers/registry.json 
@@ -1676,111 +1676,75 @@
 "factory": "",
 "upgradeableComponents": []
 },
- "0x84DC1c08c184de4164764c5a4d627339567702F2": {
- "asset": "0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6",
+ "0xBe7bE04807762Bc433911dD927fD54a385Fa91d6": {
+ "asset": "0x0bfc9d54Fc184518A81162F8fB99c2eACa081202",
 "name": "ERC4626RateProvider",
 "summary": "safe",
- "review": "./statATokenLMRateProvider.md",
+ "review": "./statATokenv2RateProvider.md",
 "warnings": [""],
 "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
 "upgradeableComponents": [
 {
- "entrypoint": "0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6",
- "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ "entrypoint": "0x0bfc9d54Fc184518A81162F8fB99c2eACa081202",
+ "implementationReviewed": "0x487c2C53c0866F0A73ae317bD1A28F63ADcD9aD1"
 },
 {
 "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
- "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ "implementationReviewed": "0xeF434E4573b90b6ECd4a00f4888381e4D0CC5Ccd"
 }
 ]
 },
- "0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933": {
- "asset": "0xaf270C38fF895EA3f95Ed488CEACe2386F038249",
+ "0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9": {
+ "asset": "0xD4fa2D31b7968E448877f69A96DE69f5de8cD23E",
 "name": "ERC4626RateProvider",
 "summary": "safe",
- "review": "./statATokenLMRateProvider.md",
+ "review": "./statATokenv2RateProvider.md",
 "warnings": [""],
 "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
 "upgradeableComponents": [
 {
- "entrypoint": "0xaf270C38fF895EA3f95Ed488CEACe2386F038249",
- "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ "entrypoint": "0xD4fa2D31b7968E448877f69A96DE69f5de8cD23E",
+ "implementationReviewed": "0x487c2C53c0866F0A73ae317bD1A28F63ADcD9aD1"
 },
 {
 "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
- "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ "implementationReviewed": "0xeF434E4573b90b6ECd4a00f4888381e4D0CC5Ccd"
 }
 ]
 },
- "0xdf546c8669682d5C197787A747dd45C9F4e0589E": {
- "asset": "0x252231882FB38481497f3C767469106297c8d93b",
+ "0xEdf63cce4bA70cbE74064b7687882E71ebB0e988": {
+ "asset": "0x7Bc3485026Ac48b6cf9BaF0A377477Fff5703Af8",
 "name": "ERC4626RateProvider",
 "summary": "safe",
- "review": "./statATokenLMRateProvider.md",
+ "review": "./statATokenv2RateProvider.md",
 "warnings": [""],
 "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
 "upgradeableComponents": [
 {
- "entrypoint": "0x252231882FB38481497f3C767469106297c8d93b",
- "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ "entrypoint": "0x7Bc3485026Ac48b6cf9BaF0A377477Fff5703Af8",
+ "implementationReviewed": "0x487c2C53c0866F0A73ae317bD1A28F63ADcD9aD1"
 },
 {
 "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
- "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
- }
- ]
- },
- "0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B": {
- "asset": "0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99",
- "name": "ERC4626RateProvider",
- "summary": "safe",
- "review": "./statATokenLMRateProvider.md",
- "warnings": [""],
- "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
- "upgradeableComponents": [
- {
- "entrypoint": "0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99",
- "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
- },
- {
- "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
- "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
- }
- ]
- },
- "0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1": {
- "asset": "0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152",
- "name": "ERC4626RateProvider",
- "summary": "safe",
- "review": "./statATokenLMRateProvider.md",
- "warnings": [""],
- "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
- "upgradeableComponents": [
- {
- "entrypoint": "0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152",
- "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
- },
- {
- "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
- "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ "implementationReviewed": "0xeF434E4573b90b6ECd4a00f4888381e4D0CC5Ccd"
 }
 ]
 },
- "0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514": {
- "asset": "0xEE66abD4D0f9908A48E08AE354B0f425De3e237E",
+ "0xf4b5D1C22F35a460b91edD7F33Cefe619E2fAaF4": {
+ "asset": "0x0FE906e030a44eF24CA8c7dC7B7c53A6C4F00ce9",
 "name": "ERC4626RateProvider",
 "summary": "safe",
- "review": "./statATokenLMRateProvider.md",
+ "review": "./statATokenv2RateProvider.md",
 "warnings": [""],
 "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec",
 "upgradeableComponents": [
 {
- "entrypoint": "0xEE66abD4D0f9908A48E08AE354B0f425De3e237E",
- "implementationReviewed": "0xc026f5dd7869e0ddc44a759ea3dec6d5cd8d996b"
+ "entrypoint": "0x0FE906e030a44eF24CA8c7dC7B7c53A6C4F00ce9",
+ "implementationReviewed": "0x487c2C53c0866F0A73ae317bD1A28F63ADcD9aD1"
 },
 {
 "entrypoint": "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2",
- "implementationReviewed": "0x5faab9e1adbddad0a08734be8a52185fd6558e14"
+ "implementationReviewed": "0xeF434E4573b90b6ECd4a00f4888381e4D0CC5Ccd"
 }
 ]
 }
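Review bot: `"summary": "safe"` on the four replacement entries now rests on `./statATokenv2RateProvider.md`, which this same patch adds with `- Reviewed by:` and `- Checked by:` left blank, so the registry records a verdict with no named reviewer or checker behind it. Both lines in the review file should be filled in before these entries merge; the same applies to the three entries added in the next hunk (`@@ -1968,6 +1932,60 @@`). The hunk also changes `implementationReviewed` for the shared Pool entrypoint `0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2` to `0xeF434E4573b90b6ECd4a00f4888381e4D0CC5Ccd`. Any registry entries outside this hunk that pin the same entrypoint to the earlier implementation are not visible here and should be checked for staleness.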
@@ -1968,6 +1932,60 @@
 "warnings": [],
 "factory": "0x15e86be6084c6a5a8c17732d398dfbc2ec574cec",
 "upgradeableComponents": []
+ },
+ "0x0008A59C1d2E5922790C929ea432ed02D4D3323A": {
+ "asset": "0x57f664882F762FA37903FC864e2B633D384B411A",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenv2RateProvider.md",
+ "warnings": [],
+ "factory": "",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x57f664882F762FA37903FC864e2B633D384B411A",
+ "implementationReviewed": "0x7CB7fdeEB5E71f322F8E39Be67959C32a6A3aAA3"
+ },
+ {
+ "entrypoint": "0xb50201558B00496A145fE76f7424749556E326D8",
+ "implementationReviewed": "0xF2C312BfAF4CF0429DB4DA15a0cf5F770Ea3E770"
+ }
+ ]
+ },
+ "0xbbb4966335677Ea24F7B86DC19a423412390e1fb": {
+ "asset": "0x7c16F0185A26Db0AE7a9377f23BC18ea7ce5d644",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenv2RateProvider.md",
+ "warnings": [],
+ "factory": "",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x7c16F0185A26Db0AE7a9377f23BC18ea7ce5d644",
+ "implementationReviewed": "0x7CB7fdeEB5E71f322F8E39Be67959C32a6A3aAA3"
+ },
+ {
+ "entrypoint": "0xb50201558B00496A145fE76f7424749556E326D8",
+ "implementationReviewed": "0xF2C312BfAF4CF0429DB4DA15a0cf5F770Ea3E770"
+ }
+ ]
+ },
+ "0x1529f6Af353E180867F257820843425B49B1b478": {
+ "asset": "0x51350d88c1bd32Cc6A79368c9Fb70373Fb71F375",
+ "name": "ERC4626RateProvider",
+ "summary": "safe",
+ "review": "./statATokenv2RateProvider.md",
+ "warnings": [],
+ "factory": "",
+ "upgradeableComponents": [
+ {
+ "entrypoint": "0x51350d88c1bd32Cc6A79368c9Fb70373Fb71F375",
+ "implementationReviewed": "0x7CB7fdeEB5E71f322F8E39Be67959C32a6A3aAA3"
+ },
+ {
+ "entrypoint": "0xb50201558B00496A145fE76f7424749556E326D8",
+ "implementationReviewed": "0xF2C312BfAF4CF0429DB4DA15a0cf5F770Ea3E770"
+ }
+ ]
 }
 },
 "mode": {
diff --git a/rate-providers/statATokenLMRateProvider.md b/rate-providers/statATokenLMRateProvider.md
index 76b3600..bb97e08 100644
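Review bot: The three added entries set `"factory": ""`, whereas the mainnet entries in this patch series name `0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec`, so nothing in the registry ties these rate-provider deployments to known factory bytecode. If they were created by a factory, record its address in `"factory"`; if they were deployed directly, the linked review should state that the deployed code was compared against the reviewed `ERC4626RateProvider` source. The part of `statATokenv2RateProvider.md` that would list the admin and timelock for entrypoint `0xb50201558B00496A145fE76f7424749556E326D8` lies outside the visible page, so that could not be checked here.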
--- a/rate-providers/statATokenLMRateProvider.md +++ b/rate-providers/statATokenLMRateProvider.md @@ -7,12 +7,6 @@ - [ethereum:0xda3E8CD08753a05Ed4103aF28c69C47e35d6D8Da](https://etherscan.io/address/0xda3E8CD08753a05Ed4103aF28c69C47e35d6D8Da#code) - [ethereum:0x3fc2eada4FE8ecc835E74D295b9447B4A4475bAE](https://etherscan.io/address/0x3fc2eada4FE8ecc835E74D295b9447B4A4475bAE#code) - [ethereum:0x159aa33322918C12a08d8b83a215836781C2682F](https://etherscan.io/address/0x159aa33322918C12a08d8b83a215836781C2682F#code) - - [ethereum:0x84DC1c08c184de4164764c5a4d627339567702F2](https://etherscan.io/address/0x84DC1c08c184de4164764c5a4d627339567702F2#code) - - [ethereum:0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933](https://etherscan.io/address/0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933#code) - - [ethereum:0xdf546c8669682d5C197787A747dd45C9F4e0589E](https://etherscan.io/address/0xdf546c8669682d5C197787A747dd45C9F4e0589E#code) - - [ethereum:0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B](https://etherscan.io/address/0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B#code) - - [ethereum:0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1](https://etherscan.io/address/0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1#code) - - [ethereum:0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514](https://etherscan.io/address/0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514#code) - [polygon:0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531](https://polygonscan.com/address/0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531) - [polygon:0x9977a61a6aa950044d4dcD8aA0cAb76F84ea5aCd](https://polygonscan.com/address/0x9977a61a6aa950044d4dcD8aA0cAb76F84ea5aCd) - [arbitrum:0x87cD462A781c0ca843EAB131Bf368328848bB6fD](https://arbiscan.io/address/0x87cd462a781c0ca843eab131bf368328848bb6fd) 
@@ -78,66 +72,6 @@ If none of these is checked, then this might be a pretty great Rate Provider! If - admin type: Aave governance system. - multisig timelock? YES: 24 hours - - [ethereum:0x84DC1c08c184de4164764c5a4d627339567702F2](https://etherscan.io/address/0x84DC1c08c184de4164764c5a4d627339567702F2#code) - - upgradeable component: `StaticATokenLM` ([ethereum:0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6](https://etherscan.io/address/0x73edDFa87C71ADdC275c2b9890f5c3a8480bC9E6#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours. - - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours - - - [ethereum:0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933](https://etherscan.io/address/0x72EaE42E2A70C2A9b5eFe2B7DF686B16b198e933#code) - - upgradeable component: `StaticATokenLM` ([ethereum:0xaf270C38fF895EA3f95Ed488CEACe2386F038249](https://etherscan.io/address/0xaf270C38fF895EA3f95Ed488CEACe2386F038249#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours. 
- - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours - - - [ethereum:0xdf546c8669682d5C197787A747dd45C9F4e0589E](https://etherscan.io/address/0xdf546c8669682d5C197787A747dd45C9F4e0589E#code) - - upgradeable component: `StaticATokenLM` ([ethereum:0x252231882FB38481497f3C767469106297c8d93b](https://etherscan.io/address/0x252231882FB38481497f3C767469106297c8d93b#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours. - - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours - - - [ethereum:0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B](https://etherscan.io/address/0xe3c401FFADb925ffE361A202E7e7B373d72aFB3B#code) - - upgradeable component: `StaticATokenLM` ([ethereum:0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99](https://etherscan.io/address/0x46e5d6A33C8Bd8eD38F3c95991C78C9B2FF3bC99#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours. 
- - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours - - - [ethereum:0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1](https://etherscan.io/address/0x98449Aa73Fb2c67D1AA78A1d4C9B9df5193d7fe1#code) - - upgradeable component: `StaticATokenLM` ([ethereum:0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152](https://etherscan.io/address/0x00F2a835758B33f3aC53516Ebd69f3dc77B0D152#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours. - - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours - - - [ethereum:0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514](https://etherscan.io/address/0x0d0668aFb616Edc3559C6aF9939deCd0fCB5B514#code) - - upgradeable component: `StaticATokenLM` ([ethereum:0xEE66abD4D0f9908A48E08AE354B0f425De3e237E](https://etherscan.io/address/0xEE66abD4D0f9908A48E08AE354B0f425De3e237E#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours. 
- - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract)) - - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code) - - admin type: Aave governance system. - - multisig timelock? YES: 24 hours - - [polygon:0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531](https://polygonscan.com/address/0x7d10050F608c8EFFf118eDd1416D82a0EF2d7531) - upgradeable component: `StaticATokenLM` ([polygon:0x2dCa80061632f3F87c9cA28364d1d0c30cD79a19](https://polygonscan.com/address/0x2dCa80061632f3F87c9cA28364d1d0c30cD79a19#readProxyContract)) - admin address: [polygon:0xDf7d0e6454DB638881302729F5ba99936EaAB233](https://polygonscan.com/address/0xDf7d0e6454DB638881302729F5ba99936EaAB233#code) diff --git a/rate-providers/statATokenv2RateProvider.md b/rate-providers/statATokenv2RateProvider.md new file mode 100644 index 0000000..c1400d8 --- /dev/null +++ b/rate-providers/statATokenv2RateProvider.md 
@@ -0,0 +1,119 @@
+# Rate Provider: `ERC4626RateProvider`
+
+## Details
+- Reviewed by:
+- Checked by:
+- Deployed at:
+ - wETH [ethereum:0xBe7bE04807762Bc433911dD927fD54a385Fa91d6](https://etherscan.io/address/0xBe7bE04807762Bc433911dD927fD54a385Fa91d6#code)
+ - USDC [ethereum:0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9](https://etherscan.io/address/0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9#code)
+ - USDT [ethereum:0xEdf63cce4bA70cbE74064b7687882E71ebB0e988](https://etherscan.io/address/0xEdf63cce4bA70cbE74064b7687882E71ebB0e988#code)
+ - Lido wETH [ethereum:0xf4b5D1C22F35a460b91edD7F33Cefe619E2fAaF4](https://etherscan.io/address/0xf4b5D1C22F35a460b91edD7F33Cefe619E2fAaF4#code)
+
+ - wETH [gnosis:0x0008A59C1d2E5922790C929ea432ed02D4D3323A](https://gnosisscan.io/address/0x0008A59C1d2E5922790C929ea432ed02D4D3323A#readContract)
+ - GNO [gnosis:0xbbb4966335677Ea24F7B86DC19a423412390e1fb](https://gnosisscan.io/address/0xbbb4966335677Ea24F7B86DC19a423412390e1fb#code)
+ - USDC.e [gnosis:0x1529f6Af353E180867F257820843425B49B1b478](https://gnosisscan.io/address/0x1529f6Af353E180867F257820843425B49B1b478#code)
+
+- Audit report(s):
+ - [Formal Verification Report For StaticAToken](https://github.com/aave-dao/aave-v3-origin/blob/067d29eb75115179501edc4316d125d9773f7928/audits/11-09-2024_Certora_StataTokenV2.pdf)
+
+## Context
+The ERC4626 RateProvider fetches the rate of Static Aave Tokens in terms of USDC or USDT. The exchange rate is provided by the Aave V3 `POOL` and fetched via `getReserveNormalizedIncome` from the pool and wrapped as part of the `convertToAsset` call to the `StataTokenV2`.
+
+## Review Checklist: Bare Minimum Compatibility
+Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use.
+
+- [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface.
+- [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals.
+
+## Review Checklist: Common Findings
+Each of the items below represents a common red flag found in Rate Provider contracts.
+
+If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider.
+
+### Administrative Privileges
+- [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address).
+
+- [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price).
+ - [ethereum:0xBe7bE04807762Bc433911dD927fD54a385Fa91d6](https://etherscan.io/address/0xBe7bE04807762Bc433911dD927fD54a385Fa91d6#code)
+ - upgradeable component: `StataTokenV2` ([ethereum:0x0bfc9d54Fc184518A81162F8fB99c2eACa081202](https://etherscan.io/address/0x0bfc9d54Fc184518A81162F8fB99c2eACa081202#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+ - [ethereum:0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9](https://etherscan.io/address/0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9#code)
+ - upgradeable component: `StataTokenV2` ([ethereum:0xD4fa2D31b7968E448877f69A96DE69f5de8cD23E](https://etherscan.io/address/0xD4fa2D31b7968E448877f69A96DE69f5de8cD23E#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+ - [ethereum:0xEdf63cce4bA70cbE74064b7687882E71ebB0e988](https://etherscan.io/address/0xEdf63cce4bA70cbE74064b7687882E71ebB0e988#code)
+ - upgradeable component: `StataTokenV2` ([ethereum:0x7Bc3485026Ac48b6cf9BaF0A377477Fff5703Af8](https://etherscan.io/address/0x7Bc3485026Ac48b6cf9BaF0A377477Fff5703Af8#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+ - [ethereum:0xf4b5D1C22F35a460b91edD7F33Cefe619E2fAaF4](https://etherscan.io/address/0xf4b5D1C22F35a460b91edD7F33Cefe619E2fAaF4#code)
+ - upgradeable component: `StataTokenV2` ([ethereum:0x0FE906e030a44eF24CA8c7dC7B7c53A6C4F00ce9](https://etherscan.io/address/0x0FE906e030a44eF24CA8c7dC7B7c53A6C4F00ce9#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `Pool` ([ethereum:0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2](https://etherscan.io/address/0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2#readProxyContract))
+ - admin address: [ethereum:0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A](https://etherscan.io/address/0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+ - [gnosis:0x0008A59C1d2E5922790C929ea432ed02D4D3323A](https://gnosisscan.io/address/0x0008A59C1d2E5922790C929ea432ed02D4D3323A#readProxyContract)
+ - upgradeable component: `StataTokenV2` ([gnosis:0x57f664882F762FA37903FC864e2B633D384B411A](https://gnosisscan.io/address/0x57f664882F762FA37903FC864e2B633D384B411A#readProxyContract))
+ - admin address: [gnosis:0x1dF462e2712496373A347f8ad10802a5E95f053D](https://gnosisscan.io/address/0x1dF462e2712496373A347f8ad10802a5E95f053D)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `L2Pool` ([gnosis:0xb50201558B00496A145fE76f7424749556E326D8](https://gnosisscan.io/address/0xb50201558B00496A145fE76f7424749556E326D8#code))
+ - admin address: [gnosis:0x1dF462e2712496373A347f8ad10802a5E95f053D](https://gnosisscan.io/address/0x1dF462e2712496373A347f8ad10802a5E95f053D#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+ - [gnosis:0xbbb4966335677Ea24F7B86DC19a423412390e1fb](https://gnosisscan.io/address/0xbbb4966335677Ea24F7B86DC19a423412390e1fb#readProxyContract)
+ - upgradeable component: `StataTokenV2` ([gnosis:0x7c16F0185A26Db0AE7a9377f23BC18ea7ce5d644](https://gnosisscan.io/address/0x7c16F0185A26Db0AE7a9377f23BC18ea7ce5d644#readProxyContract))
+ - admin address: [gnosis:0x1dF462e2712496373A347f8ad10802a5E95f053D](https://gnosisscan.io/address/0x1dF462e2712496373A347f8ad10802a5E95f053D)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `L2Pool` ([gnosis:0xb50201558B00496A145fE76f7424749556E326D8](https://gnosisscan.io/address/0xb50201558B00496A145fE76f7424749556E326D8#code))
+ - admin address: [gnosis:0x1dF462e2712496373A347f8ad10802a5E95f053D](https://gnosisscan.io/address/0x1dF462e2712496373A347f8ad10802a5E95f053D#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+ - [gnosis:0x1529f6Af353E180867F257820843425B49B1b478](https://gnosisscan.io/address/0x1529f6Af353E180867F257820843425B49B1b478#readProxyContract)
+ - upgradeable component: `StataTokenV2` ([gnosis:0x51350d88c1bd32Cc6A79368c9Fb70373Fb71F375](https://gnosisscan.io/address/0x51350d88c1bd32Cc6A79368c9Fb70373Fb71F375.#readProxyContract))
+ - admin address: [gnosis:0x1dF462e2712496373A347f8ad10802a5E95f053D](https://gnosisscan.io/address/0x1dF462e2712496373A347f8ad10802a5E95f053D)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours.
+ - upgradeable component: `L2Pool` ([gnosis:0xb50201558B00496A145fE76f7424749556E326D8](https://gnosisscan.io/address/0xb50201558B00496A145fE76f7424749556E326D8#code))
+ - admin address: [gnosis:0x1dF462e2712496373A347f8ad10802a5E95f053D](https://gnosisscan.io/address/0x1dF462e2712496373A347f8ad10802a5E95f053D#code)
+ - admin type: Aave governance system.
+ - multisig timelock? YES: 24 hours
+
+
+### Oracles
+- [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes).
+
+- [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price).
+
+### Common Manipulation Vectors
+- [ ] The Rate Provider is susceptible to donation attacks.
+
+## Conclusion
+**Summary judgment: SAFE**
+
+The Rate Providers should work well with Balancer pools. The underlying contracts have been audited and been in production for an extended period of time. The upgradeability of the underlying Aave protocol is guarded behind decentralized governance and has a minimum execution delay of 24 hours.
From 30b534ae39f0390beb7c6e92bbe84c07e0dac1ad Mon Sep 17 00:00:00 2001 From: Zen-Maxi <85650601+Zen-Maxi@users.noreply.github.com> Date: Thu, 5 Dec 2024 16:12:32 -0500 Subject: [PATCH 3/5] Adding csUSDL Morpho Vault Underling asset is Lift dollars wUSDL https://etherscan.io/address/0x7751E2F4b8ae93EF6B79d86419d42FE3295A4559 from Paxos. The curator is Steakhouse using their 2/4 multisig https://etherscan.io/address/0x255c7705e8BB334DfCae438197f7C4297988085a#readProxyContract The owner is a 3/5 Multisig https://etherscan.io/address/0xc01Ba42d4Bd241892B813FA8bD4589EAA4C60672#readProxyContract The only potential timelock is not corresponding to LPs or suppliers, there is only a 1 week timelock between when the risk curator can propose a strategy update and when it is executed. --- rate-providers/MorphoERC4626RateProviders.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/rate-providers/MorphoERC4626RateProviders.md b/rate-providers/MorphoERC4626RateProviders.md index d3100c6..ebb66a5 100644 --- a/rate-providers/MorphoERC4626RateProviders.md +++ b/rate-providers/MorphoERC4626RateProviders.md @@ -6,6 +6,7 @@ - Deployed at: - Steakhouse USDC [ethereum:0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf](https://etherscan.io/address/0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf#code) - Steakhouse USDT [ethereum:0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF](https://etherscan.io/address/0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF#code) + - Steakhouse wUSDL - csUSDL [ethereum:0xbEc8a14233e68C02e803B999DbA3D0f9C5076394](https://etherscan.io/address/0xbEc8a14233e68C02e803B999DbA3D0f9C5076394#code) - Gauntlet Prime wETH [ethereum:0x0A25a2C62e3bA90F1e6F08666862df50cdAAB1F5](https://etherscan.io/address/0x0A25a2C62e3bA90F1e6F08666862df50cdAAB1F5#code) From 5a10378106b00ba2a442520701e79c98213a5b51 Mon Sep 17 00:00:00 2001 From: mkflow27 Date: Fri, 6 Dec 2024 17:30:18 +0100 Subject: [PATCH 4/5] review: add morpho info --- rate-providers/MorphoERC4626RateProviders.md | 34 ++++++++++++---- rate-providers/registry.json | 42 ++++++++++++++++++++ rate-providers/statATokenv2RateProvider.md | 2 +- 3 files changed, 70 insertions(+), 8 deletions(-) diff --git a/rate-providers/MorphoERC4626RateProviders.md b/rate-providers/MorphoERC4626RateProviders.md index d3100c6..9134ea6 100644 --- a/rate-providers/MorphoERC4626RateProviders.md +++ b/rate-providers/MorphoERC4626RateProviders.md @@ -1,7 +1,7 @@ # Rate Provider: `ERC4626RateProvider` ## Details -- Reviewed by: +- Reviewed by: @mkflow27 - Checked by: - Deployed at: - Steakhouse USDC [ethereum:0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf](https://etherscan.io/address/0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf#code) 
@@ -30,10 +30,30 @@ If none of these is checked, then this might be a pretty great Rate Provider! If ### Administrative Privileges - [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address). -- [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). - - - +- [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price). + Part of the rate computation relies of `totalAssets` being calculated. This function iterates over a list of Ids. This list of Ids can be changed by the Allocator role. The potential impact has not been thoroughly investigated. There are however protections in place to protect against invalid changes such as + - `revert ErrorsLib.DuplicateMarket(id);` + - `revert ErrorsLib.InvalidMarketRemovalNonZeroCap(id);` + - `revert ErrorsLib.PendingCap(id);` + - `ErrorsLib.InvalidMarketRemovalNonZeroSupply(id);` + - `ErrorsLib.InvalidMarketRemovalTimelockNotElapsed(id);` + + #### Steakhouse USDC + For [Steakhouse USDC](https://etherscan.io/address/0xBEEF01735c132Ada46AA9aA4c54623cAA92A64CB) some allocators are eoas. + - 0x0D61C8b6CA9669A36F351De3AE335e9689dd9C5b + - 0xcC771952fdE840E30C6802734e5ad20479c2959f + - 0xfd32fA2ca22c76dD6E550706Ad913FC6CE91c75D + - 0xfeed46c11F57B7126a773EeC6ae9cA7aE1C03C9a + #### Steakhouse USDT + For [Steakhouse USDT](https://etherscan.io/address/0xbEef047a543E45807105E51A8BBEFCc5950fcfBa) some allocators are eoas. + - 0xfeed46c11F57B7126a773EeC6ae9cA7aE1C03C9a + - 0xfd32fA2ca22c76dD6E550706Ad913FC6CE91c75D + - 0x29d4CDFee8F533af8529A9e1517b580E022874f7 + #### Gauntlet Prime wETH + For [Gauntlet Prime wETH](https://etherscan.io/address/0x2371e134e3455e0593363cBF89d3b6cf53740618) some allocators are eoas. 
+ - 0xfd32fA2ca22c76dD6E550706Ad913FC6CE91c75D + - 0x959d73CB5a1C1ad7EbCE3eC93FAD3b2f9a25432E + ### Oracles - [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). @@ -43,6 +63,6 @@ If none of these is checked, then this might be a pretty great Rate Provider! If - [ ] The Rate Provider is susceptible to donation attacks. ## Conclusion -**Summary judgment: ** +**Summary judgment: USABLE** -The Rate Providers should work well with Balancer pools. The underlying contracts have been audited and been in production for an extended period of time. +The Rate Providers should work well with Balancer pools. The underlying contracts have been audited and been in production for an extended period of time. diff --git a/rate-providers/registry.json b/rate-providers/registry.json index d09e5e0..8fdc53d 100644 --- a/rate-providers/registry.json +++ b/rate-providers/registry.json 
@@ -1756,6 +1756,48 @@ "warnings": [""], "factory": "0x467665D4ae90e7A99c9C9AF785791058426d6eA0", "upgradeableComponents": [] + }, + "0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf": { + "asset": "0xBEEF01735c132Ada46AA9aA4c54623cAA92A64CB", + "name": "ERC4626RateProvider", + "summary": "safe", + "review": "./MorphoERC4626RateProviders.md", + "warnings": ["eoaUpgradeable"], + "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec", + "upgradeableComponents": [ + { + "entrypoint": "0xBEEF01735c132Ada46AA9aA4c54623cAA92A64CB", + "implementationReviewed": "0xBEEF01735c132Ada46AA9aA4c54623cAA92A64CB" + } + ] + }, + "0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF": { + "asset": "0xbEef047a543E45807105E51A8BBEFCc5950fcfBa", + "name": "ERC4626RateProvider", + "summary": "safe", + "review": "./MorphoERC4626RateProviders.md", + "warnings": ["eoaUpgradeable"], + "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec", + "upgradeableComponents": [ + { + "entrypoint": "0xbEef047a543E45807105E51A8BBEFCc5950fcfBa", + "implementationReviewed": "0xbEef047a543E45807105E51A8BBEFCc5950fcfBa" + } + ] + }, + "0x0A25a2C62e3bA90F1e6F08666862df50cdAAB1F5": { + "asset": "0x2371e134e3455e0593363cBF89d3b6cf53740618", + "name": "ERC4626RateProvider", + "summary": "safe", + "review": "./MorphoERC4626RateProviders.md", + "warnings": ["eoaUpgradeable"], + "factory": "0xFC541f8d8c5e907E236C8931F0Df9F58e0C259Ec", + "upgradeableComponents": [ + { + "entrypoint": "0x2371e134e3455e0593363cBF89d3b6cf53740618", + "implementationReviewed": "0x2371e134e3455e0593363cBF89d3b6cf53740618" + } + ] } }, "fantom": { diff --git a/rate-providers/statATokenv2RateProvider.md b/rate-providers/statATokenv2RateProvider.md index c1400d8..cd17644 100644 --- a/rate-providers/statATokenv2RateProvider.md +++ b/rate-providers/statATokenv2RateProvider.md 
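Review bot: `"summary": "safe"` on the three Morpho entries added here contradicts the review they point to: `./MorphoERC4626RateProviders.md`, as changed in this same patch, concludes `Summary judgment: USABLE` and says the impact of the Allocator role changing the market id list behind `totalAssets` "has not been thoroughly investigated". Anything that filters on `summary` alone would treat these vaults as fully vetted, so the registry value and the written judgment should be made to agree before merge. Each `upgradeableComponents` item also sets `implementationReviewed` to the same address as its `entrypoint`; if tooling compares that field with a proxy's live implementation, it presumably cannot notice the change the review is concerned about, which is an EOA allocator altering vault state rather than a code upgrade, so `"warnings": ["eoaUpgradeable"]` is the only machine-readable signal. The Steakhouse wUSDL - csUSDL provider `0xbEc8a14233e68C02e803B999DbA3D0f9C5076394` that PATCH 3/5 adds to the review's deployment list has no entry in this hunk; confirm whether that is intentional.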
@@ -2,7 +2,7 @@ ## Details - Reviewed by: -- Checked by: +- Checked by: @mkflow27 - Deployed at: - wETH [ethereum:0xBe7bE04807762Bc433911dD927fD54a385Fa91d6](https://etherscan.io/address/0xBe7bE04807762Bc433911dD927fD54a385Fa91d6#code) - USDC [ethereum:0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9](https://etherscan.io/address/0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9#code) From fba7c0e7fa398c749ff8eaf4fee24b992265583f Mon Sep 17 00:00:00 2001 From: Daniel Date: Mon, 9 Dec 2024 19:39:23 +0800 Subject: [PATCH 5/5] Add checked by --- rate-providers/MorphoERC4626RateProviders.md | 2 +- rate-providers/statATokenv2RateProvider.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rate-providers/MorphoERC4626RateProviders.md b/rate-providers/MorphoERC4626RateProviders.md index f30e00f..20a4472 100644 --- a/rate-providers/MorphoERC4626RateProviders.md +++ b/rate-providers/MorphoERC4626RateProviders.md @@ -2,7 +2,7 @@ ## Details - Reviewed by: @mkflow27 -- Checked by: +- Checked by: @danielmkm - Deployed at: - Steakhouse USDC [ethereum:0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf](https://etherscan.io/address/0xc81D60E39e065146c6dE186fFC5B39e4CA2189Cf#code) - Steakhouse USDT [ethereum:0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF](https://etherscan.io/address/0x50A72232c5370321aa78036BaDe8e9d5eB89cbAF#code) diff --git a/rate-providers/statATokenv2RateProvider.md b/rate-providers/statATokenv2RateProvider.md index cd17644..54c8e58 100644 --- a/rate-providers/statATokenv2RateProvider.md +++ b/rate-providers/statATokenv2RateProvider.md 
@@ -1,8 +1,8 @@ # Rate Provider: `ERC4626RateProvider` ## Details -- Reviewed by: -- Checked by: @mkflow27 +- Reviewed by: @mkflow27 +- Checked by: @danielmkm - Deployed at: - wETH [ethereum:0xBe7bE04807762Bc433911dD927fD54a385Fa91d6](https://etherscan.io/address/0xBe7bE04807762Bc433911dD927fD54a385Fa91d6#code) - USDC [ethereum:0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9](https://etherscan.io/address/0x8f4E8439b970363648421C692dd897Fb9c0Bd1D9#code)