- Total Prize Pool: $36,500 USDC
- HM awards: $24,750 USDC
- Analysis awards: $1,500 USDC
- QA awards: $750 USDC
- Bot Race awards: $2,250 USDC
- Gas awards: $750 USDC
- Judge awards: $3,600 USDC
- Lookout awards: $2,400 USDC
- Scout awards: $500 USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts January 19th, 2024 20:00 UTC
- Ends January 22, 2024 20:00 UTC
The 4naly3er report can be found here.
Automated findings output for the audit can be found here within 24 hours of audit opening.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Decent allows for single click transactions on any chain, paid for from any source chain / token. i.e. suppose I want to mint an NFT on optimism, but only have funds on Base, I can send that transaction, paying with DAI on Base, to receive my funds on Optimism.
The two libraries Decent uses to do so are UTB, which handles the routing of cross chain transactions and passes them through a selected bridge, and decent-bridge, which is decent's custom bridge built on top of layerzero's OFT standard.
UTB calls one of two functions, swapAndExecute, or bridgeAndExecute. As their names suggest, swapAndExecute performs same-chain txs for a user (from potentially diff payment tokens), and bridgeAndExecute performs cross-chain txs for a user.
In efforts of being generalizable, different swappers and bridgeAdapters can be added to UTB.
All swappers must implement ISwapper, as can be seen in UniSwapper.sol. Similarly, all bridgeAdapters must implement IBridgeAdapter, and examples can be seen with DecentBridgeAdapter and StargateBridgeAdapter.
UTBExecutor executes any additional logic for UTB (i.e. minting an nft)
The DecentBridge is built on top of layer zero's OFT contract, and additional implementation information can be found in the decent-bridge README.
This checklist in Notion provides some best practices for Code4rena audits.
- Documentation: docs.decent.xyz
- decent.xyz: decent.xyz
- Twitter: decentxyz
| Contract | SLOC | Purpose | Libraries used |
|---|---|---|---|
| src/UTB.sol | 232 | Calls swapAndExeucte and bridgeAndExecute |
|
| src/UTBExecutor.sol | 52 | Calls the executor for esxternal contract calls | |
| src/UTBFeeCollector.sol | 50 | Collects fees on UTB contract calls | |
| src/bridge_adapters/BaseAdapter.sol | 16 | Standard functionality for each bridge adapter | |
| src/bridge_adapters/DecentBridgeAdapter.sol | 137 | adapter impl for decent bridge | |
| src/bridge_adapters/StargateBridgeAdapter.sol | 190 | adapter impl for stargate bridge | |
| src/swappers/SwapParams.sol | 13 | params for swapper files | |
| src/swappers/UniSwapper.sol | 145 | implementation of ISwapper for UniV3 | |
| lib/decent-bridge/src/DcntEth.sol | 27 | OFTV2 implementation for DcntEth | OFTV2 |
| lib/decent-bridge/src/DecentEthRouter.sol | 290 | Core bridge logic | |
| lib/decent-bridge/src/DecentBridgeExecutor.sol | 57 | makes external contract calls |
- All libs besides
decent-bridgeare out of scope
- Protocol is expected to interact with any erc20 with dex liquidity, as it can be potential payment token for
swapAndExecuteorbridgeAndExecute - Protocol is theoretically expected to interact with any erc721, such as through minting them in
swapAndExecuteorbridgeAndExecute - Will be deployed to most blockchains, can consider scope of blockchains to those supported by layerzero for now (listed on website)
DecentEth.sol: Should comply with theERC-20standard
- Arbitrary Calldata: The ability to send arbitrary calldata through the protocol is one area to focus on. Namely a user should not be able to interact with the protocol to perform a swap or transfer of funds on their behalf, unless they have sent or approved those funds for use.
- Fund Accumulation: Other than the UTBFeeCollector, and DcntEth, the contracts are not intended to hold on to any funds or unnecessary approvals. Any native value or erc20 flowing through the protocol should either get delivered or refunded.
- Destination Chain Failures: Transactions that revert on the destination chain can potentially place user’s funds at risk of being lost. Any edge cases should be properly handled such that the user is issued a refund on the destination chain.
- If you have a public code repo, please share it here: github.com/decentxyz/UTB, github.com/decentxyz/decent-bridge note that the UTB branch is `develop`
- How many contracts are in scope?: 11
- Total SLoC for these contracts?: 1193
- How many separate interfaces and struct definitions are there for the contracts within scope?: 11 interfaces
- What is the overall line coverage percentage provided by your tests?: 75
- Check all that apply: ERC20, Multi-Chain, Uses L2
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: knowledge of lz would be helpful
- Is this either a fork of or an alternate implementation of another project?: no
- Does it use a side-chain?: can be deployed to polygon
To setup the repo, first run forge install + pnpm i
To run the tests, simply add the relevant files to your .env, referencing .env.example, then run forge test.
Note: Many wardens run Slither as a first pass for testing. Please document any known errors with no workaround.
Employees of Decent.xyz and employees' family members are ineligible to participate in this audit.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent