If you notice some outdated information please let us know!
Process Quality Review (0.8)
Rari Capital
-25%(Penalty)
FAIL
Security Incidents
Scoring Appendix
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the audit looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
- Here is my smart contract on the blockchain
- You can see it matches a software repository used to develop the code
- Here is the documentation that explains what my smart contract does
- Here are the tests I ran to verify my smart contract
- Here are the audit(s) performed to review my code by third party experts
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
Smart Contracts & Team
93%
This section looks at the code deployed on the relevant chain that gets reviewed and its corresponding software repository. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
They can be found at https://docs.rari.capital/contracts/#fuse, as indicated in the Appendix. -
2. How active is the primary contract? (%)
Contract Rari-USDC Pool is used more than 10 times a month, as indicated in the Appendix.
3. Does the protocol have a public software repository? (Y/N)
Location: https://github.com/Rari-Capital
4. Is there a development history visible? (%)
Their FUSE repository has some 330 contracts, making this tribe's history a well documented cave painting.
5. Is the team public (not anonymous)?
Multiple public team members are documented and they confirm their contributions to Rari.
Documentation
96%
This section looks at the software documentation. The document explaining these questions is here.
6. Is there a whitepaper? (Y/N)
Location: https://docs.rari.capital/
7. Is the protocol's software architecture documented? (Y/N)
This protocol's software architecture is documented in multiple locations, but the most complete diagram is in their repository.
8. Does the software documentation fully cover the deployed contracts' source code? (%)
There is full coverage of deployed contracts by software function documentation. The Fuse and Yield Aggregation modules are all well documented.
9. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
There is partial traceability between software documentation and implemented code. While Rari vaults are fully traceable, there is non-explicit traceability in their fuse documentation.
Testing
42%
10. Has the protocol tested their deployed code? (%)
Code examples are in the Appendix at the end of this report.. As per the SLOC, there is 65% testing to code (TtC). This score is guided by the Test to Code ratio (TtC). Generally a good test to code ratio is over 100%. However, the reviewer's best judgement is the final deciding factor.
11. How covered is the protocol's code? (%)
No tests for code coverage are documented in either their vault or fuse repositories. There is some evidence of testing given the TtC score nonetheless.
12. Does the protocol provide scripts and instructions to run their tests? (Y/N)
Scripts/Instructions location: https://github.com/Rari-Capital/vaults#run-tests
13. Is there a detailed report of the protocol's test results?(%)
There is no documented test report by Rari's developers. In addition, there is no code coverage report.
14. Has the protocol undergone Formal Verification? (Y/N)
Rari has not undergone formal verification.
15. Were the smart contracts deployed to a testnet? (Y/N)
Rari does not document whether or not they use testnets. However, other sources identify that they use internal testnets.
Security
91%
This section looks at the 3rd party software audits done. It is explained in this document.
16. Is the protocol sufficiently audited? (%)
All of Rari's strapiucts have been audited multiple times. Some were pre-deployment and some were post-deployment.
17. Is the bounty value acceptably high (%)
Rari's is covered by the Tribe's $2.2m bug bounty.
Admin Controls
0%
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
18. Is the protocol's admin control information easy to find?
No admin control information is detailed in Rari's documentation.
19. Are relevant contracts clearly labelled as upgradeable or immutable? (%)
The relevant contracts are not identified as immutable / upgradeable.
20. Is the type of smart contract ownership clearly indicated? (%)
Ownership is not clearly indicated in Rari's documentation. There is a brief mention of a Rari governance token, but there is no explanation as to what it does.
21. Are the protocol's smart contract change capabilities described? (%)
Smart contract change capabilities are not identified in any of Rari's contracts.
22. Is the protocol's admin control information easy to understand? (%)
There is no information documented.
23. Is there sufficient Pause Control documentation? (%)
This protocol's pause control is not documented.
24. Is there sufficient Timelock documentation? (%)
Rari has no timelock documentation.
25. Is the Timelock of an adequate length? (Y/N)
There is no information documented. Rari does not mentioned a timelock.
Oracles
25%
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
26. Is the protocol's Oracle sufficiently documented? (%)
The protocol's oracle source is documented at this location. The contracts dependent are not identified. There is no relevant software function documentation.
27. Is front running mitigated by this protocol? (Y/N)
This protocol documents no front running mitigation techniques.
28. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
Rari documents no flashloan countermeasures.
Appendices
1// SPDX-License-Identifier: AGPL-3.0-only
2pragma solidity 0.8.10;
3
4import {Auth} from "solmate/auth/Auth.sol";
5import {ERC4626} from "solmate/mixins/ERC4626.sol";
6
7import {SafeCastLib} from "solmate/utils/SafeCastLib.sol";
8import {SafeTransferLib} from "solmate/utils/SafeTransferLib.sol";
9import {FixedPointMathLib} from "solmate/utils/FixedPointMathLib.sol";
10
11import {WETH} from "solmate/tokens/WETH.sol";
12import {ERC20} from "solmate/tokens/ERC20.sol";
13import {Strategy, ERC20Strategy, ETHStrategy} from "./interfaces/Strategy.sol";
14
15/// @title Rari Vault (rvToken)
16/// @author Transmissions11 and JetJadeja
17/// @notice Flexible, minimalist, and gas-optimized yield
18/// aggregator for earning interest on any ERC20 token.
19contract Vault is ERC4626, Auth {
20 using SafeCastLib for uint256;
21 using SafeTransferLib for ERC20;
22 using FixedPointMathLib for uint256;
23
24 /*///////////////////////////////////////////////////////////////
25 CONSTANTS
26 //////////////////////////////////////////////////////////////*/
27
28 /// @notice The maximum number of elements allowed on the withdrawal stack.
29 /// @dev Needed to prevent denial of service attacks by queue operators.
30 uint256 internal constant MAX_WITHDRAWAL_STACK_SIZE = 32;
31
32 /*///////////////////////////////////////////////////////////////
33 IMMUTABLES
34 //////////////////////////////////////////////////////////////*/
35
36 /// @notice The underlying token the Vault accepts.
37 ERC20 public immutable UNDERLYING;
38
39 /// @notice The base unit of the underlying token and hence rvToken.
40 /// @dev Equal to 10 ** decimals. Used for fixed point arithmetic.
41 uint256 internal immutable BASE_UNIT;
42
43 /// @notice Creates a new Vault that accepts a specific underlying token.
44 /// @param _UNDERLYING The ERC20 compliant token the Vault should accept.
45 constructor(ERC20 _UNDERLYING)
46 ERC4626(
47 // Underlying token
48 _UNDERLYING,
49 // ex: Rari Dai Stablecoin Vault
50 string(abi.encodePacked("Rari ", _UNDERLYING.name(), " Vault")),
51 // ex: rvDAI
52 string(abi.encodePacked("rv", _UNDERLYING.symbol()))
53 )
54 Auth(Auth(msg.sender).owner(), Auth(msg.sender).authority())
55 {
56 UNDERLYING = _UNDERLYING;
57
58 BASE_UNIT = 10**decimals;
59
60 // Prevent minting of rvTokens until
61 // the initialize function is called.
62 totalSupply = type(uint256).max;
63 }
64
65 /*///////////////////////////////////////////////////////////////
66 FEE CONFIGURATION
67 //////////////////////////////////////////////////////////////*/
68
69 /// @notice The percentage of profit recognized each harvest to reserve as fees.
70 /// @dev A fixed point number where 1e18 represents 100% and 0 represents 0%.
71 uint256 public feePercent;
72
73 /// @notice Emitted when the fee percentage is updated.
74 /// @param user The authorized user who triggered the update.
75 /// @param newFeePercent The new fee percentage.
76 event FeePercentUpdated(address indexed user, uint256 newFeePercent);
77
78 /// @notice Sets a new fee percentage.
79 /// @param newFeePercent The new fee percentage.
80 function setFeePercent(uint256 newFeePercent) external requiresAuth {
81 // A fee percentage over 100% doesn't make sense.
82 require(newFeePercent <= 1e18, "FEE_TOO_HIGH");
83
84 // Update the fee percentage.
85 feePercent = newFeePercent;
86
87 emit FeePercentUpdated(msg.sender, newFeePercent);
88 }
89
90 /*///////////////////////////////////////////////////////////////
91 HARVEST CONFIGURATION
92 //////////////////////////////////////////////////////////////*/
93
94 /// @notice Emitted when the harvest window is updated.
95 /// @param user The authorized user who triggered the update.
96 /// @param newHarvestWindow The new harvest window.
97 event HarvestWindowUpdated(address indexed user, uint128 newHarvestWindow);
98
99 /// @notice Emitted when the harvest delay is updated.
100 /// @param user The authorized user who triggered the update.
101 /// @param newHarvestDelay The new harvest delay.
102 event HarvestDelayUpdated(address indexed user, uint64 newHarvestDelay);
103
104 /// @notice Emitted when the harvest delay is scheduled to be updated next harvest.
105 /// @param user The authorized user who triggered the update.
106 /// @param newHarvestDelay The scheduled updated harvest delay.
107 event HarvestDelayUpdateScheduled(address indexed user, uint64 newHarvestDelay);
108
109 /// @notice The period in seconds during which multiple harvests can occur
110 /// regardless if they are taking place before the harvest delay has elapsed.
111 /// @dev Long harvest windows open the Vault up to profit distribution slowdown attacks.
112 uint128 public harvestWindow;
113
114 /// @notice The period in seconds over which locked profit is unlocked.
115 /// @dev Cannot be 0 as it opens harvests up to sandwich attacks.
116 uint64 public harvestDelay;
117
118 /// @notice The value that will replace harvestDelay next harvest.
119 /// @dev In the case that the next delay is 0, no update will be applied.
120 uint64 public nextHarvestDelay;
121
122 /// @notice Sets a new harvest window.
123 /// @param newHarvestWindow The new harvest window.
124 /// @dev The Vault's harvestDelay must already be set before calling.
125 function setHarvestWindow(uint128 newHarvestWindow) external requiresAuth {
126 // A harvest window longer than the harvest delay doesn't make sense.
127 require(newHarvestWindow <= harvestDelay, "WINDOW_TOO_LONG");
128
129 // Update the harvest window.
130 harvestWindow = newHarvestWindow;
131
132 emit HarvestWindowUpdated(msg.sender, newHarvestWindow);
133 }
134
135 /// @notice Sets a new harvest delay.
136 /// @param newHarvestDelay The new harvest delay to set.
137 /// @dev If the current harvest delay is 0, meaning it has not
138 /// been set before, it will be updated immediately, otherwise
139 /// it will be scheduled to take effect after the next harvest.
140 function setHarvestDelay(uint64 newHarvestDelay) external requiresAuth {
141 // A harvest delay of 0 makes harvests vulnerable to sandwich attacks.
142 require(newHarvestDelay != 0, "DELAY_CANNOT_BE_ZERO");
143
144 // A harvest delay longer than 1 year doesn't make sense.
145 require(newHarvestDelay <= 365 days, "DELAY_TOO_LONG");
146
147 // If the harvest delay is 0, meaning it has not been set before:
148 if (harvestDelay == 0) {
149 // We'll apply the update immediately.
150 harvestDelay = newHarvestDelay;
151
152 emit HarvestDelayUpdated(msg.sender, newHarvestDelay);
153 } else {
154 // We'll apply the update next harvest.
155 nextHarvestDelay = newHarvestDelay;
156
157 emit HarvestDelayUpdateScheduled(msg.sender, newHarvestDelay);
158 }
159 }
160
161 /*///////////////////////////////////////////////////////////////
162 TARGET FLOAT CONFIGURATION
163 //////////////////////////////////////////////////////////////*/
164
165 /// @notice The desired percentage of the Vault's holdings to keep as float.
166 /// @dev A fixed point number where 1e18 represents 100% and 0 represents 0%.
167 uint256 public targetFloatPercent;
168
169 /// @notice Emitted when the target float percentage is updated.
170 /// @param user The authorized user who triggered the update.
171 /// @param newTargetFloatPercent The new target float percentage.
172 event TargetFloatPercentUpdated(address indexed user, uint256 newTargetFloatPercent);
173
174 /// @notice Set a new target float percentage.
175 /// @param newTargetFloatPercent The new target float percentage.
176 function setTargetFloatPercent(uint256 newTargetFloatPercent) external requiresAuth {
177 // A target float percentage over 100% doesn't make sense.
178 require(newTargetFloatPercent <= 1e18, "TARGET_TOO_HIGH");
179
180 // Update the target float percentage.
181 targetFloatPercent = newTargetFloatPercent;
182
183 emit TargetFloatPercentUpdated(msg.sender, newTargetFloatPercent);
184 }
185
186 /*///////////////////////////////////////////////////////////////
187 UNDERLYING IS WETH CONFIGURATION
188 //////////////////////////////////////////////////////////////*/
189
190 /// @notice Whether the Vault should treat the underlying token as WETH compatible.
191 /// @dev If enabled the Vault will allow trusting strategies that accept Ether.
192 bool public underlyingIsWETH;
193
194 /// @notice Emitted when whether the Vault should treat the underlying as WETH is updated.
195 /// @param user The authorized user who triggered the update.
196 /// @param newUnderlyingIsWETH Whether the Vault nows treats the underlying as WETH.
197 event UnderlyingIsWETHUpdated(address indexed user, bool newUnderlyingIsWETH);
198
199 /// @notice Sets whether the Vault treats the underlying as WETH.
200 /// @param newUnderlyingIsWETH Whether the Vault should treat the underlying as WETH.
201 /// @dev The underlying token must have 18 decimals, to match Ether's decimal scheme.
202 function setUnderlyingIsWETH(bool newUnderlyingIsWETH) external requiresAuth {
203 // Ensure the underlying token's decimals match ETH if is WETH being set to true.
204 require(!newUnderlyingIsWETH || UNDERLYING.decimals() == 18, "WRONG_DECIMALS");
205
206 // Update whether the Vault treats the underlying as WETH.
207 underlyingIsWETH = newUnderlyingIsWETH;
208
209 emit UnderlyingIsWETHUpdated(msg.sender, newUnderlyingIsWETH);
210 }
211
JavaScript Tests
Tests to Code: 188 / 288 = 65 %