Skip to content

Patch 1#2

Open
ananitai440 wants to merge 2 commits intocap-labs-dev:mainfrom
ananitai440:patch-1
Open

Patch 1#2
ananitai440 wants to merge 2 commits intocap-labs-dev:mainfrom
ananitai440:patch-1

Conversation

@ananitai440
Copy link

@ananitai440 ananitai440 commented Mar 22, 2025

Electisec CAP Pre-Mainnet Vault Review

Review Resources:

None beyond the code repositories

Auditors:

  • Spalen
  • HHK

Table of Contents

  1. Review Summary
  2. Scope
  3. Code Evaluation Matrix
  4. Findings Explanation
  5. Critical Findings
  6. High Findings
  7. Medium Findings
  8. Low Findings
  9. Gas Saving Findings
  10. Informational Findings

Review Summary

CAP Pre-Mainnet Vault

The CAP Pre-Mainnet Vault serves as the core codebase for the CAP Pre-Mainnet campaign, allowing users to deposit USDC in exchange for boosted cUSD on the MegaEth testnet using LayerZero. Once the campaign concludes, users can withdraw their USDC.

  • Audit Duration: 1.5 days, from March 4th to March 6th, 2025.
  • Commit under Review: 46b0dda18490f74c81204185a11bd36fe0e66647 of the cap-contracts repo.
  • Scope of Review: Contracts in contracts/testnetCampaign/OAppMessenger.sol and contracts/testnetCampaign/PreMainnetVault.sol.

Scope

The review focused on evaluating the security of two key contracts at a specific commit:

  • OAppMessenger.sol
  • PreMainnetVault.sol

The review was limited to the latest commit, as the repository was under active development. After presenting the findings to the TODO_protocol_name team, fixes were implemented and added to several PRs.

Code Evaluation Matrix

Category Mark Description
Access Control Good Proper access control mechanisms implemented.
Mathematics Good No complex calculations involved.
Complexity Good Codebase is simple and easy to understand.
Libraries Good Uses OpenZeppelin and LayerZero libraries for security and best practices.
Decentralization Good Users can withdraw funds even if the owner doesn’t unlock transfers.
Code stability Good Code was stable throughout the audit.
Documentation Good Well-documented with minor omissions in NatSpec.
Monitoring Good Events emitted within state-changing functions.
Testing and Verification Average Includes unit tests, lacks invariant testing and fuzzing.

Findings Explanation

Findings are categorized by their respective impact:

  • Critical Findings
  • High Findings
  • Medium Findings
  • Low Findings
  • Gas Saving Findings
  • Informational Findings

Critical Findings

None - No critical issues were identified.

High Findings

None - No high-priority issues were found.

Medium Findings

None - No medium-level issues were detected.

Low Findings

1. Smart contracts calling deposit can revert

Technical Details
The deposit() function can revert if smart contracts don’t implement the _lzSend() function with the receive() function as the last parameter.

Impact

  • Low: A smart contract calling deposit() with excess gas will revert if it doesn't implement the receive() function.

Recommendation

  • Add parameter refundAddress to the deposit() function to enable smart contracts to work without a receive() function, or explicitly state in NatSpec that smart contracts must implement receive().

Developer Response

2. Missing verification for _destReceiver

Technical Details
The deposit() function lacks verification for the input parameter _destReceiver. If address(0) is passed, no validation is performed before sending it to LayerZero.

Impact

  • Low: Users may deposit without receiving assets on the MegaETH testnet, but the collateral remains safe.

Recommendation

  • Validate that the input parameter _destReceiver is set.

Developer Response

3. Turn off the deposit when the campaign ends

Technical Details
The maxCampaignEnd variable stores the campaign's end date. After this date, deposits should be disabled.

Impact

  • Informational: It would prevent users from making deposits after the campaign ends, avoiding issues with infinite token minting on the testnet.

Recommendation

  • Turn off deposits when the campaign ends or when transfers are enabled.

Developer Response

Gas Saving Findings

1. Converting amount to shared decimals can be optimized

Technical Details
The _toSD() function calculates 10 ** (decimals - sharedDecimals()) every time it is called. This constant value can be pre-calculated to save gas.

Impact

  • Gas savings: Optimization can reduce gas usage for each deposit.

Recommendation

  • Update the function _toSD() to use a pre-calculated decimalConversionRate.
function _toSD(uint256 _amountLD) internal view virtual returns (uint64 amountSD) {
    return uint64(_amountLD / decimalConversionRate);
}

@ananitai440
Copy link
Author

ananitai440 commented Mar 22, 2025

I thought this would look more professional because it's in code format rather than text or PDF. If you like it, let me know. I have more ideas for you, both now and in the future. If something is wrong, please let me know, and I’ll correct it, as there’s always room for improvement."

Let me know if you'd like any further changes!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ananitai440