The Omnichain Money Market & Unstoppable OmniDollar, Powered by LayerZero.
On what chains are the smart contracts going to be deployed?
Arbitrum, Mainnet, Optimism, Avalanche
Which ERC20 tokens do you expect will interact with the smart contracts?
USDC and others. We would like to support tokens that are pauseable (RWA), rebasing (WSTETH), upgradable, flash mintable, low decimal, and high decimal.
Which ERC721 tokens do you expect will interact with the smart contracts?
None
Do you plan to support ERC1155?
No
Which ERC777 tokens do you expect will interact with the smart contracts?
None
Are there any FEE-ON-TRANSFER tokens interacting with the smart contracts?
None
Are there any REBASING tokens interacting with the smart contracts?
WSTETH
Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?
TRUSTED
Is the admin/owner of the protocol/contracts TRUSTED or RESTRICTED?
TRUSTED
Are there any additional protocol roles? If yes, please explain in detail:
None
Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?
No specific assumptions of EIP compliance. Though if it presents a reasonable problem, it should be considered.
Please list any known issues/acceptable risks that should not result in a valid finding.
Zero address check
Please provide links to previous audits (if any).
1 - Certora Yieldbox:
2 - Code4rena (full scope):
https://code4rena.com/reports/2023-07-tapioca
3 - (peripherals):
Pashov Auditing Group + 0xWeiss and Nisedo:
https://3014726245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfBay3bZwWmLdUX02P7Qc%2Fuploads%2FacpTKQyK9l2Yc61DQbch%2FTapiocaDAO-security-review-report.pdf?alt=media&token=6eedce9c-8ac8-4fa2-9605-05e4a96bddaa
4 - Spearbit (full scope)
Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?
mTOFT contract has a function to allow rebalancing of assets, this is done off-chain by a Gelato bot. The caller address of mTOFT.extractUnderlying() needs to be whitelisted to perform the action.
Penrose contract has a withdrawAllMarketFees() that is called periodically by a Gelato bot.
In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.
External issues/integrations that would affect Tapioca should be considered.
Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?
Not specifically, just make the case for tokens that are balance changing, rebasing (WSTETH), pauseable (RWA), upgradable, flash mintable, low decimal, and high decimal. Issues with specific 1 of 1 tokens with special traits should not be a valid medium as we will be checking any token introduced in the system. However, if you know of any token that would be incompatible and falls on one of the categories listed on top, it would be helpful to let us know (probably internally, as otherwise it would impact your valid issue threshold).
Add links to relevant protocol resources
Docs: https://docs.tapioca.xyz/tapioca/
Whitepaper: https://www.tapioca.xyz/docs/twAML.pdf
Pearl Club Academy videos (overall understanding of the protocol): https://www.youtube.com/watch?v=dCp-br2mImU&list=PLuyOXCNGGKVzNsFYCKq-627vC8cAPnzYp
Total Rewards
Contest Pool
Lead Senior Watson
Judging Pool
Lead Judge
88,700 USDC
37,500 USDC
3,100 USDC
3,900 USDC
Status: Finished
Scope: 4,884 nSLOC
Start Time: Feb 23, 2024, 3:00 PM
End Time: Mar 15, 2024, 3:00 PM