Arcadia connects passive lenders and on-chain leverage strategists. Earn passive interest or 10x your liquidity to deploy across protocols.
On what chains are the smart contracts going to be deployed?
Base
If you are integrating tokens, are you allowing only whitelisted tokens to work with the codebase or any complying with the standard? Are they assumed to have certain properties, e.g. be non-reentrant? Are there any types of weird tokens you want to integrate?
Please raise issues regarding the underlying tokens that can currently be used: WETH, DAI, COMP, USDBC, USDC, CBETH, RETH, STG, wstETH
We also want to receive issues regarding minimal implementations of ERC20 Tokens, which besides a standard implementation have one of the following "weird behaviours":
Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED? If these integrations are trusted, should auditors also assume they are always responsive, for example, are oracles trusted to provide non-stale information, or VRF providers to respond within a designated timeframe?
The protocols we integrate with are:
AeroPool.sol:
Gauge.sol:
Slipstream (CLPool.sol and NonfungiblePositionManager.sol):
Although not directly in scope, Chainlink and admins of the contracts for primary assets are TRUSTED.
Are there any protocol roles? Please list them and provide whether they are TRUSTED or RESTRICTED, or provide a more comprehensive description of what a role can and can't do/impact.
Owner Protocol (core team):
Risk Manager
For permissioned functions, please list all checks and requirements that will be made before calling the function.
addAsset() of a stable AeroPool to AerodromePoolAM:
Owner will first check that the total supply of both tokens is smaller than 15511800964 * 10 ** decimals (and will always remain smaller).
Is the codebase expected to comply with any EIPs? Can there be/are there any deviations from the specification?
The WrappedAerodromeAM and StakedAerodromeAM are optionally compliant with ERC721. Any extension to ERC721 (enumerable, metadata, …) is not in scope.
Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, arbitrage bots, etc.)?
Not in scope of the asset modules of this audit.
(In the protocol there are off-chain mechanisms, e.g. with arbitrage bots for the liquidations, but those were audited in our previous Sherlock audit.)
Are there any hardcoded values that you intend to change before (some) deployments?
No, some addresses will be passed on deployment to the module (via deployscript, not in scope): registry, aerodromeFactory, aerodromeVoter, nonFungiblePositionManager. Risk variables can be changed in comparison to (out of scope) deployscripts.
If the codebase is to be deployed on an L2, what should be the behavior of the protocol in case of sequencer issues (if applicable)? Should Sherlock assume that the Sequencer won't misbehave, including going offline?
In the protocol there are mitigations implemented, but those were audited in our previous Sherlock audit.
For the asset modules in scope of this audit, there should be no direct consequences if the Sequencer goes down.
If there are additional issues, not covered by the current mitigations, that would be a valid issue.
Should potential issues, like broken assumptions about function behavior, be reported if they could pose risks in future integrations, even if they might not be an issue in the context of the scope? If yes, can you elaborate on properties/invariants that should hold?
Yes.
Please discuss any design choices you made.
AerodromePoolAM.sol:
WrappedAerodromeAM.sol:
Please list any known issues/acceptable risks that should not result in a valid finding.
We will report issues where the core protocol functionality is inaccessible for at least 7 days. Would you like to override this value?
No
Please provide links to previous audits (if any).
This is an Update Contest of our codebase (where we add additional asset modules):
https://audits.sherlock.xyz/contests/137
Other audits of the protocol (the asset modules of this contest were NOT in scope for these audits):
https://github.com/arcadia-finance/arcadia-finance-audits/tree/main/audits-v2
Please list any relevant protocol resources.
Docs: https://docs.arcadia.finance/
Whitepaper: https://github.com/arcadia-finance/whitepapers/blob/main/main.pdf
Website: https://arcadia.finance/
Twitter: https://twitter.com/ArcadiaFi
Additional audit information.
SlipstreamAM.sol is a fork of the already audited UniswapV3AM.sol (only 8 lines of code and 1 library difference).
To install a local repo:
Total Rewards
Contest Pool
Lead Senior Watson
Judging Pool
Lead Judge
9,000 USDC
4,500 USDC
400 USDC
600 USDC
Status: Finished
Scope: 657 nSLOC
Start Time: Apr 22, 2024, 3:00 PM
End Time: Apr 25, 2024, 3:00 PM