Audit Comp | Anvil: Letters of Credit-logo

Audit Comp | Anvil: Letters of Credit

|

Anvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. For more information about Anvil, please visit https://anvil.xyz/

Solidity

Evaluating

27d: 2h remaining
Rewards Pool
$30,000
Vault TVL
To be determined
Started
11 November 2024
Ended
22 November 2024
Rewards Token
USDT
nSLOC
1,622
  • Triaged by Immunefi

  • PoC required

  • KYC required

Select the category you'd like to explore

Assets in Scope

Target
Type
Smart Contract - LetterOfCredit - 904 SLOC
Added on
11 November 2024
Target
Type
Smart Contract - CollateralVault - 606 SLOC
Added on
11 November 2024
Target
Type
Smart Contract - Pyth Price Oracle - 112
Added on
11 November 2024

Impacts in Scope

Is this an upgrade of an existing system? If so, which? And what are the main differences?

No. This is a new protocol.

Where do you suspect there may be bugs? Useful aspects of this question are:

Which parts of the code are you most concerned about?

  • Dynamic LOC calculations
  • Dynamic LOC liquidation mechanics
  • LOCs always being redeemable for their credited token value
    • Note: ignore adverse market conditions as a concern

What attack vectors are you most concerned about?

  • Tokens being stolen from the LetterOfCredit contract
  • Tokens being stuck in the LetterOfCredit contract
  • LOCs being created using an account’s collateral without that account’s permission

Which part(s) of the system do you want whitehats to attempt to break the most?

  • LOC operations

Are there any assumed invariants that you want whitehats to attempt to break?

  • LetterOfCredit
    • LOCs should always be redeemable for their credited token amount (ignoring adverse market condition cases)
    • Dynamic LOCs can only be converted by:
      • The creator
      • Any party presenting the creator’s signed authorization
      • Anyone if the LOCs current CollateralFactor based on oracle price meets the LOC’s stored collateralFactorBasisPoints
    • LOCs may only be redeemed by
      • The LOC.beneficiary
      • Any party presenting the beneficiary’s signed authorization
    • The following LOC operations should always fail after a LOC’s expiration timestamp passes:
      • redeemLOC()
      • convertLOC()
      • modifyLOCCollateral()
      • extendLOC()
    • A LOC may be canceled by:
      • The LOC.beneficiary
      • Any 3rd party presenting the beneficiary’s signed authorization
      • Any party after the LOC is expired
    • The result of cancelLOC() for a LOC with remaining collateral is always one of the following:
      • The CollateralReservation is released in the CollateralVault, making any reserved collateral associated with the LOC available within the LOC.creator’s vault account
      • The collateral stored within the LOC contract for the converted LOC is sent directly to the LOC.creator’s address

What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

This project is not a chain of its own and does not have the ability to rewrite history, so no emergency actions should be possible as a way to mitigate an otherwise possible theft. The LetterOfCredit contract is meant to be referenced by upgradeable proxies, so bug reports of “frozen” tokens that may be mitigated by a contract upgrade are less of a concern. Anvil will likely pay those out as low severity bugs.

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

None to our knowledge.

There are possible admin actions in CollateralVault and LetterOfCredit, including contract upgrades for the latter, but those are only possible via governance, which is much slower than any attack and could not reasonably front-run an attack.

What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?

There are various roles defined in the CollateralVault and LetterOfCredit contracts that should be assumed to act in any way explicitly permitted by that role, and that is a valid non-bug use case. That is to say that if accounts with an Admin/Owner role, for instance, may withdraw tokens from the contract, registering an attack of the Admin/Owner stealing tokens is invalid because that is not theft – that is an explicitly permitted action.

That said, in the CollateralVault for instance, the design of the contract is such that the contract Owner should not be able to take tokens that are earmarked for an individual account (it may only take contract balance - SUM(user account balance). If an attack were to be found such that the owner could take funds that were earmarked for one or more accounts, that would be a valid bug because it undermines the trust assumptions of the contract.

What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?

None that we can think of.

What external dependencies are there?

There are external dependencies on ERC-20 tokens. Governance attacks, such as the approval of a malicious ERC-20 token is out of scope.

The LetterOfCredit contract depends on a PriceOracle to give it valid prices. Market-based oracle attacks are out of scope for this competition. If the LetterOfCredit contract’s logic incorrectly uses oracle data, though, that would be in scope.

There are also dependencies on open source contracts such as OpenZeppelin. While those are 3rd party contracts, they are referenced from within Anvil’s contracts, so any vulnerabilities in Anvil contracts made possible by issues in dependency contracts such as OZ are in scope.

Where might whitehats confuse out-of-scope code to be in-scope?

  • The code for the LetterOfCredit contract is meant to be referenced by proxies as their implementation. Any use case that requires deploying and directly using the LetterOfCredit contract rather than via a proxy would be out of scope.
  • Since the LetterOfCredit contract is meant to be referenced by upgradeable proxies, finding some loophole in contract logic such that tokens reserved by that contract become stuck would be a lower severity bug than it would be if the contract were not upgradeable. For that reason, token theft as a bug is very much in scope, whereas issues that could be solved via a successful contract upgrade are less critical and therefore low impact .
  • Precision loss is not a valid bug since it is impossible to divide without the possibility of precision loss.
  • Using a signature before someone else uses a signature (i.e. front-running) is not a valid bug. If the signature permits an operation, that operation is welcome and encouraged.
  • “If you were to upgrade the LetterOfCredit contract to a contract with a bug, then it would have a bug” is not a valid bug. If there is an issue with the upgrade process itself, that is valid, but simply using the proxy pattern is not a valid bug.
  • The ILiquidator interface is meant to be implemented by sophisticated liquidators external to the protocol / protocol team. An example implementation is included in the codebase as the “UniswapLiquidator” contract, but that contract is not in scope.
  • Avoiding the CollateralVault protocol fee by claiming / withdrawing extremely small amounts repeatedly is not a feasible attack on Ethereum mainnet so it is out of scope.

Are there any unusual points about your protocol that may confuse whitehats?

  • The concept of CollateralFactors is a bit nuanced. The same concept is used in Compound and other DeFi protocols. In the context of a LOC, a CollateralFactor is the percentage of the collateral token amount that would be necessary to liquidate to receive the LOC’s credited token amount, ignoring all fees and slippage.
  • The maximum CollateralFactor for LOC creation and the CollateralFactor at which point LOCs become liquidatable is stored for each distinct asset-pair that supports dynamic LOCs. It is assumed that all fees are baked into that configuration and that the CollateralFactor is padded to handle trading slippage, liquidator incentive, claim fee, etc.

What is the test suite setup information?

No tests have been made public at the moment.

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

  • The fee applied to CollateralVault claims and withdrawals is the same, but the amount the fee is relative to is different such that the absolute fee assessed via withdraw() is higher than claimCollateral() when the amount released by the CollateralVault is the same.
  • ERC165 calls within CollateralVault may prevent addition/removal of collateralizable contracts. Governance should verify this will not be an issue when collateralizable contact addition is proposed.

Previous Audits

Anvil’s completed audit reports can be found at https://docs.anvil.xyz/contracts/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Severity
Critical
Title

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Severity
Critical
Title

Protocol insolvency

Severity
Critical
Title

Permanent freezing of funds (note: if a LetterOfCredit proxy update may fix the issue, it is temporary)

Severity
High
Title

Temporary freezing of funds within the CollateralVault for at least 48 hours

Severity
High
Title

Smart contract unable to operate due to lack of token funds

Severity
Medium
Title

Theft of gas

Severity
Medium
Title

Unbounded gas consumption

Severity
Low
Title

Temporary freezing of funds set to 48 hrs within the LetterOfCredit contract

Severity
Low
Title

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Out of scope

Default Out of Scope and rules

Smart Contract specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers