Audit Comp | Puffer Finance

Puffer Finance’s codebase can be found at https://github.com/PufferFinance/pufETH/tree/main

• There is a minor edit in PufferDepositor.sol github which doesn't match the deployed code. The code is basically the same functions, just the permit is moved to a separate file and the rest of the changes are related to that move. The deployed code is the determinator of whether a bug is valid.

Puffer Depositor swap functions are in scope, but due to them being paused bugs will only be considered if they can bypass the pause mechanism. They technically pause in 2 days from now (Feb 21 2024) but we will consider them to already be paused at the beginning of this program.

Whitehat Educational Resources & Technical Info:

• Documentation: https://docs.puffer.fi/

• Decoding Puffer: The Future of Ethereum Restaking

• Ethereum Restaking Redefined: A Deep Dive with Puffer’s CTO

• How Puffer’s Secure-Signer Reduces Slashing Risk

• Demystify the Access Control Mechanism in Puffer Protocol

Non-Technical Resources:

• Puffer Finance hits $850 million in TVL, now second-largest liquid restaking protocol
• The Crunchy Carrot Campaign and Beyond
• Puffer Finance Raises $5.5M to Redefine Liquid ETH Staking
• Securing Ethereum Through Slash-Resistant and Decentralized Liquid Staking
• Making a Splash in the LST Market

Is this an upgrade of an existing system? If so, which? And what are the main differences?

• No, this is the first deployment we have made as part of our product offering. Upgrades to come later.

Which parts of the code are you most concerned about?

• The vault logic of Open Zeppelin’s that we have overridden
  • We are not fully compliant with ERC 4626, because we have overridden some functionality. Namely, we have overriden the maxWithdraw() function, and we are not returning a value of 0, even though withdrawals are currently paused. The specs of ERC 4626 require global and user-specific limits to be factored into the result of this function, which we do not abide by. Similarly, maxRedeem() has the same non-compliance with ERC 4626 specs.
• withdraw() and redeem() are disabled
• EigenLayer integration

What attack vectors are you most concerned about?

• We’ve upgraded the logic dealing with the vault’s total assets, so perhaps the logic to calculate the shares each user has within the vault can be examined closely to ensure the vault still works as intended and there are no attacks to mess with the original accounting code of the vault

Which part(s) of the system do you want whitehats to attempt to break the most?

• Being able to steal, DoS, or lock up funds

Are there any assumed invariants that you want whitehats to attempt to break?

• No unauthorized parties should be able to move or withdraw funds from the vault

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

• Rebasing ERC20 (we will allow stETH and wstETH deposits into our vault)

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

Monitoring systems are only a valid reason to downgrade a bug if there is 100% certainty that the bug would be detected and fully prevented. Immunefi’s full policy and reasoning can be read here.

• We are implementing BlockSec Phalcon and Hexagate monitoring to pause the contracts in case of any hack attempts on the contracts. The monitoring criteria is a work in progress and we are setting up tests in place to make sure the monitoring works as intended.

What Roles are there, and what capacities do they have?

• We have 3 different multisigs, the Community multisig, the Operations multisig, and the Pauser multisig. You may review their capacities within the following doc: https://blocksec.com/blog/demystify-the-access-control-mechanism-in-puffer-protocol

Are there trusted roles for which you would consider any bugs invalid, even if the roles are not intended to have that capacity?

• Since the multisig parties are trusted to behave honestly, we would consider bugs where multisig members can do malicious things as invalid

What external dependencies are there?

• Open Zeppelin Contracts and Open Zeppelin Upgradeable Contracts

Are there any unusual points about your protocol that may confuse whitehats?

• There is currently no way to withdraw or redeem assets from our vault. This is because that functionality will come later on in our product roadmap.

What is the test suite setup information?

• Use forge test
• See README: https://github.com/PufferFinance/pufETH/blob/main/README.md

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

• Inflation attack on erc4626 vaults: https://blog.openzeppelin.com/a-novel-defense-against-erc4626-inflation-attacks

Previous Audits

Puffer Finance’s completed audit reports can be found below. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

• Slow Mist: https://github.com/slowmist/Knowledge-Base/blob/master/open-report-V2/smart-contract/SlowMist%20Audit%20Report%20-%20pufETH_en-us.pdf
• BlockSec: https://github.com/blocksecteam/audit-reports/blob/main/solidity/blocksec_puffer_v1.0-signed.pdf
• QuantStamp: https://github.com/PufferFinance/pufETH/blob/main/audits/Quantstamp-pufETH-v1.pdf

Asset In Scope Policies

Asset Accuracy Assurance

Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

Private Known Issues Reward Policy

Private known issues, meaning known issues that were not publicly disclosed, are valid, but are downgraded one severity level.

Known Issue Assurance

Puffer Finance commits to providing Known Issue Assurance to bug submissions through their program. This means that Puffer Finance will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.

In a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.

Primacy of Impact vs Primacy of Rules

Puffer Finance adheres to the Primacy of Impact for all impacts.

Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact

When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.

If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.