- $47,500 USDC main award pot
- $2,500 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts October 18, 2022 20:00 UTC
- Ends October 23, 2022 20:00 UTC
The following changes make up the scope of the 3xcalibur 10-2022 contest:
- Changed the whitelisting mechanism in Voter.sol
- Changed the fee rate for stable and variable swaps in SwapFactory.sol and SwapPair.sol
- Allowed changing the emission strategy every epoch (26 weeks) in Minter.sol
- Added an optional boost to the global weekly emission amount in Minter.sol
- Added the Multiswap.sol contract to allow for swaps targeting multiple tokens at once
- Corrected rewards calculation in Bribe.sol and Gauge.sol
- @openzeppelin/contracts/token/ERC20/IERC20.sol
- contracts/Core/SwapFees.sol
- contracts/Core/SwapPair.sol
- contracts/periphery/Bribe.sol
- contracts/periphery/Gauge.sol
- contracts/periphery/Multiswap.sol
- contracts/periphery/Router.sol
- contracts/periphery/Voter.sol
- contracts/periphery/VotingDist.sol
- contracts/periphery/VotingEscrow.sol
- contracts/periphery/interfaces/IWETH.sol
- @openzeppelin/contracts/token/ERC721/extensions/IERC721Metadata.sol
- @openzeppelin/contracts/token/ERC721/IERC721.sol
- @openzeppelin/contracts/token/ERC721/IERC721Receiver.sol
3xcalibur is a decentralized exchange and liquidity protocol on Arbitrum nitro.
It is a fork of the Solidly protocol, which notably introduced $x^3y + y^3x = k$
pools for concentrated stable-swaps, and improved on Curve's emission mechanism.
We further improved on Solidly by allowing more complex emission schedule strategies, modifying the governance mechanism, adding convenience contracts to improve user experience, correcting bugs, and redesigning the tokenomics.
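For reviewers of the swap math, the following added sketch (not code from the 3xcalibur or Solidly repositories) evaluates the stable invariant x^3*y + y^3*x = k in integer arithmetic, solves for the output reserve with Newton's method, and rounds in the pool's favour. The 18-decimal scaling, the function names, the sample reserves and the omission of fees are assumptions of this example.

```python
WAD = 10**18  # assumed 18-decimal fixed-point scale for this sketch

def k_stable(x: int, y: int) -> int:
    """Invariant x^3*y + y^3*x, evaluated in WAD fixed point."""
    x3 = x * x // WAD * x // WAD
    y3 = y * y // WAD * y // WAD
    return x3 * y // WAD + y3 * x // WAD

def dk_dy(x: int, y: int) -> int:
    """Partial derivative of the invariant in y: x^3 + 3*x*y^2."""
    return x * x // WAD * x // WAD + 3 * x * (y * y // WAD) // WAD

def solve_y(x_new: int, k_target: int, y_start: int, max_iter: int = 255) -> int:
    """Newton iteration for the y reserve that keeps k at k_target."""
    y = y_start
    for _ in range(max_iter):
        k = k_stable(x_new, y)
        step = abs(k_target - k) * WAD // dk_dy(x_new, y)
        if step == 0:
            break
        y = y + step if k < k_target else y - step
    # Integer division can leave k just under the target; round y up so the
    # rounding error is paid by the trader and never drains the pool.
    while k_stable(x_new, y) < k_target:
        y += 1
    return y

def stable_out(x: int, y: int, dx: int) -> int:
    """Tokens of y paid out for dx of x under the stable invariant (no fee)."""
    return y - solve_y(x + dx, k_stable(x, y), y)

def constant_product_out(x: int, y: int, dx: int) -> int:
    """Same swap under x*y = k, for comparison (no fee)."""
    return y * dx // (x + dx)

# Constructed sample: a balanced pool of 1,000,000 tokens per side, 10,000 in.
X = Y = 1_000_000 * WAD
DX = 10_000 * WAD

if __name__ == "__main__":
    print("stable out:          ", stable_out(X, Y, DX) / WAD)
    print("constant product out:", constant_product_out(X, Y, DX) / WAD)
```

Near balance the stable curve pays out almost one-for-one, while the constant-product curve loses about 1% on the same trade; the final rounding loop is the property worth checking in any integer implementation of this solver.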
The XCAL token is an ERC20 token with 18 decimals.
It is the main token of the protocol.
It can be locked in exchange for a VeNFT token that grants the user voting power to direct the protocol's emissions, proportional to the locked amount and lock duration.
VeNFTs are ERC721 tokens.
They encode the amount and duration of the lock, and can be transferred to other users.
They can be used to direct emissions by voting for gauges (through the Voter contract).
LP tokens are ERC20 tokens.
They represent a share in a liquidity pool.
Set environment variables in a .env file:
$ export PRIVATE_KEY=<your private key>
$ export ALCHEMY_API_KEY=<your alchemy api key>
In root of repo:
$ yarn
$ npx hardhat run ./scripts/deploy.ts [--network <network>]
Deployed addresses will be in ./scripts/config/<network>.json
The test suite uses the foundry framework.
To install foundry, run:
curl -L https://foundry.paradigm.xyz | bash
foundryup
The all-in-one command to clone and build the repo, run the tests and get gas reports is the following:
rm -Rf 2022-10-3xcalibur || true && git clone https://github.com/code-423n4/2022-10-3xcalibur.git && cd 2022-10-3xcalibur && mv contracts/Core contracts/core && npm install && foundryup && forge install foundry-rs/forge-std --no-commit && forge install transmissions11/solmate --no-commit && forge test --gas-report --fork-url https://arb1.arbitrum.io/rpc
Note: if you have an issue where Cloudflare intercepts the RPC URL, an Infura Ethereum mainnet URL works as well.
Run tests:
# example
forge test -f https://arb1.arbitrum.io/rpc --force --gas-report
To get code coverage:
forge coverage
NOTE: Slither does not currently work on the repo. If you find a workaround, please share it in the Discord.
- Your company/team/project's name? Do share a link if you have one: 3xcalibur (3xcalibur.com)
- Do you have a link to the repo that the contest will cover?: It is currently private.
- If you have a public code repo, please share it here: N/A
- How many core contracts are in scope?: 7
- Total SLoC for these contracts?: 1748
- How many external imports are there?: 4
- How many separate interfaces and struct definitions are there for the contracts within scope?: Interfaces: 29 and Structs: 6
- Does most of your code generally use composition or inheritance?: Composition
- How many external calls?: 0
- What is the overall line coverage percentage provided by your tests?: 71%
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: false
- Does it use an oracle?: false
- Does the token conform to the ERC20 standard?: Yes
- Are there any novel or unique curve logic or mathematical models?: Yes, the solidly stableswap invariant by Andre Cronje
- Does it use a timelock function?: No
- Is it an NFT?: No
- Does it have an AMM?: Yes
- Is it a fork of a popular project?: true
- If yes, please describe your customisations: Bribe: added functions to update rewards for all tokens at once and fixed bad rewards accounting. Pair: added a protocol fee tier. Gauge: remove hard-coded calculation in derivedBalance(), added functions to update rewards by batch, or for all tokens at once. Minter: added functions to update emissions state.
- Does it use rollups?: false
- Is it multi-chain?: false
- Does it use a side-chain?: false
Xen Discord: ๐ก็ฆ
๐ก#0369
Fly Discord: flyjgh#0741
Scam Discord: scamilcar#0983
Leez Discord: 0xLeez#7456
Rev Discord: RevolverOcelot#1548
7e1e Discord: ๐ก 0x7e1e ๐ก | 3six9 Core#4065