Skip to content

code-423n4/2023-01-rabbithole

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RabbitHole contest details

  • Total Prize Pool: $36,500 USDC
    • HM awards: $25,500 USDC
    • QA report awards: $3,000 USDC
    • Gas report awards: $1,500 USDC
    • Judge + presort awards: $6,000 USDC
    • Scout awards: $500 USDC
  • Join C4 Discord to register
  • Submit findings using the C4 form
  • Read our guidelines for more details
  • Starts January 25, 2023 20:00 UTC
  • Ends January 30, 2023 20:00 UTC

C4udit / Publicly Known Issues

The C4audit output for the contest can be found here within an hour of contest opening.

Note for C4 wardens: Anything included in the C4udit output is considered a publicly known issue and is ineligible for awards.

Cloning the repo

Please note that the contest's code is hosted on an external repo. To fetch it, use one of the following methods:

  • Cloning using SSH:
git clone --recurse-submodules git@github.com:code-423n4/2023-01-rabbithole.git
  • Cloning using HTTPS:
git clone --recurse-submodules https://github.com/code-423n4/2023-01-rabbithole.git
  • Getting the submodules if cloning was done without --recurse-submodules:
git submodule update --init --recursive

Overview

Quests Protocol is a protocol to distribute token rewards for completing on-chain tasks.

We're releasing five new contracts that are in scope for the audit (more inherited contracts included below):

  • Quest Factory: An upgradable factory that creates a new ERC-20 or ERC-1155 Quest. This follows the factory method & factory creation patterns. This also houses logic on aggregating Quests & minting receipts
  • ERC-20 Quest: A Quest that rewards an on-chain action with an ERC-20 token. You must own an unclaimed receipt to be able to claim the reward.
  • ERC-1155 Quest: A Quest that rewards an on-chain action with an ERC-1155 token. You must own an unclaimed receipt to be able to claim the reward.
  • Receipt: An ERC-721 contract that is able to be claimed by a user once they have completed an on-chain task. This must be held (and unclaimed) to claim a reward.
  • Ticket: An ERC-1155 contract that is used by the RabbitHole team for ERC-1155 Quests. AKA this is an ERC-1155 Reward.

Create Quest Flow

image

Claim Flow

image

ERC-20 Money Flow

image

See higher resolution flow diagrams here

See our full suite of documentation here.

Scope

Contract Name SLOC Purpose
QuestFactory 162 This is the main factory where Quests get deployed from.
RabbitHoleReceipt 137 This is the receipt contract. An ERC-721 contract that a user has the ability to mint once they have completed an on-chain action. To claim a reward you must own a Receipt that has not claimed a reward yet.
Quest 100 This is the parent class for Quests. This encapsulates a lot of the shared logic in the Erc20Quest & Erc1155Quest
RabbitHoleTickets 82 This is an 1155 reward contract used by the RabbitHole team.
Erc20Quest 67 This is a Quest where the reward to be claimed is an ERC-20 token.
Erc1155Quest 45 This is a Quest where the reward to be claimed is an ERC-1155 token.
ReceiptRenderer 90 This is an on-chain renderer for our ERC-721 Receipt contract
TicketRenderer 34 This is an on-chain renderer for our ERC-1155 reward (RabbitHoleTickets) contract
IQuest 19 This is a Quest interface
IQuestFactory 16 This is a Quest Factory interface

We would like to call out extra attention to QuestFactory.mintReceipt (users should only be able to claim one receipt), Quest.claim - users should only be able to claim the amount of rewards for number of receipts they have. Note - users could claim a receipt, sell it on secondary (not claim reward) and a user could end up with multiple receipts that can claim multiple rewards. Also following funds flow lifecycle throughout the contracts.

Out of scope

  • /contracts/test/*
  • @openzeppelin/*

Additional Context

  • For protocol fee we use basis points (BPS). You can read more on it here but the TLDR; is 10_000 is 100%. So 2.5% fee would be 250 BPS.
  • Our QuestFactory will be an upgradeable proxy allowing us to add more features overtime. For an overview of the upgrade pattern, refer to the OpenZeppelin documentation.

Scoping Details

- If you have a public code repo, please share it here: https://github.com/rabbitholegg/quest-protocol
- How many contracts are in scope?: 10   
- Total SLoC for these contracts?:  752
- How many external imports are there?: 18 
- How many separate interfaces and struct definitions are there for the contracts within scope?: 11 
- Does most of your code generally use composition or inheritance?: Yes. Only inheritance is abstraction of Quest Types into a parent Quest  
- How many external calls?: 1   
- What is the overall line coverage percentage provided by your tests?: 89 
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: Yes  
- Please describe required context: There is an ECDSA signature that provides proof of action on chain from our own event indexer  
- Does it use an oracle?: Yes (sorta), described in previous question.
- Does the token conform to the ERC20 standard?: No
- Are there any novel or unique curve logic or mathematical models?: N/A
- Does it use a timelock function?: No
- Is it an NFT?: There are two NFT contracts as part of this. RabbitHoleReceipt is an ERC-721 contract that distributes receipts for on-chain usage. RabbitHoleTickets is an ERC-1155 that is a reward for an ERC-1155 Quest. 
- Does it have an AMM?: No
- Is it a fork of a popular project?: No  
- Does it use rollups?: No
- Is it multi-chain?: Yes (but currently just deployed to Goerli)
- Does it use a side-chain?: Yes (same note as above, will go on Polygon)

Tests

Setup

cd quest-protocol
yarn 
yarn compile

Run all tests

yarn test

Run test coverage report

yarn test:coverage

Run gas test:

yarn test:gas-stories

Slither

Slither works from the root directory. We also have a GitHub action you can find on our repo linked through in the docs.

slither .

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages