
Beanstalk

Appeals Period

Beanstalk: Dive Into Basin

Basin is a composable EVM-native decentralized exchange protocol that allows for the composition of arbitrary exchange functions, network-native oracles and exchange implementations into a single liquidity pool known as a Well.

Start Date Apr 22nd, 2024 (12:00)
End Date Apr 29th, 2024 (12:00)
Rewards $12,000 USDC
Contest Details

Prize Pool

  • Total Pool - $12,000
  • H/M - $10,000
  • Low - $1,000
  • Community Judging - $1,000
  • Starts: Monday, April 22, 2024
  • Ends: Monday, April 29, 2024

Stats

  • nSLOC: 479
  • Complexity Score: 945
  • /nSLOC: 25.05

About

Basin is a composable EVM-native decentralized exchange protocol that allows for the composition of arbitrary exchange functions, network-native oracles and exchange implementations into a single liquidity pool known as a Well. In practice, Basin lowers the friction for market makers to deploy liquidity with custom orders and allows their liquidity to be used by other network-native protocols without additional trust assumptions.

A Well is a constant function AMM that allows the provisioning of liquidity into a single pooled on-chain liquidity position. Each Well is defined by its Tokens, Well Function, and Pump:

  • The Tokens define the set of ERC-20 tokens that can be exchanged in the Well.
  • The Well Function defines an invariant relationship between the Well's reserves and the supply of LP tokens.
  • Pumps are on-chain oracles that are updated upon each interaction with the Well.

Multi Flow Pump is an inter-block MEV manipulation resistant network-native Pump implementation for arbitrary current data in an EVM for both instantaneous and time-weighted average values.

In particular, this audit focuses on changes to the ConstantProduct2 Well Function, the Multi Flow Pump (now v1.1.0) and the library changes associated with each. You can read the full RFC and diff for Multi Flow v1.1.0 here. Notably, the Well implementation in src/Well.sol and the Well factory contract in src/Aquifer.sol are not in scope for this audit.

More documentation on Basin and Multi Flow here:

Actors

The only "actors" in the context of Basin are traders (takers) and liquidity providers (makers), as with any decentralized exchange. In a sense, external protocols that consume data stored in Pumps (like Multi Flow) could be considered another actor.

Scope

The following contracts are in scope of this audit:

src/
└── contracts/
    ├── functions/
    │   ├── ConstantProduct2.sol
    │   └── ProportionalLPToken2.sol
    ├── libraries/
    │   ├── LibLastReserveBytes.sol
    │   └── LibMath.sol
    └── pumps/
        └── MultiFlowPump.sol

Compatibilities

Blockchains:

  • Ethereum

Tokens:

  • ERC-20 (Any ERC-20 tokens can be traded in Wells)

Setup

git clone https://github.com/Cyfrin/2024-04-Beanstalk-DIB
cd 2024-04-Beanstalk-DIB
code .

This repository uses Foundry as a smart contract development toolchain.

See the Foundry Docs for more info on installation and usage.

foundryup
forge install
forge build

Tests

Prior to running tests, you should set up your environment. At present this repository contains fork tests against ETH mainnet; your environment will need a MAINNET_RPC_URL key to run these tests. This is used in IntegrationTestGasComparisons.sol.

Additionally, the ffi cheatcode (enabled with the --ffi flag) is used to verify certain actions. Because ffi lets tests execute arbitrary commands on the host, it is advised to review the executed code prior to running.

To set up the Python environment:

python3.10 -m venv env
source env/bin/activate
python3.10 -m pip install -r requirements.txt

The tests using --ffi are:

  • testFuzz_powu()
  • testSim_capReserve_decrease()
  • testSim_capReserve_increase()

If errors occur during Python execution, follow the steps described here: https://stackoverflow.com/a/75399269.

The code being executed is:

  • test/pumps/simulate.py
  • test/differential/powu.py
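
One way to act on the review advice above before enabling --ffi, as an added example that is not part of the contest repository: list the Solidity test files that call vm.ffi and flag any script path they reference other than the two listed above. The function names, the extension list and the FFI_AUDIT_DIR variable are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): pre-flight check for `forge test --ffi`.

# Scripts the contest page states are executed through ffi.
EXPECTED_SCRIPTS="test/pumps/simulate.py
test/differential/powu.py"

# List Solidity files under DIR ($1) that call the ffi cheatcode.
ffi_files() {
  grep -rlE --include='*.sol' 'vm\.ffi[[:space:]]*\(' "$1" | sort
}

# Collect every double-quoted string literal in those files. These are the
# candidate argv elements (interpreter, script path, flags) passed to vm.ffi.
ffi_literals() {
  ffi_files "$1" | while IFS= read -r f; do
    grep -oE '"[^"]*"' "$f" | tr -d '"'
  done | sort -u
}

# Print script-like literals (assumed extension list) that are not on the
# expected list. Empty output means only the documented scripts are referenced.
# This narrows what to read; it does not replace reading the call sites,
# since a command can also be built from non-literal strings.
ffi_unexpected() {
  ffi_literals "$1" \
    | grep -E '\.(py|sh|js|ts|rb|pl)$' \
    | grep -vxF -e "$EXPECTED_SCRIPTS" || true
}

# Stand-alone use: FFI_AUDIT_DIR=test ./ffi_audit.sh
if [ -n "${FFI_AUDIT_DIR:-}" ]; then
  echo "Files calling vm.ffi:"
  ffi_files "$FFI_AUDIT_DIR"
  echo "Script paths not on the documented list:"
  ffi_unexpected "$FFI_AUDIT_DIR"
fi
```

Any path printed under the second heading is code that would run on your machine and that the list above does not mention, so read it before running the test suite.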

The main command to run the tests is:

forge test --ffi

If the ffi tests are failing, you may need to add an output folder in the test directory.

To omit invariant tests:

forge test --ffi --no-match-test invariant

To run Slither:

  • python3 -m pip install slither-analyzer
  • slither .

Known Issues

All findings in the following audit reports:

Please find additional Known Issues as Identified by LightChaser here.