Commit

adds audit report and updates readme (#57)
0xean authored Jun 3, 2024
1 parent f80376d commit 3c4a3b8
Showing 2 changed files with 3 additions and 7 deletions.
10 changes: 3 additions & 7 deletions README.md
Expand Up @@ -24,7 +24,7 @@
- Rewards distribution script can be debugged locally with `cd scripts/rewards-distribution` and `NODE_OPTIONS="-r ts-node/register" node --inspect-brk index.ts` then going to `chrome://inspect` in Chrome to open the Node.JS debugging tools
- Ensure you CTRL + C anvil and restart it between run to clear your local blockchain state

# rFOX.wtf
## rFOX.wtf

rFOX is a novel staking mechanism ratified by FOX token holders in [SCP-166](https://snapshot.org/#/shapeshiftdao.eth/proposal/0x0bb84bdf838fb90da922ce62293336bf7c0c67a9a1d6fe451ffaa29284722f9f). Currently, the proposal is limited to single sided FOX staking but community members are expected to propose additional approval for FOX<>ETH Liquidity Tokens as well. The contracts expect that any token
will be fully ERC20 compliant and not a rebasing or fee on transfer type token. Stakers in contract lock their `stakingToken` and designate a Thorchain Rune address to associate with their staked balance. Each epoch, as designated in SCP-166, stakers then receive a percentage of the Shapeshift DAO's total RUNE that is accumulated through affiliate fees during that epoch. The distribution of these rewards is handled off chain by the DAO multisig and is not part of the rFOX contract. The rFOX contract is responsible for tracking the staked balances and an arbitrary unit of rewards that are due to each staker. These reward units (similar to points) allow for an easy way to calculate each participants starting balance and ending balance for each epoch. The delta between these two values represents the accumulated rewards for a user
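Review bot: demoting the heading from `# rFOX.wtf` to `## rFOX.wtf` puts it at the same level as the `## Audits` heading added in the next hunk, so Audits renders as a sibling of rFOX.wtf rather than as a subsection of it. If the audit report belongs to the rFOX contract, `### Audits` would keep it nested under this section. While this paragraph is being touched, the stray line break after "any token" and the missing apostrophe in "each participants" could be fixed in the same commit.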
Expand All @@ -37,10 +37,6 @@ The owner of these contracts will be the Shapeshift DAO multisig and the contrac

Their is no ability to verify that the RUNE address supplied by the user is correct on the EVM blockchain, we have added a basic length check and additional verification will be added into the UI to ensure that the user has entered a valid address. Users do have the ability to update this address as they please, however we plan to snapshot the rune address that is set at the end of each epoch for reward distribution purposes.

#### Audit area of focus
## Audits

1. Any ability for a user to remove funds from the contract that aren't theirs or are theirs but doesn't follow the typical unstaking flow and cool-down
2. Any ability for a user to game the system and earn more rewards than they should
3. Any escalation of owner privileges beyond what is explicitly defined (upgrading, pausing, etc)
4. Overflow or precision issues that could cause the onchain accounting of rewards to be incorrect (beyond dust), revert, or otherwise be exploitable
5. Any ability for the manipulation of a RUNE address by another user.
- [Trust Security Audit](./audits/rFOX_v02.pdf)
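Review bot: replacing the five-item "Audit area of focus" list with a bare link removes the only in-README statement of which properties were in scope (fund removal outside the unstaking flow, reward gaming, owner privilege escalation, overflow and precision, RUNE address manipulation). Consider keeping that list under `## Audits` as the stated scope, and naming next to the link the commit or contract version the report covers, since `rFOX_v02.pdf` alone does not tell a reader whether the code they are looking at is the code that was audited, and the removed list itself mentions owner upgrading. The context line "Their is no ability to verify" should read "There is".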
Binary file added audits/rFOX_v02.pdf
Binary file not shown.
