- Total Prize Pool: $100,000 in USDC
- HM awards: $78,162.50 in USDC
- Analysis awards: $4,225 in USDC
- QA awards: $2,112.50 in USDC
- Judge awards: $9,000 in USDC
- Lookout awards: $6,000 in USDC
- Scout awards: $500 in USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts February 02, 2024 20:00 UTC
- Ends March 1, 2024 20:00 UTC
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
HydraDX is a next-gen DeFi protocol which is designed to bring an ocean of liquidity to Polkadot. Our tool for the job the HydraDX Omnipool - an innovative Automated Market Maker (AMM) which unlocks unparalleled efficiencies by combining all assets in a single trading pool.
- Omnipool
- Omnipool is type of AMM where all assets are pooled together into one single pool.
- Stableswap
- Curve style AMM, designed to provide highly efficient and low-slippage trades for stablecoins.
- Oracle
- This pallet provides exponential moving average (EMA) oracles of different periods for price, volume and liquidity for a combination of source and asset pair based on data coming in from different sources.
- Circuit breaker
- Provides tracking and limiting the percentage of the liquidity of a pool that can be traded (net volume), added or removed in a single block.
- Previous audits: Details can be found here
- Documentation: HydraDX Docs
- Website: hydradx.io
- Twitter: hydra_dx
- Discord:
| Contract | SLOC | Purpose | Libraries used |
|---|---|---|---|
| Omnipool | Omnipool pallet | ||
| omnipool/src/lib.rs | 1367 | Omnipool pallet - main pallet's file | |
| omnipool/src/types.rs | 233 | Omnipool pallet - types | |
| omnipool/src/traits.rs | 162 | Omnipool pallet - traits | |
| Omnipool Math | Omnipool math | ||
| math/src/omnipool/math.rs | 409 | Omnipool math - math implementation | |
| math/src/omnipool/types.rs | 226 | Omnipool math - types | |
| Stableswap | Stableswap pallet | ||
| stableswap/src/lib.rs | 871 | Stableswap pallet - main pallet's file | |
| stableswap/src/types.rs | 136 | Stableswap pallet - types | |
| Stableswap Math | Stableswap Math | ||
| math/src/stableswap/math.rs | 670 | Stableswap Math - math implementation | |
| math/src/stableswap/types.rs | 25 | Stableswap Math - types | |
| EMA Oracle | Ema on-chain oracle | ||
| ema-oracle/src/lib.rs | 395 | Ema oracle pallet - main pallet's file | |
| ema-oracle/src/types.rs | 154 | Ema oracle pallet - types | |
| Ema Oracle Math | Omnipool math | ||
| math/src/ema/math.rs | 174 | Omnipool math - math implementation | |
| Circuit breaker | Circuit breaker | ||
| circuit-breaker/src/lib.rs | 451 | Circuit breaker- main pallet's file |
Total SLOC: 5273
Only files listed above are in scope. Everything else is out of scope.
Refer to documentation in each pallet for further details.
Note that each pallet is integrated into HydraDX runtime and can interact with other pallets. Each pallet is configured in runtime and this configuration should be taken into account.
Wardens can assume that runtime is configured correctly and that pallets are configured correctly.
Example:
Omnipool has AuthorityOrigin parameter which allows only configured origin to perform certain actions.
That means reports such as if origin is not configured correctly, it can lead to ... are not valid.
However, findings on possible misconfiguration of pallets in scope will be considered.
Refer to HydraDX security repository for possible attack vectors Here
Refer to HydraDX security repository that describes omnipool's and stableswap invariants Here
Refer to HydraDX-node readme for details.
Details in readme
Clone this repository
git clone https://github.com/code-423n4/2024-02-hydradx/Enter into the directory
cd HydraDX-nodeOmnipool
cargo test -p pallet-omnipool Stableswap
cargo test -p pallet-stableswap EMA Oracle
cargo test -p pallet-ema-oracle Circuit breaker
cargo test -p pallet-circuit-breaker You can focus on math for each pallet separately.
Omnipool math
cargo test omnipool -p hydra-dx-mathStableswap math
cargo test stableswap -p hydra-dx-mathEMA Oracle math
cargo test ema -p hydra-dx-mathThese tests focus on integration of a pallet in HydraDX runtime, interactions with other pallets and configuration.
cargo test -p runtime-integration-testsEmployees of HydraDX and employees' family members are ineligible to participate in this audit.