- $100,000 USDC main award pot
- $5,000 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Preview starts September 30, 2021 00:00 UTC (no submissions accepted)
- Preview ends October 6, 2021 23:59 UTC
- Contest starts October 7, 2021 00:00 UTC
- Contest ends October 13, 2021 23:59 UTC
This contest is open for two weeks to give wardens time to understand the protocol properly. Submissions can only be made in the second week of the contest. Representatives from PoolTogether will be available in the Code Arena Discord to answer any questions during the contest period.

The focus of the contest is to find logic errors or ways to drain funds from the protocol that benefit an attacker at the expense of users with funds invested in the protocol. Wardens should assume that governance variables are set sensibly, unless they can find a way to change the value of a governance variable (social engineering approaches do not count).
PoolTogether promotes financial security by making it fun to save.
PoolTogether V4 is unique as it enables a Prize Pool Network. A Prize Pool Network allows users across chains, with different assets, or different yield sources to combine their interest and share a single pool of prize liquidity.
- 🏦 Users deposit into the network
- 📈 Yield accrues on deposits
- 🏆 The yield is randomly awarded as prizes to the users.
The protocol turns your interest into fun prizes! You never lose your principal, and have a chance to win big.
For a deeper look at the protocol, refer to the PoolTogether V4 Documentation.
The contracts under audit are those listed below. Any other contract can be ignored.
There are two repos you should clone:
v4-core:
git clone git@github.com:pooltogether/v4-core.git
v4-timelocks:
git clone git@github.com:pooltogether/v4-timelocks.git
Both repos should be easy to set up:
nvm use; yarn; yarn test
The v4-core contracts repo includes the contracts required for the protocol to function.
The v4-periphery contracts repo includes contracts outside of the core business logic.
Contract | sloc |
---|---|
PrizeFlush.sol | 80 |
The v4-timelocks contracts repo includes the contracts that manage oracle timelocks.
Contract | sloc |
---|---|
L1TimelockTrigger.sol | 40 |
L2TimelockTrigger.sol | 40 |
DrawCalculatorTimelock.sol | 80 |
- The Time-Weighted Average Balance is a cornerstone of the V4 design. The concept (and some code!) was borrowed from Uniswap, but still requires heavy scrutiny.
- The Draw Calculator implements the Tsunami prize algorithm.
- The codebase uses ring buffers heavily. You should be familiar with them.
- Does our approach to generating "Picks" (pseudo-random numbers) have any flaws?
- Is our analysis correct for the estimated number of winners for a degree?
i.e. (2^bitRange)^degree - (2^bitRange)^(degree-1) - (2^bitRange)^(degree-2) ...
- Does the implementation match the theory behind the Tsunami algorithm? Are there errors or assumptions in the theory?
- This design relies heavily on timestamps. We highlight a few ways we've mitigated possible front-running at the bottom of this page. Have we missed anything?
- The v4-testnet repo deploys the contracts in a very similar way to how we will do it in production, if you wish to see.
- Prize Pool Network
- Smart Contracts Overview
- Launch Architecture