
Cian Protocol | Ethereum | Submission Review#180

Open
BowtiedRahman wants to merge 18 commits into deficollective:main from BowtiedRahman:main

Conversation

@BowtiedRahman

This is my first draft submission. This is a draft, so things may need ironing out.


@yvesbou yvesbou changed the title First draft submission Cian Protocol | Ethereum | Submission Review Jun 2, 2025
@yvesbou yvesbou added the $2000 label Jun 2, 2025
@BowtiedRahman
Author

I know you people are super busy, but I'm still awaiting feedback on the draft submission to finalize the final review.

@yvesbou
Collaborator

yvesbou commented Jun 6, 2025

@BowtiedRahman yes I started, but haven't finished my review yet. Thanks for your patience!

@BowtiedRahman
Author

Just checking in. I know you're super busy, but it's been five days and no update whatsoever. Thanks for your understanding.

@yvesbou
Collaborator

yvesbou commented Jun 11, 2025

@BowtiedRahman sorry for the delay, I realised that a couple of contracts are missing - I want to come back with helpful advice on how to continue further research.

@yvesbou yvesbou changed the base branch from cian to main June 13, 2025 13:34
@BowtiedRahman
Author

@yvesbou I only focused on Ethereum in this review. The contracts you mentioned I missed, are they on Ethereum?

@yvesbou
Collaborator

yvesbou commented Jun 15, 2025

Hi @BowtiedRahman, sorry again for the delay.

I looked more into the report and noticed the report is scoped correctly for "Cian Automation" but misses contracts in the permissions section and explanations on protocol mechanism for "Cian Yield Layer".

I think the confusion comes from the fact that this link https://docs.cian.app/resources/contracts/yield-layer lists the Yield Layer contracts, but at the same time, at the very bottom, lists the "Cian Automation" and calls it Mainnet Flagship Vault (when interacting with https://dapp.cian.app/strategy/stethls/create). I interacted with the protocol through this frontend, and through tx analysis I found that I interacted with the automation contracts.

[Screenshot 2025-06-15 at 13:13:36]

Yield Layer has much more TVL than the single strategy on automation, so the report should focus on the Yield Layer only.

In the original scope, it included for each vault

  • Vault Proxy and Implementation
  • Manager
  • Strategies

As it was already correctly pointed out in our discord, re-assessing the impact of the common interfaces within the strategies is not necessary, but we do want the contracts section to show all the contracts that are assessed for a report. So please don't remove the contracts. In the Reviewer Notes a remark on Strategy contracts that share the same interface can be made.

In terms of coverage we want the following vaults, alongside Strategies, Operator and Manager contracts to be covered

  • stETH (0xB13aa2d0345b0439b064f26B82D8dCf3f508775d)
  • rsETH (0xd87a19fF681AE98BF10d2220D1AE3Fbd374ADE4e)
  • BTCLst (0x6c77bdE03952BbcB923815d90A73a7eD7EC895D1)
  • FBTC (0x9fdDAD44eD6b77e6777dC1b16ee4FCcCBaF0A019)

And to emphasize again, we don't want the permission table to have multiple rows for each strategy if they are the same; if it works, the common denominator once + what each strategy has uniquely as a centralization vector, but all contracts that are used in the protocol shall be listed in the contracts section.

@yvesbou
Collaborator

yvesbou commented Jun 15, 2025

If you allow me to push the scanner output to your branch (did it locally already), you can focus on assessing impact + consolidating the unique permissions that exist. I also drew myself the Yield Layer architecture a bit, I copied it to the shared excalidraw.

@BowtiedRahman
Author

I'd very much like you to share the scanner output. Also, can you elaborate more on which section(s) of the review I need to write again?

@yvesbou yvesbou left a comment


I will post scanner results of the remaining vaults later. I posted the results just at the bottom, feel free to re-use some of the impact you wrote already.

@yvesbou
Collaborator

yvesbou commented Jun 15, 2025

@BowtiedRahman focus first on the permissions and impact, and on seeing differences between the strategies, before writing the overview rating section.

@emduc
Member

emduc commented Jul 14, 2025

Well noted. Thanks for pushing the changes, give us some time and we'll get back to you

@BowtiedRahman
Author

@emduc @yvesbou It's been three weeks since you said you'll get back to me, how long is the review going to take?


@BowtiedRahman
Author

@emduc @brianmcmichael @yvesbou Can I have a date for the final submission?

@BowtiedRahman
Author

Is the submission still being reviewed? @emduc @yvesbou @brianmcmichael @nbundi

@emduc
Member

emduc commented Aug 11, 2025

Hi @BowtiedRahman

By pinging us on all possible platforms, you're missing our replies...
We replied on both public and private discord channels that we are currently busy with several reviews and have limited throughput. We will get back to you as soon as possible, most likely in about a week. If you have concerns or are pressed for different reasons, please let us know.

@BowtiedRahman
Author

I understand the team is busy with multiple reviews, but it's been a MONTH with no feedback since I submitted the final review, which includes the fixes suggested in the draft submission, hence my multiple pings. I'm happy to wait.

@yvesbou yvesbou left a comment


Hi @BowtiedRahman, please fix the requested changes.


| Name | Account | Type | ≥ 7 signers | ≥ 51% threshold | ≥ 50% non-insider | Signers public |
| ------------- | ------- | -------- | ----------- | --------------- | ----------------- | -------------- |
| Undeclared Multisig | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig | ✅ | ❌ | ❌ | ✅ |

Suggested change
| Undeclared Multisig | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig | | || |
| Owner YlstETH (undeclared) | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig | | || |


The owner is a 3-of-4 multisig; the first column is not a tick (✅) but a cross (❌).


please add all owners into this table that are not contracts

| Name | Account | Type |
| ---- | ------- | ---- |
| Vault Owner | 0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553 | EOA |
| Operator | 0x994Cc8Ef6aC289d0016dC28E691CF75eaE4e776b | Contract |
| Rebalancer 2 (YlstETH) | 0x7c0393F1CF1faf3106478960bEf21635Ff6182C4 | Multisig |
| Rebalancer 2 (YlrsETH) | 0x20E5737D4B888154c8220304310aBb8b63881D2a | Multisig |
| FeeReceiver | 0xc554747ffde2e378a562a09f2f72f4121C1d493D | EOA |
| Owner (YlrsETH) | 0x0b5d3121E144cf1410850c9608651a039BFd543e | Multisig |
| Owner (YlBTCLST) | 0x28784DbF1DA93da28873c9f4A8B471D64A11FCfd | Multisig |


> please add all owners into this table that are not contracts
>
> | Name | Account | Type |
> | ---- | ------- | ---- |
> | Vault Owner | 0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553 | EOA |
> | Operator | 0x994Cc8Ef6aC289d0016dC28E691CF75eaE4e776b | Contract |
> | Rebalancer 2 (YlstETH) | 0x7c0393F1CF1faf3106478960bEf21635Ff6182C4 | Multisig |
> | Rebalancer 2 (YlrsETH) | 0x20E5737D4B888154c8220304310aBb8b63881D2a | Multisig |
> | FeeReceiver | 0xc554747ffde2e378a562a09f2f72f4121C1d493D | EOA |
> | Owner (YlrsETH) | 0x0b5d3121E144cf1410850c9608651a039BFd543e | Multisig |
> | Owner (YlBTCLST) | 0x28784DbF1DA93da28873c9f4A8B471D64A11FCfd | Multisig |

Do you mean in the permissions owner section? If so, none of them are contracts @yvesbou


We have one table called Permission Owners; here permission owners are just listed without ✅/❌ qualifications of security council requirements. Then we have a Security Council table where we list all multisigs and evaluate them against the security council requirements. @BowtiedRahman

@yvesbou yvesbou assigned BowtiedRahman and unassigned yvesbou Aug 29, 2025
@BowtiedRahman
Author

Is this the final review?

BowtiedRahman and others added 3 commits September 4, 2025 15:38
@BowtiedRahman
Author

@yvesbou I've pushed all fixes and corrections, kindly review it for any corrections.

@BowtiedRahman
Author

Hi @yvesbou, @emduc, @brianmcmichael, and @nbundi, I submitted my fixes for the Cian Yield layer review four days ago, yet I have received no response from the team. Could I please inquire when the fixes will be reviewed and finalized? I've been working on this report for three months now, and I'd really like it to be finalized. Thanks for your understanding.

@yvesbou
Collaborator

yvesbou commented Sep 16, 2025

Hi @BowtiedRahman,
I cannot give a definitive answer to this. I assume we have feedback by end of week, and it will take at most two further iterations; I expect one.

@BowtiedRahman
Author

Hi @yvesbou, I'm yet again inquiring about the review of the recent fixes or, if possible, when you will be done reviewing it.

## Upgradeability


The Cian Yield Layer is upgradable allowing for the updates of all vaults (`YlFBTC`, `YlBTCLst`, `YlrsETH`, `YlstETH`) and their associated strategy contracts which are adapters to the yield sources. This can result in the _loss of funds_ or _loss of unclaimed yield_ as well as lead to other changes in the expected performance of the protocol.

Suggested change
The Cian Yield Layer is upgradable allowing for the updates of all vaults (`YlFBTC`, `YlBTCLst`, `YlrsETH`, `YlstETH`) and their associated strategy contracts which are adapters to the yield sources. This can result in the _loss of funds_ or _loss of unclaimed yield_ as well as lead to other changes in the expected performance of the protocol.
The Cian Yield Layer is upgradable allowing for the updates of all vaults (`YlFBTC`, `YlBTCLst`, `YlrsETH`, `YlstETH`) and their associated strategy contracts which are adapters to 3rd party protocols such as Aave or Lido which serve as yield sources. This can result in the _loss of funds_ or _loss of unclaimed yield_ as well as lead to other changes in the expected performance of the protocol.


## Security Council

New table with all the multisigs

Suggested change
New table with all the multisigs


remove this sentence


| Name | Account | Type | ≥ 7 signers | ≥ 51% threshold | ≥ 50% non-insider | Signers public |
| ------------- | ------- | -------- | ----------- | --------------- | ----------------- | -------------- |
| Owner YlstETH (undeclared) | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig | ❌ | ❌ | ❌ | ✅ |

add to this table

  • Operator
  • Vault Owner
  • FeeReceiver

each EOA deserves 4 ❌


| Name | Account | Type | ≥ 7 signers | ≥ 51% threshold | ≥ 50% non-insider | Signers public |
| ------------- | ------- | -------- | ----------- | --------------- | ----------------- | -------------- |
| Owner YlstETH (undeclared) | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig | ❌ | ❌ | ❌ | ✅ |

Suggested change
| Owner YlstETH (undeclared) | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig |||| |
| Owner YlstETH (undeclared) | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig |||| |


Signers public means, according to our framework, that the signers' addresses are linked to a well-known pseudonym or a real name.
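The two tables the reviewer distinguishes in this thread, a Permission Owners table that only lists owners and a Security Council table that scores each owner on the four checks (≥ 7 signers, ≥ 51% threshold, ≥ 50% non-insider, signers public), as an added example that is not the DeFiScan framework's tooling or the report's own code. The sample owners and addresses are constructed, the "≥ 51% threshold" rule is assumed to mean threshold / signers ≥ 0.51, and non-insider counts and signer publicity are manual inputs.

```python
# Added example for this review thread; not the DeFiScan framework's tooling and not
# code from the Cian report. Assumption: "≥ 51% threshold" is read as
# threshold / signers >= 0.51; non-insider counts and signer publicity are manual inputs.
from dataclasses import dataclass
from typing import Dict, List, Tuple

ETHERSCAN = "https://etherscan.io/address/"
TICK, CROSS = "✅", "❌"


@dataclass
class Owner:
    name: str
    account: str
    kind: str                     # "EOA", "Multisig" or "Contract"
    signers: int = 0              # total signers (multisig only)
    threshold: int = 0            # signatures required (multisig only)
    non_insiders: int = 0         # signers not affiliated with the team (manual input)
    signers_public: bool = False  # signer addresses linked to a known name/pseudonym


def council_checks(o: Owner) -> Tuple[bool, bool, bool, bool]:
    """Four security-council checks; anything that is not a multisig fails all four,
    which is how the reviewer asks EOAs (and the Operator contract) to be scored."""
    if o.kind != "Multisig" or o.signers <= 0:
        return (False, False, False, False)
    return (o.signers >= 7,
            o.threshold / o.signers >= 0.51,
            o.non_insiders / o.signers >= 0.5,
            o.signers_public)


def dedupe(owners: List[Owner]) -> List[Owner]:
    """Merge rows sharing an account, so one address named differently across vaults
    ('Undeclared Multisig' vs 'Owner (YlstETH)') becomes a single row."""
    merged: Dict[str, Owner] = {}
    for o in owners:
        key = o.account.lower()
        if key not in merged:
            merged[key] = Owner(**vars(o))  # copy so the input list is untouched
        elif o.name not in merged[key].name.split(" / "):
            merged[key].name += f" / {o.name}"
    return list(merged.values())


def permission_owners_table(owners: List[Owner]) -> str:
    rows = ["| Name | Account | Type |", "| --- | --- | --- |"]
    for o in dedupe(owners):
        rows.append(f"| {o.name} | [{o.account}]({ETHERSCAN}{o.account}) | {o.kind} |")
    return "\n".join(rows)


def security_council_table(owners: List[Owner]) -> str:
    rows = ["| Name | Account | Type | ≥ 7 signers | ≥ 51% threshold "
            "| ≥ 50% non-insider | Signers public |",
            "| --- | --- | --- | --- | --- | --- | --- |"]
    for o in dedupe(owners):
        marks = " | ".join(TICK if ok else CROSS for ok in council_checks(o))
        rows.append(f"| {o.name} | [{o.account}]({ETHERSCAN}{o.account}) | {o.kind} | {marks} |")
    return "\n".join(rows)


# Constructed sample with placeholder addresses; not the report's real accounts.
SAMPLE_OWNERS = [
    Owner("Undeclared Multisig", "0x" + "11" * 20, "Multisig", 4, 3, 1, True),
    Owner("Owner (YlstETH)", "0x" + "11" * 20, "Multisig", 4, 3, 1, True),
    Owner("Vault Owner", "0x" + "22" * 20, "EOA"),
    Owner("Operator", "0x" + "33" * 20, "Contract"),
    Owner("FeeReceiver", "0x" + "44" * 20, "EOA"),
]
```

Printing `security_council_table(SAMPLE_OWNERS)` gives a markdown table in the same layout as the one under review, with the two differently named rows for the same address collapsed into one.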

| Name | Account | Type |
| ---------------------- | --------------------------------------------------------------------------------------------------------------------- | -------- |
| Owner (YlstETH) | [0x261090afE1E7305474F4e3eEFCAca9964eBffFf5](https://etherscan.io/address/0x261090afE1E7305474F4e3eEFCAca9964eBffFf5) | Multisig |
| Vault Owner | [0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553](https://etherscan.io/address/0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553) | EOA |

Suggested change
| Vault Owner | [0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553](https://etherscan.io/address/0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553) | EOA |
| Owner (YlFBTC) | [0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553](https://etherscan.io/address/0x8FA9aa69a6e94c1cd49FbF214C833B2911D02553) | EOA |

| StrategyCompound (Implementation) | deleverage | Repays debt to decrease the strategy's exposure and risk either to secure profits or reduce risk in volatile conditions. | Manager (YlrsETH) |
| StrategyCompound (Implementation) | claimAndSwap | It claims rewards tokens and immediately swaps them for the vault's base asset. This automates the process of compounding yield. | Manager (YlrsETH) |
| StrategyAAVEV3RsETH (Proxy) | upgradeToAndCall | Updates the implementation of the `StrategyAAVEV3RsETH` contract. Can only be triggered by the Owner itself. A malicious `Owner` can replace `StrategyAAVEV3RsETH (Implementation)` and drain user funds. | Owner (YlrsETH) |
| VaultYieldRSETH (Proxy) | upgradeToAndCall | Updates the implementation of the `VaultYieldRSETH` contract. Can only be triggered by the Owner itself. A malicious `Vault Owner` can replace `VaultYieldRSETH (Implementation)` and drain user funds. | Vault Owner |

Suggested change
| VaultYieldRSETH (Proxy) | upgradeToAndCall | Updates the implementation of the `VaultYieldRSETH` contract. Can only be triggered by the Owner itself. A malicious `Vault Owner` can replace `VaultYieldRSETH (Implementation)` and drain user funds. | Vault Owner |
| VaultYieldRSETH (Proxy) | upgradeToAndCall | Updates the implementation of the `VaultYieldRSETH` contract. Can only be triggered by the Owner itself. A malicious `Vault Owner` can replace `VaultYieldRSETH (Implementation)` and drain user funds. | Owner (YlrsETH) |

Comment on lines +422 to +423
Note: The permissions for all Manager contracts (YlFBTC, YlBTCLst, YlrsETH, YlstETH) are similar; therefore, only Manager (YlstETH) is shown on the permissions page. RedeemOperator contracts of (YlrsETH, YlstETH) have the same functions; only RedeemOperator (YlstETH) is shown on the permissions page.
The permissions for StrategyAAVEV3RsETH (Implementation) (YlstETH) and StrategyAAVEV3RsETH (Implementation) (YlrsETH) have similar functions; as a result, only one is shown on the permissions page. Likewise, StrategySolv (Implementation) (YlBTCLST) and StrategyPump (Implementation) have similar functions, so only StrategySolv is shown above. No newline at end of file

bring this to the Reviewer's Notes section

| VaultYieldETH (Implementation) | updateRebalancer | Updates the address authorized to perform rebalancing operations. A malicious `Owner` could set the rebalancer to an attacker's address, allowing them to drain funds through malicious strategies. | Owner (YlstETH) |
| VaultYieldETH (Implementation) | updateFeeReceiver | This function updates the address that receives collected fees. A malicious `Owner` could set the fee receiver to their own address redirecting all vault fees. | Owner (YlstETH) |
| VaultYieldETH (Implementation) | updateRedeemOperator | This function updates the address authorized to process user withdrawal requests. A malicious redeem operator can stop user withrawal requests. | Owner (YlstETH) |
| VaultYieldETH (Implementation) | updateExchangePrice | Updates the internal exchange rate between assets and shares, reflecting vault performance. A malicious `Owner` could manipulate the exchange price, causing accounting issues. | Owner (YlstETH) |
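Review bot: typo in the updateRedeemOperator row: "withrawal" should read "withdrawal". The same row's impact sentence describes what a malicious redeem operator can do, while the neighbouring rows describe what a malicious `Owner` could do with the function; for consistency it could state that a malicious `Owner` could set a redeem operator that blocks user withdrawal requests.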

Suggested change
| VaultYieldETH (Implementation) | updateExchangePrice | Updates the internal exchange rate between assets and shares, reflecting vault performance. A malicious `Owner` could manipulate the exchange price, causing accounting issues. | Owner (YlstETH) |
| VaultYieldETH (Implementation) | updateExchangePrice | Updates the internal exchange rate between assets and shares, reflecting vault performance. A malicious `Owner` could manipulate the exchange price, causing accounting issues. | Manager (YlstETH) |


## Autonomy

As a yield aggregator protocol, Cian sources its yield from multiple protocols. These are divided into three main categories depending on the yield source: staking yield, restaking yield, and lending yield sources. Examples include Lido Protocol for staking yield, Symbiotic, Mellow Protocol and Renzo Protocol for restaking yield, and Aave and Sparklend for lending yield sources. Dependence on multiple protocols that are at stage 0 on their decentralzation score increases dependecy failure and complexity. A failure on any of these protocols could result in loss or thefts of user fund or degraded protocol experience for users.

Suggested change
As a yield aggregator protocol, Cian sources its yield from multiple protocols. These are divided into three main categories depending on the yield source: staking yield, restaking yield, and lending yield sources. Examples include Lido Protocol for staking yield, Symbiotic, Mellow Protocol and Renzo Protocol for restaking yield, and Aave and Sparklend for lending yield sources. Dependence on multiple protocols that are at stage 0 on their decentralzation score increases dependecy failure and complexity. A failure on any of these protocols could result in loss or thefts of user fund or degraded protocol experience for users.
As a yield aggregator protocol, Cian sources its yield from multiple protocols. These are divided into three main categories depending on the yield source: staking yield, restaking yield, and lending yield sources. Examples include Lido Protocol for staking yield, Symbiotic, Mellow Protocol and Renzo Protocol for restaking yield, and Aave and Sparklend for lending yield sources. Aave and Lido were classified as _Stage 0_, the other mentioned protocols are not yet classified. Since user funds are invested into these protocols centralization risks are inherited through the dependencies. Exploitation through centralization vectors in the 3rd party protocols would lead to _loss of funds_ or _loss of unclaimed yield_ for users.


## Exit Window

The multisig can arbitrarily upgrade the Cian Yield layer contracts without a timelock mechanism, and likewise, the strategy and manager contracts can also be arbitrarily updated. Additionally, the EOA can make arbitrary changes to positions. This makes the Cian Yield layer achieve a high exit score.

Suggested change
The multisig can arbitrarily upgrade the Cian Yield layer contracts without a timelock mechanism, and likewise, the strategy and manager contracts can also be arbitrarily updated. Additionally, the EOA can make arbitrary changes to positions. This makes the Cian Yield layer achieve a high exit score.
There are no existing timelocks that create an exit window for contract upgrades through listed multisigs and EOAs in the permission owners table. All permissioned function calls are enforced immediately. This makes the Cian Yield layer achieve a _High_ Exit Window score.
