Inception Arbitrum Rate Providers - inETH & instETH

Fixes #74
balancer · Jun 24, 2024 · 89e4a25 · 89e4a25
2 parents ce460f9 + 05ad894
commit 89e4a25
Show file tree

Hide file tree

Showing 3 changed files with 187 additions and 0 deletions.
diff --git a/rate-providers/TollgateChronicleRateProvider.md b/rate-providers/TollgateChronicleRateProvider.md
@@ -0,0 +1,60 @@
+# Rate Provider: `TollgateChronicleRateProvider`
+
+## Details
+- Reviewed by: @mkflow27
+- Checked by: @danielmkm
+- Deployed at:
+    - [gnosis:0xdc90e2680094314CEaB45CE15100F6e02cEB7ceD](https://gnosisscan.io/address/0xdc90e2680094314ceab45ce15100f6e02ceb7ced#code)
+    - [gnosis:0x92320D3C8Fd6BE59b22eB0eEe330901Fe4617f33](https://gnosisscan.io/address/0x92320D3C8Fd6BE59b22eB0eEe330901Fe4617f33#code)
+- Audit report(s):
+    - [Chronicle audits](https://github.com/chronicleprotocol/scribe/tree/main/audits)
+
+## Context
+This rate Provider bridges the eth/reth exchange rate & GBP/USD to gnosis chain. This is done via an oracle solution developed by chronicle. 
+
+## Review Checklist: Bare Minimum Compatibility
+Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use.
+
+- [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface.
+- [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals.
+
+## Review Checklist: Common Findings
+Each of the items below represents a common red flag found in Rate Provider contracts.
+
+If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider.
+
+### Administrative Privileges
+- [ ] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address).
+
+- [ ] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price).
+
+### Oracles
+- [x] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes).
+    - reth/eth:
+        - source: Chronicle protocol Oracle
+        - source address: [gnosis:0xE04a8f725b49c9D36C0fD3495F4a792056374847](https://gnosisscan.io/address/0xe04a8f725b49c9d36c0fd3495f4a792056374847)
+        - any protections? YES
+            - The rate data's supplied age must be greater than the timestamp of last successful update
+            - the rate data's age must not be greater than current time
+            - The rate data's integrity is verified by the supplied signature. Currently `bar` (7) signers verify the rate's integrity. For more information see `_poke` and `isAcceptableSchnorrSignatureNow` as part of the PriceFeed `Chronicle_RETH_ETH_1` contract deployed at [gnosis:0x7706A143c750aDfc2196c4Bf84e6BB012Aed1182](https://gnosisscan.io/address/0x7706a143c750adfc2196c4bf84e6bb012aed1182#code)
+    - GBP/USD:
+        - source: Chronicle protocol Oracle
+        - source address: [gnosis:0x0E418d54863a3fAfeC9e96a358795f0f236f5f66](https://gnosisscan.io/address/0x0E418d54863a3fAfeC9e96a358795f0f236f5f66)
+        - any protections? YES
+            - The rate data's supplied age must be greater than the timestamp of last successful update
+            - the rate data's age must not be greater than current time
+            - The rate data's integrity is verified by the supplied signature. Currently `bar` (7) signers verify the rate's integrity. For more information see `_poke` and `isAcceptableSchnorrSignatureNow` as part of the PriceFeed `Chronicle_GBP_USD_1` contract deployed at [gnosis:0x0E418d54863a3fAfeC9e96a358795f0f236f5f66](https://gnosisscan.io/address/0x0E418d54863a3fAfeC9e96a358795f0f236f5f66#code)
+
+- [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price).
+
+### Common Manipulation Vectors
+- [ ] The Rate Provider is susceptible to donation attacks.
+
+## Additional Findings
+To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users.
+
+
+## Conclusion
+**Summary judgment: SAFE**
+
+This rate provider should work well with Balancer pools. The oracle providing the rate data has various guardrails in place ensuring the integrity of the rate being provided. The `owner` of the rate provider has the capability to revert the call to `getRate`. However this potential revert scenario is guarded behind a Multisig of [2/6] for reth and [2/6] for GBP.
diff --git a/rate-providers/registry.json b/rate-providers/registry.json
@@ -281,6 +281,36 @@
         }
       ]
     },
+    "0x3222d3De5A9a3aB884751828903044CC4ADC627e": {
+      "asset": "0x4186BFC76E2E237523CBC30FD220FE055156b41F",
+      "name": "RsETHRateProvider",
+      "summary": "safe",
+      "review": "./rsETHRateProviderArbitrum.md",
+      "warnings": ["donation"],
+      "factory": "",
+      "upgradeableComponents": [
+        {
+          "entrypoint": "0x349A73444b1a310BAe67ef67973022020d70020d",
+          "implementationReviewed": "0x8B9991f89Fc31600DCE064566ccE28dC174Fb8E4"
+        },
+        {
+          "entrypoint": "0x947Cb49334e6571ccBFEF1f1f1178d8469D65ec7",
+          "implementationReviewed": "0xc5cD38d47D0c2BD7Fe18c64a50c512063DC29700"
+        },
+        {
+          "entrypoint": "0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7",
+          "implementationReviewed": "0x60FF20BACD9A647e4025Ed8b17CE30e40095A1d2"
+        },
+        {
+          "entrypoint": "0x3D08ccb47ccCde84755924ED6B0642F9aB30dFd2",
+          "implementationReviewed": "0x0379E85188BC416A1D43Ab04b28F38B5c63F129E"
+        },
+        {
+          "entrypoint": "0x8546A7C8C3C537914C3De24811070334568eF427",
+          "implementationReviewed": "0xD7DB9604EF925aF96CDa6B45026Be64C691C7704"
+        }
+      ]
+    },
     "0x971b35225361535D04828F16442AAA54009efE1a": {
       "asset": "0x5A7a183B6B44Dc4EC2E3d2eF43F98C5152b1d76d",
       "name": "InceptionRatioFeed",
@@ -1193,6 +1223,24 @@
           "implementationReviewed": "0x5b522140fabeB6b6232336295581e63902e9b4ad"
         }
       ]
+    },
+    "0xdc90e2680094314CEaB45CE15100F6e02cEB7ceD": {
+      "asset": "0xc791240d1f2def5938e2031364ff4ed887133c3d",
+      "name": "TollgateChronicleRateProvider",
+      "summary": "",
+      "review": "./TollgateChronicleRateProvider.md",
+      "warnings": [],
+      "factory": "",
+      "upgradeableComponents": []
+    },
+    "0x92320D3C8Fd6BE59b22eB0eEe330901Fe4617f33": {
+      "asset": "0x5Cb9073902F2035222B9749F8fB0c9BFe5527108",
+      "name": "TollgateChronicleRateProvider",
+      "summary": "",
+      "review": "./TollgateChronicleRateProvider.md",
+      "warnings": [],
+      "factory": "",
+      "upgradeableComponents": []
     }
   },
   "mode": {

diff --git a/rate-providers/rsETHRateProviderArbitrum.md b/rate-providers/rsETHRateProviderArbitrum.md
@@ -0,0 +1,79 @@
+# Rate Provider: `RSETHRateReceiver`
+
+## Details
+- Reviewed by: @mkflow27
+- Checked by: @danielmkm
+- Deployed at:
+    - [arbitrum:0x3222d3De5A9a3aB884751828903044CC4ADC627e](https://arbiscan.io/address/0x3222d3de5a9a3ab884751828903044cc4adc627e#code)
+- Audit report(s):
+    - [Kelp audits](https://kelp.gitbook.io/kelp/audits)
+
+## Context
+rsETH is a Liquid Restaked Token (LRT) issued by Kelp DAO designed to offer liquidity to illiquid assets deposited into restaking platforms, such as EigenLayer. It aims to address the risks and challenges posed by the current offering of restaking. The Rate Provider reports the exchange Rate of rsETH - ETH. 
+
+## Review Checklist: Bare Minimum Compatibility
+Each of the items below represents an absolute requirement for the Rate Provider. If any of these is unchecked, the Rate Provider is unfit to use.
+
+- [x] Implements the [`IRateProvider`](https://github.com/balancer/balancer-v2-monorepo/blob/bc3b3fee6e13e01d2efe610ed8118fdb74dfc1f2/pkg/interfaces/contracts/pool-utils/IRateProvider.sol) interface.
+- [x] `getRate` returns an 18-decimal fixed point number (i.e., 1 == 1e18) regardless of underlying token decimals.
+
+## Review Checklist: Common Findings
+Each of the items below represents a common red flag found in Rate Provider contracts.
+
+If none of these is checked, then this might be a pretty great Rate Provider! If any of these is checked, we must thoroughly elaborate on the conditions that lead to the potential issue. Decision points are not binary; a Rate Provider can be safe despite these boxes being checked. A check simply indicates that thorough vetting is required in a specific area, and this vetting should be used to inform a holistic analysis of the Rate Provider.
+
+### Administrative Privileges
+- [x] The Rate Provider is upgradeable (e.g., via a proxy architecture or an `onlyOwner` function that updates the price source address).
+    - admin address: [arbitrum:0x96D97D66d4290C9182A09470a5775FF90DAf922c](https://arbiscan.io/address/0x96D97D66d4290C9182A09470a5775FF90DAf922c)
+    - admin type: multisig
+        - multisig threshold/signers: 2/4
+    - comment: The main access control check is done by comparing the `msg.sender` against the `layerZeroEndpoint`. The `layerZeroEndpoint` endpoint address can be upgraded by the RateProviders admin via: `updateLayerZeroEndpoint`.
+
+- [x] Some other portion of the price pipeline is upgradeable (e.g., the token itself, an oracle, or some piece of a larger system that tracks the price).
+    - upgradeable component: `LRTOracle` ([ethereum:0x349A73444b1a310BAe67ef67973022020d70020d](https://etherscan.io/address/0x349A73444b1a310BAe67ef67973022020d70020d))
+        - admin address: [ethereum:0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2](https://etherscan.io/address/0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2)
+        - admin type: multisig
+            - multisig threshold/signers: 3/5
+
+    - upgradeable component: `LRTConfig` ([ethereum:0x947Cb49334e6571ccBFEF1f1f1178d8469D65ec7](https://etherscan.io/address/0x947Cb49334e6571ccBFEF1f1f1178d8469D65ec7#code))
+        - admin address: [ethereum:0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2](https://etherscan.io/address/0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2)
+        - admin type: multisig
+            - multisig threshold/signers: 3/5
+
+    - upgradeable component: `RSETH` ([ethereum:0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7](https://etherscan.io/address/0xa1290d69c65a6fe4df752f95823fae25cb99e5a7))
+        - admin address: [ethereum:0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2](https://etherscan.io/address/0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2)
+        - admin type: multisig
+            - multisig threshold/signers: 3/5
+
+    - upgradeable component: `EthXPriceOracle` ([ethereum:0x3D08ccb47ccCde84755924ED6B0642F9aB30dFd2](https://etherscan.io/address/0x3D08ccb47ccCde84755924ED6B0642F9aB30dFd2#readProxyContract))
+        - admin address: [ethereum:0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2](https://etherscan.io/address/0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2)
+        - admin type: multisig
+            - multisig threshold/signers: 3/5
+
+    - upgradeable component: `SfrxETHPriceOracle` ([ethereum:0x8546A7C8C3C537914C3De24811070334568eF427](https://etherscan.io/address/0x8546A7C8C3C537914C3De24811070334568eF427#readProxyContract))
+        - admin address: [ethereum:0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2](https://etherscan.io/address/0xb9577E83a6d9A6DE35047aa066E3758221FE0DA2)
+        - admin type: multisig
+            - multisig threshold/signers: 3/5
+
+
+
+### Oracles
+- [ ] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes).
+
+- [ ] Price data is expected to be volatile (e.g., because it represents an open market price instead of a (mostly) monotonically increasing price).
+
+### Common Manipulation Vectors
+- [ ] The Rate Provider is susceptible to donation attacks.
+
+
+## Additional Findings
+To save time, we do not bother pointing out low-severity/informational issues or gas optimizations (unless the gas usage is particularly egregious). Instead, we focus only on high- and medium-severity findings which materially impact the contract's functionality and could harm users.
+
+### M-01: Hardcoded stETH price 
+The rsETH pricing logic loops over the involved assets pricing oracles. This includes the [pricing oracle for stETH](https://etherscan.io/address/0x4cB8d6DCd56d6b371210E70837753F2a835160c4#code). The price of stETH in the Rate Provider pricing system is set to 1e18 which can pose a risk depending on LIDOs operational staking integrity. 
+Recommendation: Consider replacing the hardcoded value to incorporate for example a stETH/ETH Chainlink price feed. 
+
+## Conclusion
+**Summary judgment: SAFE**
+
+This rate Provider can be considered fit for pool operations under the assumption that the stETH/ETH peg holds at 1:1. This should be made clear to users in the Balancer Pool.