Ajna Protocol contest details

• Total Prize Pool: $60,500 USDC
  • HM awards: $37,500 USDC
  • QA report awards: $5,000 USDC
  • Gas report awards: $2,500 USDC
  • Bot race awards: $5,000 USDC
  • Judge awards: $6,000 USDC
  • Lookout awards: $4,000 USDC
  • Scout awards: $500 USDC
• Join C4 Discord to register
• Submit findings using the C4 form
• Read our guidelines for more details
• Starts May 03, 2023 20:00 UTC
• Ends May 11, 2023 20:00 UTC

Automated Findings / Publicly Known Issues

Automated findings output for the contest can be found here.

Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.

Overview

About Ajna

The Ajna protocol is a non-custodial, peer-to-peer, permissionless lending, borrowing and trading system that requires no governance or external price feeds to function. The protocol consists of pools: pairings of quote tokens provided by lenders and collateral tokens provided by borrowers. Ajna is capable of accepting fungible tokens as quote tokens and both fungible and non-fungible tokens as collateral tokens.

Resources

• Twitter
• Website
• Business Logic recording
• Whitepaper
• Ajna Technical Spec
• ELI5
• Technical Diagrams Pools
• Technical Diagrams Grants

On-chain context

Deployment (by contract)

Contract	Networks
RewardsManager.sol	Ethereum mainnet, Arbitrum, Optimism, Binance Smart Chain, Polygon, Fantom, Tron, Avalanche
PositionManager.sol	Ethereum mainnet, Arbitrum, Optimism, Binance Smart Chain, Polygon, Fantom, Tron, Avalanche
GrantFund.sol	Ethereum mainnet

Scope

Files in scope

File	SLOC	Description	Libraries
Contracts (3)
ajna-grants/src/grants/GrantFund.sol	32		@oz/*
ajna-core/src/PositionManager.sol 🖥 Σ	186	This contract holds the LP position of lenders and gives them an ERC721 token representing their position in exchange	@openzeppelin/*
ajna-core/src/RewardsManager.sol Σ	386	This contract provides rewards (in Ajna token) to Ajna lenders who lock up their ERC721 position from the PositionManager.sol contract	@openzeppelin/*
Abstracts (3)
ajna-grants/src/grants/base/Funding.sol 🖥 🧮 Σ	66		@oz/*
ajna-grants/src/grants/base/ExtraordinaryFunding.sol 🧮	102		@oz/*
ajna-grants/src/grants/base/StandardFunding.sol 🧮 Σ	372		@oz/*
Libraries (1)
ajna-grants/src/grants/libraries/Maths.sol	38
Interfaces (4)
ajna-grants/src/grants/interfaces/IGrantFund.sol	21
ajna-grants/src/grants/interfaces/IFunding.sol	35
ajna-grants/src/grants/interfaces/IExtraordinaryFunding.sol	41
ajna-grants/src/grants/interfaces/IStandardFunding.sol	112
Total (over 11 files):	1391

All other source contracts (out of scope)

File	SLOC	Description	Libraries
Contracts (7)
ajna-grants/src/token/AjnaToken.sol	25		@oz/*
ajna-grants/src/token/BurnWrapper.sol	27		@oz/*
ajna-core/src/ERC20PoolFactory.sol 🧮 🌀	38		@clones/*
ajna-core/src/ERC721PoolFactory.sol 🧮 🌀 ♻️ Σ	59		@clones/* @openzeppelin/*
ajna-core/src/ERC20Pool.sol	261		@openzeppelin/*
ajna-core/src/PoolInfoUtils.sol	307
ajna-core/src/ERC721Pool.sol Σ	321
Abstracts (4)
ajna-core/src/base/PoolDeployer.sol	19
ajna-core/src/base/FlashloanablePool.sol 🧮	49		@openzeppelin/*
ajna-core/src/base/PermitERC721.sol 🖥 🧮 🔖	72		@openzeppelin/*
ajna-core/src/base/Pool.sol	458		@clones/* @openzeppelin/*
Libraries (12)
ajna-core/src/libraries/internal/Maths.sol	47
ajna-core/src/libraries/internal/Buckets.sol	69
ajna-core/src/libraries/external/PositionNFTSVG.sol	108		@openzeppelin/* @base64-sol/*
ajna-core/src/libraries/internal/Loans.sol	122
ajna-core/src/libraries/external/LPActions.sol Σ	140
ajna-core/src/libraries/internal/Deposits.sol	186
ajna-core/src/libraries/external/PoolCommons.sol	218		@prb-math/*
ajna-core/src/libraries/external/SettlerActions.sol	260
ajna-core/src/libraries/external/BorrowerActions.sol	261
ajna-core/src/libraries/external/KickerActions.sol	270
ajna-core/src/libraries/external/LenderActions.sol Σ	393
ajna-core/src/libraries/external/TakerActions.sol	423		@prb-math/*
Interfaces (43)
ajna-core/src/interfaces/pool/commons/IPoolBorrowerActions.sol	4
ajna-core/src/interfaces/pool/erc20/IERC20PoolImmutables.sol	4
ajna-core/src/interfaces/pool/erc721/IERC721PoolErrors.sol	4
ajna-core/src/interfaces/pool/erc721/IERC721PoolImmutables.sol	4
ajna-core/src/interfaces/pool/commons/IPoolSettlerActions.sol	7
ajna-core/src/interfaces/rewards/IRewardsManagerDerivedState.sol	7
ajna-core/src/interfaces/pool/IPoolFactory.sol	8
ajna-core/src/interfaces/pool/commons/IPoolImmutables.sol	8
ajna-core/src/interfaces/pool/erc20/IERC20PoolLenderActions.sol	8
ajna-core/src/interfaces/pool/erc20/IERC20Taker.sol	8
ajna-core/src/interfaces/pool/erc721/IERC721Taker.sol	8
ajna-core/src/interfaces/rewards/IRewardsManagerErrors.sol	8
ajna-core/src/interfaces/pool/erc20/IERC20PoolFactory.sol	9
ajna-core/src/interfaces/position/IPositionManagerErrors.sol	9
ajna-core/src/interfaces/pool/IERC3156FlashBorrower.sol	10
ajna-core/src/interfaces/position/IPositionManagerState.sol	10
ajna-core/src/interfaces/pool/erc721/IERC721PoolFactory.sol	12
ajna-core/src/interfaces/pool/erc721/IERC721PoolLenderActions.sol	13
ajna-core/src/interfaces/position/IPositionManager.sol	14
ajna-core/src/interfaces/rewards/IRewardsManager.sol	14
ajna-core/src/interfaces/pool/erc20/IERC20PoolEvents.sol	15
ajna-core/src/interfaces/pool/commons/IPoolKickerActions.sol	16
ajna-core/src/interfaces/pool/erc20/IERC20PoolBorrowerActions.sol	16
ajna-core/src/interfaces/pool/erc721/IERC721PoolBorrowerActions.sol	16
ajna-core/src/interfaces/pool/IERC3156FlashLender.sol	17
ajna-core/src/interfaces/pool/commons/IPoolDerivedState.sol	17
ajna-core/src/interfaces/pool/commons/IPoolTakerActions.sol	17
ajna-core/src/interfaces/pool/erc721/IERC721PoolState.sol	17
ajna-core/src/interfaces/pool/erc20/IERC20Pool.sol	18
ajna-core/src/interfaces/pool/erc721/IERC721PoolEvents.sol	20
ajna-core/src/interfaces/pool/erc721/IERC721Pool.sol	22
ajna-core/src/interfaces/pool/commons/IPoolLenderActions.sol	23
ajna-core/src/interfaces/rewards/IRewardsManagerOwnerActions.sol	23
ajna-core/src/interfaces/position/IPositionManagerDerivedState.sol	25
ajna-core/src/interfaces/pool/commons/IPoolLPActions.sol	28
ajna-core/src/interfaces/position/IPositionManagerEvents.sol	30
ajna-core/src/interfaces/rewards/IRewardsManagerEvents.sol	31
ajna-core/src/interfaces/rewards/IRewardsManagerState.sol	34
ajna-core/src/interfaces/position/IPositionManagerOwnerActions.sol	43
ajna-core/src/interfaces/pool/commons/IPoolErrors.sol	44
ajna-core/src/interfaces/pool/IPool.sol	47
ajna-core/src/interfaces/pool/commons/IPoolState.sol	142
ajna-core/src/interfaces/pool/commons/IPoolEvents.sol	145
Structs (1)
ajna-core/src/interfaces/pool/commons/IPoolInternals.sol	33
Constants (1)
ajna-core/src/libraries/helpers/PoolHelper.sol	199		@prb-math/*
Other (2)
ajna-core/src/libraries/helpers/SafeTokenNamer.sol	45
ajna-core/src/libraries/helpers/RevertsHelper.sol	64
Total (over 70 files):	5449

External imports

• @base64-sol/base64.sol
  • ajna-core/src/libraries/external/PositionNFTSVG.sol
• @clones/Clone.sol
  • ajna-core/src/base/Pool.sol
• @clones/ClonesWithImmutableArgs.sol
  • ajna-core/src/ERC20PoolFactory.sol
  • ajna-core/src/ERC721PoolFactory.sol
• @openzeppelin/contracts/interfaces/IERC1271.sol
  • ajna-core/src/base/PermitERC721.sol
• @openzeppelin/contracts/security/ReentrancyGuard.sol
  • ajna-core/src/PositionManager.sol
  • ajna-core/src/RewardsManager.sol
  • ajna-core/src/base/Pool.sol
• @openzeppelin/contracts/token/ERC20/ERC20.sol
  • ajna-core/src/PositionManager.sol
• @openzeppelin/contracts/token/ERC20/IERC20.sol
  • ajna-core/src/ERC20Pool.sol
  • ajna-core/src/PositionManager.sol
  • ajna-core/src/RewardsManager.sol
  • ajna-core/src/base/FlashloanablePool.sol
  • ajna-core/src/base/Pool.sol
• @openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol
  • ajna-core/src/ERC20Pool.sol
  • ajna-core/src/PositionManager.sol
  • ajna-core/src/RewardsManager.sol
  • ajna-core/src/base/FlashloanablePool.sol
  • ajna-core/src/base/Pool.sol
• @openzeppelin/contracts/token/ERC721/ERC721.sol
  • ajna-core/src/PositionManager.sol
  • ajna-core/src/base/PermitERC721.sol
• @openzeppelin/contracts/token/ERC721/IERC721.sol
  • ajna-core/src/RewardsManager.sol
• @openzeppelin/contracts/utils/Address.sol
  • ajna-core/src/base/PermitERC721.sol
• @openzeppelin/contracts/utils/introspection/IERC165.sol
  • ajna-core/src/ERC721PoolFactory.sol
• @openzeppelin/contracts/utils/Multicall.sol
  • ajna-core/src/PositionManager.sol
  • ajna-core/src/base/Pool.sol
• @openzeppelin/contracts/utils/Strings.sol
  • ajna-core/src/libraries/external/PositionNFTSVG.sol
• @openzeppelin/contracts/utils/structs/EnumerableSet.sol
  • ajna-core/src/PositionManager.sol
• @oz/governance/utils/IVotes.sol
  • ajna-grants/src/grants/base/Funding.sol
• @oz/security/ReentrancyGuard.sol
  • ajna-grants/src/grants/base/Funding.sol
• @oz/token/ERC20/ERC20.sol
  • ajna-grants/src/token/AjnaToken.sol
  • ajna-grants/src/token/BurnWrapper.sol
• @oz/token/ERC20/extensions/draft-ERC20Permit.sol
  • ajna-grants/src/token/AjnaToken.sol
  • ajna-grants/src/token/BurnWrapper.sol
• @oz/token/ERC20/extensions/ERC20Burnable.sol
  • ajna-grants/src/token/AjnaToken.sol
  • ajna-grants/src/token/BurnWrapper.sol
• @oz/token/ERC20/extensions/ERC20Votes.sol
  • ajna-grants/src/token/AjnaToken.sol
• @oz/token/ERC20/extensions/ERC20Wrapper.sol
  • ajna-grants/src/token/BurnWrapper.sol
• @oz/token/ERC20/extensions/IERC20Metadata.sol
  • ajna-grants/src/token/BurnWrapper.sol
• @oz/token/ERC20/IERC20.sol
  • ajna-grants/src/grants/GrantFund.sol
  • ajna-grants/src/grants/base/ExtraordinaryFunding.sol
  • ajna-grants/src/grants/base/StandardFunding.sol
  • ajna-grants/src/token/BurnWrapper.sol
• @oz/token/ERC20/utils/SafeERC20.sol
  • ajna-grants/src/grants/GrantFund.sol
  • ajna-grants/src/grants/base/StandardFunding.sol
• @oz/utils/Address.sol
  • ajna-grants/src/grants/base/Funding.sol
• @oz/utils/math/SafeCast.sol
  • ajna-grants/src/grants/base/ExtraordinaryFunding.sol
  • ajna-grants/src/grants/base/Funding.sol
  • ajna-grants/src/grants/base/StandardFunding.sol
• @prb-math/contracts/PRBMathSD59x18.sol
  • ajna-core/src/libraries/external/PoolCommons.sol
  • ajna-core/src/libraries/external/TakerActions.sol
  • ajna-core/src/libraries/helpers/PoolHelper.sol
• @prb-math/contracts/PRBMathUD60x18.sol
  • ajna-core/src/libraries/external/PoolCommons.sol

Scoping Details

- If you have a public code repo, please share it here:
  - [grants](https://github.com/ajna-finance/ajna-grants)
  - [RewardsManager](https://github.com/ajna-finance/ajna-core/blob/main/src/RewardsManager.sol)
  - [PositionsManager](https://github.com/ajna-finance/ajna-core/blob/main/src/PositionsManager.sol)
- How many contracts are in scope?:   3
- Total SLoC for these contracts?:  1191
- How many external imports are there?: 22 
- How many separate interfaces and struct definitions are there for the contracts within scope?:  15 interfaces and 15 structs
- Does most of your code generally use composition or inheritance?:   Inheritance
- How many external calls?:   0
- What is the overall line coverage percentage provided by your tests?:  100
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?:   true
- Please describe required context:   It may be helpful for auditors to gain an understanding of how positions manifest themselves as LP inside of the core pool contracts via methods like `addQuoteToken()` to better understand `PositionManager.sol`. Additionally, an understanding of reserve auctions (`kickReserveAuction()` and `takeReserves()`) will assist auditors in understanding and auditing `RewardsManager.sol`. `ajna-grants/src/grants` is relatively self encapsulating.
- Does it use an oracle?:  No
- Does the token conform to the ERC20 standard?:  True -> the Ajna token
- Are there any novel or unique curve logic or mathematical models?: Listed in a whitepaper
- Does it use a timelock function?:  No
- Is it an NFT?: True -> in `PositionManager.sol` one is created of a user's position
- Does it have an AMM?: Swapping exists in the pool contracts but is out of scope for this audit
- Is it a fork of a popular project?:   False
- Does it use rollups?:   
- Is it multi-chain?:  True
- Does it use a side-chain?: False

Previous Audits

• Sherlock report
• Trail of Bits report

Tests

Quickstart command

export ETH_RPC_URL='<RPC_URL_HERE>' && export QUOTE_PRECISION=18 && export COLLATERAL_PRECISION=18 && export BUCKET_INDEX_ERC20=2570 && export BUCKET_INDEX_ERC721=850 && export NO_OF_BUCKETS=3 && rm -Rf 2023-05-ajna || true && git clone https://github.com/code-423n4/2023-05-ajna.git -j8 --recurse-submodules && cd 2023-05-ajna && foundryup -v nightly-87bc53fc6c874bd4c92d97ed180b949e3a36d78c && cd ajna-grants && make test-with-gas-report && cd .. && cd ajna-core && make test-with-gas-report && cd ..

NOTE:

• install foundry by running foundryup -v nightly-87bc53fc6c874bd4c92d97ed180b949e3a36d78c (this version is required due to breaking changes introduced in foundry-rs/foundry#4827)
• Follow instructions in each sub repo -> Make a copy of .env.example and name it .env add the values for
  • ETHERSCAN_TOKEN - required by brownie to verify contract sources
  • WEB3_INFURA_PROJECT_ID - required by brownie to fork chain
  • ETH_RPC_URL - required by forge to fork chain
  • QUOTE_PRECISION - required by invariant tests
  • COLLATERAL_PRECISION - required by invariant tests
  • BUCKET_INDEX_ERC20 - required by invariant tests
  • BUCKET_INDEX_ERC721 - required by invariant tests
  • NO_OF_BUCKETS - required by invariant tests

clone down and cd into the repo

git clone https://github.com/code-423n4/2023-05-ajna.git && cd 2023-05-ajna

Grants

cd into sub repo:

cd ajna-grants

To run unit tests:

make tests

To run unit tests with gas report:

make test-with-gas-report

PositionManager and RewardsManager

cd into sub repo:

cd ajna-core

To run unit tests:

make test

To run unit tests with gas report:

make test-with-gas-report

Known slither issues

Issue	File Effected	Reason / Explanation
Arbitrary from in transferFrom	src/base/FlashloanablePool.sol#48-52	Implemented as designed so auctions can be atomically swapped
Incorrect ERC20 function interface	src/interfaces/pool/IPool.sol#57-61	Non-issue believe to be slither related
Dangerous strict equalities	src/base/Pool.sol#384	Implemented as designed to restrict contract surface area
Dead code	src/base/FlashloanablePool.sol#89-93	dead code is from the abstract contract, implemented by concrete contracts
State variables that could be declared immutable	src/ERC20PoolFactory.sol#25	Limits Ajna to specific chain, no action
State variables that could be declared immutable	src/base/PoolDeployer.sol#19	Limits Ajna to specific chain, no action

Known Contracts That Exceed Spurious Dragon Req
src/ERC20PoolFactory.sol
src/ERC20Pool.sol
src/RewardsManager.sol
src/PositionManager.sol
src/ERC721PoolFactory.sol
src/ERC721Pool.sol