[Completed] Idle Finance aave v2 wrapper review Ask

bugduino · February 22, 2021, 10:32am

Who you are and a brief description of the feature/project
I’m William from https://idle.finance, yield aggregator and rebalancing protocol
What’s the scope of the review? (e.g. github link, code snippet, private sharing)
Our community would love to test the dao.reviews model by requesting a review for our new aave v2 wrapper idle-contracts/IdleAaveV2.sol at develop · Idle-Labs/idle-contracts · GitHub + the diff (here | here | here) from our old IdleCompound wrapper to our new IdleCompoundETH wrapper. The aave wrapper contract is used as a proxy to mint and redeem from Aave v2 (You can find the current running version for aave v1 here) while the IdleCompoundETH (which is a copy of the audited IdleCompound wrapper with around 5 lines changed) is used as a proxy to mint and redeem ETH in Compound (while we only support WETH). The code for this wrapper it’s already used in one of our beta strategy, more info here
What kind of review do you need? (e.g. security, high level, gas optimization…)
We need a security review
What’s the deadline? (e.g. 2 weeks, a month)
The sooner the better The review should not take long btw ideally, given that’s around ~100 LOC
Optional skills/level required for the reviewers
Medium level, code for the 2 wrappers is self-contained
Incentives/Rewards for reviewers
30-60 IDLE per reviewer depending on the report and findings (max 2-3 reviewers for this review)

AlexTheEntreprenerd · February 24, 2021, 1:18pm

I’d say the biggest thing is ensuring that onlyIdle is an address that can be trusted

This pattern seems to be present in other wrappers so it may be fine

Hope this helps!

AlexTheEntreprenerd · February 24, 2021, 2:03pm

Link is now public, if you had issues accessing try again

bugduino · February 24, 2021, 3:13pm

Hi @AlexTheEntreprenerd , thanks for posting this, these are my comments

Double Check Please → this is the intended behaviour. This contract never holds funds
at the end of txs, mint and redeem are called only from the main idleToken contract (and should only be called by this contract).
IdleToken contract sends funds to the wrapper, the wrapper forward them to the lending protocol
and then it receives interest bearing assets (eg aDAI, cDAI, …) which are then sent back to the idleToken contract, all in the same tx.
"Initialized" is set but never used → it’s actually used to ensure that _approveProvider wont be called more than once
Addresses are set in the constructor → we are using solidity 0.5.16 so immutable is not available
Inconsistent return → this should return 0 if the minted amount is 0, which is the current behaviour, so not sure why it’s considered inconsistent

AlexTheEntreprenerd · February 24, 2021, 6:41pm

Wouldn’t you want to return the amount also when it’s greater than 0?

AlexTheEntreprenerd · February 24, 2021, 6:43pm

Makes sense

Makes sense, any specific reason why you are using 0.5.16 over more recent?

bugduino · February 25, 2021, 8:46am

It’s already implicitly returning aTokens given that it’s defined in the function signature (there are tests for this too).

All the repo and contracts are set to 0.5.16 (it’s a 1y and half old repo) so for now we have to keep this version.

AlexTheEntreprenerd · February 25, 2021, 2:38pm

Makes sense
Also, I’ve seen you already went through an audit and implemented all fixes.

Would love to see a second review to see how they’d do it

emilianobonassi · February 27, 2021, 3:03pm

Taking a look to it…

emilianobonassi · February 27, 2021, 4:27pm

First review for the Aave2 connector

Going ahead with IdleCompoundETH upgrade

emilianobonassi · February 28, 2021, 3:14pm

First review for the CompoundETH connector

Looking forward @bugduino

bugduino · February 28, 2021, 3:47pm

bugduino · February 28, 2021, 4:04pm

emilianobonassi · February 28, 2021, 8:09pm

Checked the fixes and comments, LGTM, closed the issue

emilianobonassi · February 28, 2021, 8:09pm

Checked the fixes, LGTM, closed the issue

Anyway I’ve appended an optional comment for consistency with the other fix you applied for Aave connector

bugduino · March 1, 2021, 9:47am

emilianobonassi · March 1, 2021, 12:38pm

Great LGTM!

bugduino · March 2, 2021, 9:22am

I think that the review can be considered concluded now and we can proceede with the payment of the bounties.

@emilianobonassi 60 IDLE: the review was accurate and with lots of implementable fixes and improvements. This is the overall quality expected for reviews imo
@AlexTheEntreprenerd 10 IDLE: the review should have been definetely more detailed and it lacked of actionable insights and fixes, given that no comment was incorporated, so that’s why I would reward it below 30 IDLE, but I would still want to grant Alex something for the time spent on this

I think you guys can post an address here and then the Idle Treasury Committee will proceede with the bounties

AlexTheEntreprenerd · March 2, 2021, 12:59pm

You live and you learn I appreciate the tip:
0xF9B2819B90697BE4f5D7AEF7AD9Cffe1f65e3d29

emilianobonassi · March 2, 2021, 8:49pm

Feel free to send the reward at 0x394495a3800d1504b5686d398836baefebd0c5b7

@AlexTheEntreprenerd, thanks for your help! If you want we can discuss off-line via tg how to improve your next reviews, feel free to ping me