Aspis

We express our gratitude to the Aspis team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

ASPIS is a decentralized asset management protocol. It operates as a smart contract factory, deploying on-chain asset management vaults tailored to various strategies, such as mutual funds and liquidity pool (LP) management.

The system users should acknowledge all the risks summed up in the risks section of the report

{FindingsVulnSeverityStatusTable}

Documentation quality

• Functional requirements are covered.

• A technical description is provided.

Code quality

• Well-structured architecture with clearly separated modules.

• Smart contract interactions are cleanly designed and logically organized.

• Follows Solidity best practices, including:

• • Proper event emissions

  • Access control mechanisms

  • Reentrancy guards

  • Custom error handling.

• Mathematical computations are accurate and aligned with protocol requirements.

• Effective integration and utilization of multiple oracle sources.

• Access control logic is encapsulated in a separate contract, providing a clear and modular authorization layer.

• Pool creation follows the Factory pattern, improving extensibility and consistency.

• System configuration is well-isolated and delegated to dedicated modules.

• Gas-efficient implementation with minimal redundancy, however, some gas inefficiencies and redundant logic duplications were found.

• The development environment is configured.

Test coverage

Code coverage of the project couldn't be measured due to the “stack too deep” error.

• Simple user interactions are tested.

• Some of the contracts are not tested at all. For instance, RedstonePullAdapter, ChainlinkAdapter, OneInchV6Decoder, OdosV2Decoder, etc.

• Negative test cases or multi-user interactions are partly covered.

Aspis Finance is a decentralized fund management protocol that allows users to create and participate in investment DAOs with automated governance and trading capabilities. The system consists of the following core contracts:

AspisPool — main pool contract that serves as the core of each investment DAO

• This is the primary contract that handles all fund operations including deposits, withdrawals, trading execution, and governance integration.

• Deposit/Withdrawal System: Users can deposit supported tokens (including ETH) during fundraising periods and receive LP tokens representing their share

• Trading Integration: Executes trades through whitelisted DEX protocols (Uniswap, 1inch, Odos) with slippage protection

• Fee Collection: Automatically collects entrance fees, fund management fees, performance fees, and rage quit fees

• Emergency Controls: Guardian can activate emergency stop to halt all operations

• EIP-1271 Signature Validation: Supports smart contract wallet signatures for governance

• Supported operations:

• • Fundraising with configurable time windows and deposit limits

  • Asset management through trusted protocol integrations

  • Liquidity provision and yield farming strategies

  • Governance proposal execution

AspisConfiguration — Configuration contract storing pool-specific parameters including fees, limits, supported tokens, and operational settings.

OneInchV6Decoder — Validates and decodes transaction data for 1inch V6 router calls to ensure only approved operations.

AspisLiquidityCalculatorV3 — Price calculator that aggregates multiple oracle sources to determine USD values of tokens and portfolio holdings.

AspisPoolFactory — Factory contract that deploys complete DAO ecosystems including pool, governance token, voting contract, and configuration.

ACL — Access control list system managing role-based permissions across the protocol with support for oracles and conditional permissions.

UniswapUniversalDecoder — Validates Uniswap Universal Router transaction data to ensure compliance with pool trading restrictions.

AspisLibrary — Utility library containing mathematical functions for fee calculations, deposit validation, and slippage tolerance checks.

UniswapAdapter — Price adapter that fetches token prices from Uniswap V3 pools for portfolio valuation.

AspisRegistry — Central registry managing protocol-wide settings, supported protocols/tokens, and DAO registration with fee configuration.

V4decoder — Specialized decoder for Uniswap V4 operations ensuring transaction compliance with pool parameters.

OdosV2Decoder — Validates transaction data for Odos V2 router calls to prevent unauthorized trading operations.

RedstonePullAdapter — Pull-based price adapter that fetches real-time token prices from Redstone oracles on-demand.

ChainlinkAdapter — Price adapter integrating with Chainlink price feeds for reliable token valuation data.

BytesLib — Low-level utility library providing functions for bytes manipulation and data extraction operations.

Permit2Lib — Integration library for Uniswap's Permit2 system enabling gasless token approvals and transfers.

1inchProtocolLib — Protocol-specific library containing validation logic and utilities for 1inch V6 integration.

AspisGuardian — Multi-role guardian contract with emergency powers and protocol-wide administrative capabilities.

BaseAdapter — Abstract base contract defining the interface and common functionality for all price adapters.

TimeHelpers — Utility contract providing time-related functions with mockable block number and timestamp getters for testing.

PullAdapter — Base contract for pull-based price adapters that fetch data on-demand from external sources.

PushAdapter — Base contract for push-based price adapters that receive regularly updated price data.

ECDSAExternal — External library for ECDSA signature operations and EIP-1271 smart contract signature validation.

Uint256Helpers — Utility library providing safe type conversion functions, particularly for uint256 to smaller integer types.

IACLOracle — Interface defining oracle contracts that can provide additional conditional logic for access control decisions.

AspisProposal — Contract component handling proposal validation and execution logic for DAO governance operations.

Proxy — Utility contract for creating and managing proxy deployments with initialization data encoding.

Privileged roles

Aspis Guardian Role

The Guardian has protocol-wide administrative powers and can:

• Set protocol trading commission (up to 0.5%) and manager commission (up to 5%)

• Add/remove supported trading protocols and tokens across all DAOs

• Register exchange decoders for trade validation

• Execute emergency functions on any pool through the guardian contract

• Update the pool factory address in the registry

Pool Manager Role

Each pool has a designated manager who can:

• Execute trades through supported protocols within spending limits

• Update their address (if permitted by pool configuration)

• Collect accumulated management fees

• Perform direct transfers (if enabled in configuration)

Pool Access Control Roles

The ACL system defines several key roles:

• UPGRADE_ROLE: Can upgrade pool contract implementations

• DAO_CONFIG_ROLE: Can update pool configuration parameters

• EXEC_ROLE: Can execute validated proposals and transactions

The scope of the project includes the following smart contracts from the provided repository:

Deployed Contracts

BSC Mainnet

Polygon

Base

Arbitrum

Assets in Scope