Asymetrix Protocol

We express our gratitude to the Asymetrix Protocol team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Asymetrix protocol is a decentralized, non-custodial protocol for asymmetric yield distribution generated from staking.

The system users should acknowledge all the risks summed up in the risks section of the report

Asymetrix protocol is the decentralized, non-custodial protocol for asymmetric yield distribution generated from staking. The files in the scope:

• PrizePool.sol - Escrows assets and deposits them into a yield source. Exposes interest to Prize Flush. Users deposit and withdraw from this contract to participate in the Prize Pool.

• Ticket.sol - The Ticket extends the standard ERC20 and ControlledToken interfaces with time-weighted average balance functionality. The average balance held by a user between two timestamps can be calculated, as well as the historic balance. The historic total supply is available, as well as the average total supply between two timestamps.

• TwabRewards.sol - Reward distributing contract. Distributes rewards to depositors in a pool.

• TWABDelegator.sol - Delegator contract allows accounts to easily delegate a portion of their tickets to multiple delegates.

• TwabLib.sol - Adds on-chain historical lookups to a user(s) time-weighted average balance.

• PrizeDistributor.sol - Holds Tickets (captured interest) and distributes tickets to users with winning draw claims.

• DrawBeacon.sol - Manages pushing Draws onto DrawBuffer.

• Reserve.sol - Provides historical lookups of a token balance increase during a target time range.

• PrizeDistributionFactory.sol - Populates a Prize Distribution Buffer for a prize pool.

• PrizeFlush.sol - The PrizeFlush contract helps capture interest from the PrizePool and move collected funds to a designated PrizeDistributor contract.

• DrawBuffer.sol - Provides historical lookups of Draws via a circular ring buffer. Historical Draws can be accessed on-chain using a drawId to calculate ring buffer storage slot.

• DrawCalculator.sol - Calculates the amount of user picks based on the user average weighted balance (during each draw period).

• EIP2612PermitAndDeposit.sol – Allows users to approve and deposit EIP-2612 compatible tokens into a prize pool in a single transaction.

• ControlledToken.sol - ERC20 contract with a controller for minting & burning.

• ASX.sol - ERC20 contract with voting and burning feature.

• PermitAndMulticall.sol - Allows a user to permit token spend and then call multiple functions on a contract.

• DrawRingBufferLib.sol - Library for creating and managing a draw ring buffer.

• ObservationLib.sol - Library allows one to store an array of timestamped values and efficiently binary search them.

• BeaconTimelockTrigger.sol - Passes the information about the current draw to the prizeDistributionFactory for the creation of a prizeDistribution.

• DrawCalculatorTimelock.sol - Pushes Draws to a DrawBuffer and routing claim requests from a PrizeDistributor to a DrawCalculator.

• Ownable.sol - Provides a basic access control mechanism, where there is an account (an owner) that can be granted exclusive access to specific functions.

• StakePrizePool.sol \- The Stake Prize Pool is a prize pool in which users can deposit an ERC20 token.

• Delegation.sol - A Delegation allows his owner to execute calls on behalf of the contract.

• Manageable.sol - Abstract manageable contract which provides a basic access control mechanism.

• BinarySearchLib.sol - BinarySearchLib uses binary search to find a parent contract struct with the drawId parameter.

• LowLevelDelegator.sol - Allows users to create delegations very cheaply.

• OverflowSafeComparatorLib.sol - OverflowSafeComparatorLib library to share comparator functions between contracts.

• RingBufferLib.sol - Library for managing the TWAB index.

• ExtendedSafeCastLib.sol - Downcasting from uint256/uint224, uint256/uint208, uint256/uint104

• ICompLike.sol - An interface contract for CompLike token.

• IPrizePool.sol - An interface contract for PrizePool.sol.

• ITicket.sol - An interface contract for Ticket.sol.

• IPrizeDistributor.sol - An interface contract for PrizeDistributor.sol.

• IPrizeDistributionBuffer.sol - An interface contract for PrizeDistributionBuffer.sol.

• IDrawBeacon.sol - An interface contract for DrawBeacon.sol.

• IPrizeFlush.sol - An interface contract for PrizeFlush.sol.

• IDrawCalculator.sol - An interface contract for DrawCalculator.sol.

• IDrawBuffer.sol - An interface contract for DrawBuffer.sol.

• IBeaconTimelockTrigger.sol - An interface contract for BeaconTimelockTrigger.sol.

• IDrawCalculatorTimelock.sol - An interface contract for DrawCalculatorTimelock.sol.

• IReserve.sol - An interface contract for Reserve.sol.

• IControlledToken.sol - An interface contract for ControlledToken.sol.

• IPrizeDistributionSource.sol - An interface contract for PrizeDistributionSource.sol.

• IPrizeDistributionFactory.sol \- An interface contract for PrizeDistributionFactory.sol.

Privileged roles

Owner:

• The PrizePool and StakePrizePool owner has the authority to set balance and liquidity caps, reward per second, claim interval, free exit duration, Lido APR, as well as set Ticket, DrawBeacon, and PrizeFlush addresses.

• The DrawBeacon owner can set a new DrawBuffer address and adjust the beaconPeriodSeconds.

• The DrawBuffer owner can create and set a new Draw, and can also set a new prizeDistributor address.

• The PrizeDistributionBuffer owner can create and set a new prizeDistribution.

• The PrizeDistributor owner can distribute rewards to winner addresses, withdraw ERC20 token from the contract, and set new DrawBuffer and prizeDistributionBuffer addresses and distribution percentages.

• The Reserve owner can withdraw ERC20 token from the contract.

• The Manageable owner can set a new manager address.

• The Ownable owner can renounce or transfer ownership.

• The PrizeDistributionFactory owner can create and set a prize distribution, as well as set minimum pick cost and end timestamps offset.

• The PrizeFlush owner can set destination, reserve, prizePool, protocolFeeRecipient addresses, and ProtocolFeePercentage. The owner can withdraw the reserve balance to the destination address.

• The BeaconTimelockTrigger owner can lock and push new prize distribution.

• The DrawCalculatorTimelock owner can set and edit the timelock.

• The Delegation owner can set delegation lock timestamp and execute low-level calls.

• The TWABDelegator owner can set minimum and maximum lock durations.

PendingOwner:

• The Ownable pendingOwner can claim ownership.

OnlyController:

• The controller address for the ControlledToken contract can mint and burn tokens.

Manager:

• The DrawBuffer manager can push a new Draw.

• The PrizeDistributionBuffer manager can create and set a new prizeDistribution.

• The PrizeDistributor manager can distribute rewards to winner addresses.

• The Reserve manager can withdraw ERC20 token from the contract.

• The PrizeDistributionFactory manager can create and set a new prize distribution.

• The PrizeFlush manager can withdraw the reserve balance to the destination address.

• The BeaconTimelockTrigger manager can lock and push a new prize distribution.

• The DrawCalculatorTimelock manager can set a new timelock.

The total Documentation quality score is 10 out of 10.

• Functional requirements are provided.

• Technical description is provided.

The total Code quality score is 9 out of 10.

• The code is heavily based on the following project: pool together →.

• The project follows style guidelines and best practices.

• The development environment is configured.

Code coverage of the project is 99.17% (branch coverage).

• Deployment and basic user interactions are covered with tests.

• PrizeDistributor.sol throws exceptions in draws and randomness.

• Two tests throw an “TypeError: ethers.getContract is not a function” exception.

Upon auditing, the code was found to contain 1 critical, 1 high, 12 medium, and 2 low severity issues. Out of these, 13 issues have been addressed and resolved, leading to a security score of 10 out of 10.

All identified issues are detailed in the “Findings” section of this report.

The comprehensive audit of the customer's smart contract yields an overall score of 9.7. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

The scope of the project includes the following smart contracts from the provided repository:

Contracts in Scope