Merlin Protocol

We express our gratitude to the Merlin Protocol team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

The Merlin protocol is a leading DeFi solution, integrating advanced blockchain tech with sophisticated investment strategies. It offers decentralized governance, admin tools, token allocation control, and automated rebalancing for dynamic adaptation to market conditions and investment goals

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are partially missed.

• The technical requirements are provided.

• NatSpec is provided.

Code quality

• Some best practices were violated.

• The naming conventions can be improved

• The development environment is configured.

Test coverage

Code coverage of the project is 0% (branch coverage).

• All of the tests provided were commented out.

Merlin Protocol is a decentralized market that provides several features like decentralized governance, administrative management of the fund, token allocation control, and an automatic rebalancing process with the following contracts:

Lock — a simple lock mechanism that enables an owner to lock funds until a specified future time. After this time has passed, the owner can withdraw the funds.

MerlinERC20 — an ERC20 token contract that mints all the supply to msg.sender.

It has the following attributes:

• Name: Merlin

• Symbol: MRN

• Decimals: 18

• Total supply: 50.000.000

MerlinFaucet — is designed to distribute free tokens on a testnet for testing purposes. Users can request tokens from the faucet contract by calling the faucet() function.

MerlinFund — an ERC20 token contract with advanced fund management features. Users can deposit funds to receive Merlin Fund tokens, request withdrawals, and claim pending withdrawals. The contract maintains a basket of funds and periodically rebalances it based on withdrawal requests and market conditions. Fees are applied to deposits, and price calculations are performed to ensure accurate asset valuations. Overall, the contract facilitates decentralized fund management and asset allocation.

The price of Merlin Fund token is calculated based on the following formula:

• Price of Merlin Fund token = (Total USD value of all different funds in the basket/platform + USDC balance of the contract) / total supply of Merlin Fund tokens

MerlinFundAdministrative — an admin contract that extends administrative functionalities for the Merlin Fund protocol. It allows setting addresses, managing whitelists, configuring fees, and facilitating ownership transfers.

MerlinFundModifier — a contract serves as the modifier storage of platform, defining key roles and restrictions. It manages access control for administrators, swap managers, and fee managers, while also enforcing conditions such as ensuring the fund's percentage allocation equals 100% and preventing swap processes from occurring simultaneously.

MerlinGovernor — a governance contract implements a governance system for the Merlin protocol, integrating various features such as voting, proposal execution, and timelock control. It extends several predefined contracts from the OpenZeppelin library to establish governance functionalities, including vote counting, quorum calculation, and timelock management.

RebalanceController — a contract that manages the automated rebalancing of token allocations within the Merlin protocol. It ensures timely rebalancing intervals, calculates token amounts for swaps 6 based on preset percentages, and executes swaps between different assets using external swap routers. This process helps maintain the desired portfolio composition within the protocol.

SwapController — a contract that facilitates token swaps within the Merlin protocol using Uniswap V3 routers. It includes functions to execute token swaps based on specified input parameters, such as token addresses and amounts.

TimeLock — is an implementation of a timelock mechanism using OpenZeppelin's TimelockController. It allows for the scheduling of transactions that can only be executed after a specified delay period, as set by the minDelay parameter.

TokenAllocationController — a contract that manages token allocations within a fund. It allows adding tokens, setting their percentages, adjusting percentages, and discarding tokens. Key features include adding tokens with associated addresses, adjusting percentages, and discarding tokens based on their current price.

Privileged roles

• The owner of the Lock contract can withdraw the contract balance when the lock period is over.

• The owner of MerlinFund contract can set the admin, add a new owner and transfer ownership.

• The admin of MerlinFund contract can set the swap manager address, set the USDC address, set swap internal durations, set protocol fee, add funds to platform, set aggregator and router addresses of funds, specify percentages of system funds, discard funds from the contract and, set fee manager address.

• The fee manager of MerlinFund contract can claim the accumulated protocol fees.

• The swap manager of Merlin Fund contract can execute the swap operation to rebalance the funds.

The scope of the project includes the following smart contracts from the provided repository:

Contracts in Scope