Paribus

We express our gratitude to the Paribus team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Paribus is a cross-chain borrowing and lending protocol for NFTs, liquidity positions, synthetic assets and real world assets.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are present, but only at a high-level.

• • The project overview provides a basic understanding but lacks depth.

  • All roles in the system are described.

  • Requirements and System description can be found in Paribus Documentation →.

• Technical description is robust.

• • Run instructions are provided.

  • Technical specification is provided.

  • NatSpec is sufficient.

Code quality

• The development environment is configured.

• Solidity Style Guide violations.

• Best practice violations.

Test coverage

Code coverage of the project is 99.57% (branch coverage).

• Deployment and basic user interactions are covered with tests.

• Negative coverage is provided.

• Interactions by several users are tested.

Paribus is a decentralized, cross-chain lending and borrowing protocol designed to leverage the value of digitizable assets. The protocol supports a wide range of asset types, including NFTs, liquidity positions (LP tokens), synthetics, and other yield-bearing assets. By representing the value of these assets on-chain, Paribus allows users to unlock their full potential and generate passive income.

Paribus aims to provide a flexible and innovative DeFi solution that taps into the value of both conventional and unconventional crypto-assets.

The files in the scope:

• ./contracts/ErrorReporter.sol -  defines an error reporting mechanism for the Comptroller and other related contracts. It includes an Error enum to categorize different error types and a fail function to emit failure events when errors occur.

• ./contracts/Comptroller/ComptrollerInterfaces.sol - defines several interfaces for the Comptroller, which is a key component in the Paribus protocol responsible for managing the markets, setting parameters, and ensuring the stability of the system. The interfaces include methods for managing assets, setting policies, and handling administrative functions.

• ./contracts/Comptroller/ComptrollerStorage.sol - defines the storage structures used by the Comptroller, which include parameters and mappings for managing markets, collateral factors, PBX distributions, and various administrative controls.

• ./contracts/PNFTToken/PNFTToken.sol - defines the base for Paribus Non-Fungible Tokens (PNFTs), implementing various functions to handle the initialization, transfers, minting, redemption, and liquidation of PNFTs. It integrates with external contracts such as the Comptroller, Price Oracle, and several interfaces for handling underlying assets.

• ./contracts/PNFTToken/PNFTTokenInterfaces.sol - contains several contract interfaces and storage structures for the Paribus Non-Fungible Token (PNFT) system. These interfaces define the core functionalities and storage layout for PNFT contracts, including delegation, admin controls, and ERC-721 compatibility.

• ./contracts/PToken/PToken.sol - defines the PToken contract, which is an abstract base for Paribus tokens (PTokens). PTokens are used within the Paribus protocol to represent assets and handle various financial operations such as minting, redeeming, borrowing, repaying, and liquidating assets.

• ./contracts/PToken/PTokenInterfaces.sol - defines various interfaces and storage structures for PTokens within the Paribus protocol. These interfaces are used to standardize and implement the functionality of PTokens, which represent assets and manage their respective operations such as transfers, minting, redeeming, borrowing, repaying, and liquidations.

• ./contracts/PToken/PErc20/PErc20.sol - is an implementation of the PToken interface for ERC-20 tokens. It extends the PToken base contract, providing functionality for interacting with an underlying ERC-20 token.

• ./contracts/PToken/PErc20/PErc20Delegate.sol - extends the PErc20 contract and implements the PTokenDelegateInterface. It is designed to be used with a delegator contract that can delegate function calls to this implementation.

• ./contracts/PToken/PErc20/PErc20DelegateV2.sol - extends the PErc20Delegate contract and adds a borrowable flag, which can be set during initialization. This flag determines if the market supports borrowing, specifically useful for LP token markets.

• ./contracts/PriceOracle/ArbitrumPriceOracle.sol - contains multiple contracts for handling price oracles on the Arbitrum network, both for the mainnet and testnet environments.

• ./contracts/PriceOracle/PriceOracleInterfaces.sol - contains several interfaces (IOracle, IOracleNFT, ISourceOracle, INFPOracle) for different types of price oracles used within the Paribus protocol. These interfaces are used to fetch and verify the prices of various types of assets, including tokens, NFTs, and specific positions:

• ./contracts/PriceOracle/Impl/AggregatorOracle.sol - aggregates multiple source price oracles along with an NFT oracle to provide a unified price feed.

• ./contracts/PriceOracle/Impl/AlgebraV1PriceOracle.sol - oracle for obtaining prices from Algebra V1.

• ./contracts/PriceOracle/Impl/Api3PriceOracle.sol - oracle for obtaining prices from the API3 data feed.

• ./contracts/PriceOracle/Impl/ChainlinkPriceOracle.sol - oracle for obtaining prices from Chainlink data feeds.

• ./contracts/PriceOracle/Impl/SourceOracle.sol - base and derived contract for oracles that provide price data for tokens and NFTs.

• ./contracts/PriceOracle/Impl/UniV2PriceOracle.sol - provides a price oracle for Uniswap V2 liquidity pool tokens.

• ./contracts/PriceOracle/Impl/UniV3PriceOracle.sol - provides a price oracle for Uniswap V3 non-fungible positions.

• ./contracts/InterestRateModels/InterestRateModelInterface.sol - defines the interface for the Interest Rate Model, which is responsible for calculating the current interest rates for borrowing and supplying assets within the Paribus protocol.

• ./contracts/Interfaces/AlgebraV1Interfaces.sol - defines interfaces for interacting with Algebra V1.

• ./contracts/Interfaces/Api3Interfaces.sol - defines interfaces for interacting with the API3 protoco.

• ./contracts/Interfaces/ChainlinkInterfaces.sol - defines interfaces for interacting with Chainlink's decentralized oracle network, which provides reliable and tamper-proof data feeds.

• ./contracts/Interfaces/LPInterfaces.sol - defines interfaces for interacting with liquidity pool (LP) tokens.

• ./contracts/Interfaces/NFTXInterfaces.sol - defines interfaces for interacting with NFTX.

• ./contracts/Interfaces/ParibusOracleInterface.sol - defines the interface for interacting with the Paribus Oracle, which provides price data.

• ./contracts/Interfaces/SudoswapInterfaces.sol - defines interfaces for interacting with Sudoswap.

• ./contracts/Interfaces/UniswapV2Interfaces.sol - contains interfaces for interacting with Uniswap V2.

• ./contracts/Interfaces/UniswapV3Interfaces.sol - contains interfaces for interacting with Uniswap V3.

• ./contracts/Utils/ExponentialNoError.sol - exponential module for storing fixed-precision decimals.

Privileged roles

• The admin of the PNFTToken can do the following:

• • initialize the contract using PNFTToken::initialize().

  • set the pending admin using PNFTToken::_setPendingAdmin().

  • change the address of the nft comptroller via PNFTToken::_setComptroller().

  • change the id of the NFTXioVault using PNFTToken::_setNFTXioVaultId().

  • change the address of the SudoswapLSSVM pair PNFTToken::_setSudoswapLSSVMPairAddress().

• The pendingAdmin of the PNFTToken can accept their admin role via PNFTToken::_acceptAdmin().

• The admin of the AggregatorOracle can do the following:

• • change the address of the pending admin via AggregatorOracle::_setPendingAdmin().

  • add a UniswapV2 pair using AggregatorOracle::setUniV2SupportedPair().

• The pendingAdmin of the AggregatorOracle can accept their admin role via AggregatorOracle::_acceptAdmin().

• The owner of the UniV2PriceOracle can add a new supported pair via UniV2PriceOracle::setSupportedPair().

• The admin of the PErc20Delegate and PErc20DelegateV2 is allowed to call _becomeImplementation() and _resignImplementation() functions.

• The admin of the PToken can do the following:

• • initialize the contract using PToken::initialize().

  • set the address of the pendingAdmin using PToken::_setPendingAdmin().

  • set the address of the comptroller via PToken::_setComptroller().

  • set the protocolSeizeShareMantissa via PToken::_setProtocolSeizeShareMantissa().

  • set the reserve factor via PToken::_setReserveFactor().

  • reduce the reserves by calling PToken::_reduceReserves().

  • set the address of the interest rate model using PToken::_setInterestRateModel().

• The pendingAdmin of the PToken can accept their admin role via PToken::_acceptAdmin().

The scope of the project includes the following smart contracts from the provided repository: