PlvGLP
Smart Contract Audit Report
AUDIT SUMMARY
Plutus DAO is creating a new staking platform which includes two new tokens.
For this audit, we reviewed Plutus DAO’s PlsGlpToken, PlvGlpToken, GlpDepositor, and GlpStaker contracts at commit 564ac32af9f2a867b70d3a1be68ad944f6c829ac on the team’s private GitHub repository.
Audit Summary
No Findings were identified, though centralized aspects are present.
Date: September 26th, 2022.
CONTRACTS OVERVIEW
- As the contracts are implemented with Solidity v0.8.x, they are safe from any possible overflows/underflows. PlvGlpToken Contract:
- This contract implements the ERC-4626 tokenized vault standard which allows users to deposit a specified token in exchange for minted shares.
- Shares represent a portion of the contract’s specified token balance and can be redeemed while redemption functionality is enabled and the GlpDepositor contract is not paused.
- Only the Operator, intended to be the GlpDepositor contract, can deposit, redeem, mint, and withdraw tokens.
- As a result, users must use the GlpDepositor contract in order to interact with this contract.
- The total supply of shares cannot exceed the specified supply cap.
- The owner can update the supply cap at any time.
- The owner can disable deposits, redemptions, mints, or withdrawals at any time.
- The owner can update the Operator address at any time.
- The Operator can mint any number of tokens to any address at any time.
- The Operator can burn any number of tokens from any address at any time.
- If “private transfer mode” is enabled, only “Handlers” can transfer tokens.
- The owner can update the Operator address at any time.
- The owner can toggle private transfer mode at any time.
- The owner can add or remove any address from the Handler list at any time.
- This contract can be used to deposit “sGLP” tokens into its associated staker address.
- Upon depositing, PlsGlp tokens are minted to this contract and deposited to the PlvGlpToken Vault on behalf of the depositor. The depositor is then minted PlvGlp tokens to represent their shares.
- PlvGlp tokens can be redeemed at any time for sGLP. This will first exchange the PlvGlp tokens for a portion of the vault’s PlsGlp token balance.
- A “rebate” percentage of the resulting PlsGlp token amount is transferred back into the vault; the remainder is burned.
- sGLP tokens are then transferred from the staker contract at a 1:1 ratio to the PlsGlp redemption amount.
- A default exit fee percentage is taken from this amount. A rebate percentage of this fee is kept in the staker contract, and the remainder of the fee is transferred to the Exit Fee Collector address.
- The remaining sGLP tokens after the exit fee is transferred to the redeemer.
- If a redeemer is a “Partner”, a custom exit fee and rebate percentage is used instead.
- Any address can donate sGLP to the staker contract through this contract at any time. This will also mint an equal amount of PlsGlp to the vault contract.
- Contracts cannot interact with this contract unless they have been added as a Partner or added to the Whitelist.
- As the sGLP and Whitelist contracts were not included in the scope of this audit, we are unable to provide an assessment with regards to security or functionality.
- The owner can update the default exit fee percentage and default vault rebate percentage to up to 100% each at any time.
- The owner can add or remove a Partner at any time.
- The owner can update a Partner’s custom exit fee and rebate percentages to any amounts at any time.
- The owner can update the Fee Collector address at any time.
- The owner can update the associated Whitelist address at any time.
- The owner can pause the contract at any time, disabling deposit and redemption functionality.
- The owner can withdraw any tokens or the blockchain’s native currency from this contract at any time.
- This contract is used to interact with external contracts in order to earn rewards on deposited funds.
- Any Operator can call the handleRewards() function at any time.
- This will collect any rewards earned from the associated RewardRouterV2 contract.
- A fee is taken from the resulting WETH balance of the contract. 80% of this fee is transferred to the Fee Collector address, and 20% is transferred to the caller in the form of ETH.
- The remaining WETH amount is transferred to the Compounder address. If compounding is enabled, additional functionality from the Compound address is executed.
- As the RewardRouterV2 and Compounder contracts were not included in the scope of this audit, we are unable to provide an assessment with regards to security or functionality.
- This contract can be upgraded by the owner at any time.
- The owner can update the fee to any amount less than 100% at any time.
- The owner can toggle compounding functionality at any time.
- The owner can update the Compounder, Depositor, and Fee Collector addresses at any time.
- The owner can add or remove any address from the Operator list at any time.
- The owner can withdraw any NFTs, ERC20 tokens, or the blockchain’s native currency from this contract at any time.