Swivel v3 Report: Integrations and Audit
Discover more from Swivel Finance
Swivel v3 Report: Integrations and Audit
A quick intro to Swivel v3 enhancements, integration partners and latest Code4rena audit
With the successful merge of the ETH2 beacon chain, it’s time to introduce Swivel v3 alongside our integration partners and review the recent Code4rena audit report of our new Swivel v3 codebase!
Swivel v3 TL;DR
Lido & Blockspace Capital Markets:
With the integration of Lido and upcoming integration of Rocketpool, Swivel v3 enables truly composable blockspace markets. Stakers can sleep sound with no slashing risks and no risk of a growing validator pool diluting their yield.
While other solutions might silo liquidity away from DeFi, Swivel’s partnership with Lido enables unique composability that our friends across FiatDAO, Contango, the Coop, and Illuminate (+ a few others in stealth) can harness.
Euler & Gauge Derivatives:
Further, Swivel v3 enables an extremely attractive opportunity for users to take advantage of the many benefits Euler offers over other money markets. With a composable UI, access to long tail assets, flexible interest rate models and optimized liquidations, Euler has established itself as an ideal venue for both borrowers and lenders making it an equally ideal venue for yield tokenization.
Moreover, Euler utilizes vote-based gauges that allocate Euler incentives to borrowers.
Swivel v3 then amplifies the opportunity that these gauges offer, providing EUL holders the ability to gain leverage on their gauge strategies.
Aave, Yearn & EIP-4626:
As contributors to EIP-4626, it only made sense for Swivel to be one of the first protocols to integrate with it, and the first in the fixed-rate space. This enables us to integrate any new liquidity source on launch with zero dev work, starting with FraxLend.
Further, with our additional new integrations, we are able to offer the highest rates possible with Yearn, while also widening our cross-chain scope with Aave.
Code4rena Audit Results
Swivel 3's recent audit found several readily addressed concerns.
For a full description of all findings, see the official audit report: Link
“High”-Risk Reports:
Yearn Integration Interface:
As defined in the docs for Euler, ERC4626, Compound and Aave, when withdrawing and depositing funds the amount specified corresponds exactly to how many of the underlying assets are deposited or withdrawn.
However, as specified byYearn, the yearn withdraw-amount parameter specifies how many shares are burnt instead of underlying assets retrieved.
While ERC4626 has standardized the inputs/outputs of various protocols, Yearn’s withdraw method had certain mis-matched interfaces which could have potentially led to a “stuck” market requiring recovery.
The fix for this was simple, and was implemented quickly – we aligned the interfaces correctly and everything was good to go.
“Medium”-Risk Reports:
Compounding Interest Generation:
VaultTracker neglects previously accrued interest while attempting to calculate new interest. This causes nToken holders to receive less yield than they should.
All functions within VaultTracker that calculate interest are affected, including addNotional, removeNotional, redeemInterest, transferNotionalFrom and transferNotionalFee.
While we considered this a design concern rather than an actual issue or risk report, we had previously reduced gas costs for users by assuming they would redeem any redeemable interest should it be significant enough to generate compounded yield.
With savings implemented elsewhere, we now generate that marginal compounded yield, and equally save gas through optimizations introduced in Swivel v3.
External Protocol Negative Yields:
Loss of funds in an underlying protocol would cause catastrophic loss of funds for Swivel
While this is generally the case for most protocols, the warden specifically identified issues that would allow the withdrawal of custodied funds and/or resulted in stuck funds should there have been an external protocol that has losses or negative yield.
This is not necessarily avoidable, however we implemented suggested ameliorations that significantly reduce our risk to acceptable levels.
EIP-5095 Allowances:
When creating ERC20.sol from Solmate, a require() in permit() was converted to a custom error incorrectly.
As the warden described, during the conversion of our 5095 to custom errors a comparison operator was incorrectly converted. This was ameliorated by changing one character and fixing the comparison.
Post-Maturity Interactions:
With most functions in VaultTracker.sol, users can call them only once after maturity has been reached.
So from the second call of any functions after maturity, it will revert and users might lose their funds or interests.
While users generally have no reason to interact with their vault multiple times after maturity (meaning one would have to intentionally go down this path), users could potentially lock their funds post maturity if using intentionally incorrect methods.
We ameliorated this by preventing these incorrect operations post-maturity.
Other:
Deprecated cToken Interfaces (Compound’s Bug):
Some Compound tokens will work with the current LibCompound, but some won't because they have a slightly different implementation.
Unknown to even most of the Compound team, their early cTokens have slightly different return interfaces. This would have led to the incorrect conversion of cTokens for early tokens such as cUSDC.
We implemented a fix that identifies which token type is returned before calculating any conversions, PRing this fix to other open-source projects likeLibCompound.
Whats Next
Swivel v3 Launch 🚀🚀🚀:
Stay tuned for the official launch date announcement this weekend!
Alongside the launch, we’re starting a new series to hype the world about all the different possibilities v3 enables, and introduce products that can truly “bank the bankless.”
With Swivel v3 and our upcoming integration partners, we will begin to truly provide users the products they need to escape traditional restrictions and crises, while providing 10x better user experiences to onboard these communities.
Ambassador Program 🎓:
Also stay tuned for more information on our upcoming ambassador program!
Becoming an ambassador is the easiest way to contribute, and we’re always looking to onboard more passionate people to the community!
Podcast Series — Index Coop 🦉:
We’re keeping it rolling with “The DeFi Fix”, so join in our next livestream and podcast with our friends from the Index Coop!
We’ll talk all things indexes as well as fixed-yields, and🚨 be sure to get a few more bits of alpha on some secret projects in the works across the DeFi space.
About Swivel Finance
Swivel is the protocol for fixed-rate lending and tokenized cash-flows.
Currently live on Mainnet, Swivel provides lenders the most efficient way to lock in a fixed rate as well as trade rates, and liquidity providers the most familiar and effective way to manage their capital.
Website | Substack | Discord | Twitter | Github | Gitcoin | Careers