DAO Reviews

Minimal proxy contract and a DSProxy alternative

  1. Who you are and a brief description of the feature/project

My name is Bryan Stitt and I am working on some smart contracts as a way to learn Solidity. I find building things the best way to learn and so started working on atomic arbitrage between Uniswap and Curve (with freeing gas tokens).

While the initial use of these contracts was for atomic arbitrage, they can be used for combining all sorts of Ethereum smart contract functions. I’m currently working on a script that automates moving funds around curve.fi.

This project was more to learn than to make money doing arbitrage. It’s given me a reason to read all the various DEX and money market contracts. And it’s also helped me uncover (and report and fix) multiple bugs in truffle, ganache-cli, and brownie. That’s the real value to me.

  2. What’s the scope of the review? (e.g. github link, code snippet, private sharing)

I always plan to have all my smart contracts 100% open source: GitHub - SatoshiAndKin/argobytes-contracts-brownie (Smart contracts for atomic trading).

The (quickly written) readme has explanations for each contract, but there are a few that I would specifically like reviewed.

  • ArgobytesProxy: This is similar in functionality to DappHub’s DSProxy. The contract itself is rather simple (it pretty much just does a delegatecall, or a deploy and then delegatecall). I’d like to be sure there aren’t any major security flaws or gas optimizations that I am missing.

  • ArgobytesAuth/ArgobytesAuthority: I handle authentication differently than DSProxy. This contract makes it easy to authorize an address to call an arbitrary function on a contract. It’s rather simple, but I need to be sure that unauthorized addresses can never make any calls. My plans for this are to make it easy to script actions. For example, I could make a bot that each week claims the CRV rewards for my hardware wallet, sells them for stablecoins on Uniswap, and deposits them back into Curve. Then if someone hacks into my server with my bot’s keys, they won’t be able to steal my funds since they only have permission to call one contract function (though they could steal my gas money).

  • ArgobytesFactory: This deploys contracts with salts (so that we can have addresses with a bunch of 0 bytes). This part is probably secure, but any gas optimizations would be nice. It also deploys a modified EIP-1167 minimal proxy contract for only 69k gas. I’d like to be sure that my modifications for setting and loading the owner for the proxy with bytecode (instead of state) are correct.

  • Actions: You can review the various actions if you want, but they aren’t yet finished. Most of them are just notes to remind me of all the various contracts that I’ve already read.

  • I also wrote some rust code for analyzing DEXs and detecting arbitrage opportunities, but that is out of the current scope.

  3. What kind of review do you need? (e.g. security, high level, gas optimization…)

Security is the most important to me right now, but really all of the above. I think my high level design is already pretty good, but I definitely could be doing something stupidly. I’ve spent a little bit of time doing gas optimizations, but I am sure there are more.

  4. What’s the deadline? (e.g. 2 weeks, a month)

There’s no hard deadline, but I’d like to get my curve rebalancing script running in the next 2 weeks. That script currently depends on a private library for interacting with curve, but I hope for them to open source that soon (and then I’ll open source my script).

  5. Optional skills/level required for the reviewers

Experience with solidity required. Experience with brownie would be helpful.

  6. Incentives/Rewards for reviewers

Since this has just been for learning more than making money, I don’t yet have any rewards to give. Once my curve rebalancing script is done and shared publicly, I plan on adding (an optional) donation at the end of the transaction. I would happily share these donations with people who have contributed their time with review. I’m not even sure what a fair amount to ask for is. Suggestions welcome. I personally charge between $200 and $300 an hour for my work. So I am thinking that I could send donations your way until I’ve paid you back for your time (maybe plus some percentage since I didn’t pay up-front).

If the arbitrage stuff is ever finished (it’s highly competitive and so might not be worth it), I planned on contributing 1% of all profits to gitcoin. If anyone helps me here, I will pay them back from this 1% before sending funds to gitcoin.

If paying for your review after I get to mainnet is not acceptable, we can discuss paying now. I’m just not sure how to value a review at this point. Suggestions welcome.


Also, is there a style guide for comments? I’ve seen some things about natspec, but don’t know how to use it properly.

The style guide in the Solidity docs (Style Guide — Solidity 0.8.1 documentation) is pretty comprehensive. Solhint (GitHub - protofire/solhint, a linting utility for Solidity code) is the best option for an up-to-date linter that I am aware of, though there aren’t really any options that compare to the hyper-opinionated linters available for other languages.


Thank you! I somehow missed this natspec page in my searching.

https://docs.soliditylang.org/en/v0.8.1/natspec-format.html#natspec

Okay everyone. The last two weeks’ veCRV and yveCRV rewards have been much better than I had expected. I’m willing to pay for your time from my current rewards instead of once this project is live. Just let me know your rate. I have $2300 in 3crv right now and will have more once yveCRV rewards go out.

The offer to pay more if you wait until the project is live still stands.
