In short, this is one of the most widely used DeFi protocols; many Web3 teams integrate it into their own projects, and if this is done incorrectly it can lead to attacks and the loss of users' funds, which should never be allowed.
Looking at this month's never-ending hacks, one wonders why they happen so frequently. Have audit firms actually gotten worse at what they do? In my opinion, that is not the case; the topic is trickier than it looks, because there are concrete ways in which you can reduce the risks to yourself and your project!
When confronted with such an issue, the only thing left to do is to address it logically: in other words, how can we influence this unfavorable situation?
Secondly, we can try to build a line of defense that works even before anything goes wrong, that is, write the code correctly first and carry out every operation properly and safely. This is what we'll cover in this post about integrating CurveV1 into your project!
In this article we also share tips that we have acquired over years of auditing such integrations. You will also find a list of tools and research for self-study; we strongly recommend reading it separately for a better understanding.
First and foremost, we would like to express our heartfelt gratitude to the Curve.fi designers, everyone who supports it, the authors of all the resource materials and, of course, our in-team auditors who have assisted us by providing much-needed information and lifting the veil of secrecy!
I would also like to take this opportunity to thank my comrades at LobsterDAO (the best chat on my list; see also Sov's Compendium and their Twitter), whose name came from a Curve deployment during the DeFi summer of 2020; read more about this story here and here.
I'd like to point out that the author of this post, your most humble servant, was astounded by how large the project has grown and that it began in the chat room where I happen to be an admin. It's fantastic that history is becoming more tangible in Web3 these days!
Going back to our primary topic, this article focuses only on those aspects that are genuinely useful for auditing and bug bounty hunting and that are not described anywhere else. We can confidently say that such tips can be read publicly in only a few places, and our blog is one of them!
We also hope you find today’s article informative and helpful!
Following the tips below can significantly improve the security of your integration:
Registry.Swaps is a very gas-intensive component, in particular the functions get_best_rate and exchange_with_best_rate; therefore you should not call them on-chain.
It is better to call Swaps.get_best_rate off-chain and then use Swaps.exchange on-chain with the pool it selected.
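The quote-off-chain, execute-on-chain pattern above is easier to reason about with a runnable model. The following is an added example, not code from Curve or from this article: the pool maths is a constant-product stand-in (real Curve pools use the StableSwap invariant), the `Pool`, `get_best_rate`, `min_expected` and `run_scenario` names are assumptions, and the reserves are constructed. What it shows is the part of the pattern that protects funds: the best-rate scan happens off-chain where gas is free, and the on-chain `exchange` call carries a minimum output so that a pool-state change between quote and execution reverts instead of silently filling at a worse rate.

```python
"""Quote off-chain, guard on-chain.

Added example, not Curve's code. Pool maths is a constant-product stand-in
(real Curve pools use the StableSwap invariant); the point is the pattern:
scan pools off-chain, then call exchange on one pool with a minimum output.
"""
from dataclasses import dataclass

BPS = 10_000


@dataclass
class Pool:
    """Constructed toy pool: two reserves and a swap fee in basis points."""
    name: str
    reserve_in: int
    reserve_out: int
    fee_bps: int = 4  # 0.04 %

    def get_dy(self, dx: int) -> int:
        """Output for dx input; the fee is taken on the input side."""
        dx_net = dx * (BPS - self.fee_bps) // BPS
        return self.reserve_out * dx_net // (self.reserve_in + dx_net)

    def exchange(self, dx: int, min_dy: int) -> int:
        """On-chain side (like Swaps.exchange's _expected): revert if output < min_dy."""
        dy = self.get_dy(dx)
        if dy < min_dy:
            raise RuntimeError(f"{self.name}: got {dy}, expected at least {min_dy}")
        self.reserve_in += dx
        self.reserve_out -= dy
        return dy


def get_best_rate(pools: list, dx: int) -> tuple:
    """Off-chain counterpart of Swaps.get_best_rate: a full scan costs no gas here."""
    best = max(pools, key=lambda p: p.get_dy(dx))
    return best, best.get_dy(dx)


def min_expected(quoted_dy: int, slippage_bps: int) -> int:
    """Minimum output to pass on-chain: the quoted amount minus a tolerance."""
    return quoted_dy * (BPS - slippage_bps) // BPS


def run_scenario() -> tuple:
    """Constructed scenario: we quote, another trade lands first, ours reverts."""
    pools = [Pool("A", 1_000_000, 1_000_000), Pool("B", 1_000_000, 1_002_000)]
    dx = 10_000
    best, quoted = get_best_rate(pools, dx)            # off-chain
    min_dy = min_expected(quoted, slippage_bps=50)     # 0.5 % tolerance
    best.exchange(100_000, 0)                          # someone else trades ahead of us
    try:
        best.exchange(dx, min_dy)                      # our on-chain call
        rejected = False
    except RuntimeError:
        rejected = True
    return best.name, quoted, min_dy, rejected


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario selects pool B with a quote of 9916, sets a floor of 9866, and the guarded call is rejected after the other trade moves the pool; without the floor the same call would fill at roughly 8200. The tolerance is a policy choice: too tight and honest transactions revert under normal price movement, too loose and the guard stops protecting anything.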
You can't expect all lending pools (and their corresponding DepositZap contracts) to implement the same API. For example, there are old and new DepositZaps whose methods differ in return values or argument types.
Try not to process Curve pools in a loop!
You also need to check the ABI of each lending pool separately!
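Checking each ABI by hand is error-prone, so a small comparison script helps. The following is an added example, not code from Curve or from this article: the two ABI fragments are constructed to mirror the kind of drift the text describes (a different array length in `add_liquidity`, an extra argument and a missing return value in `remove_liquidity_one_coin`) and are not the real DepositZap ABIs; the function names `function_signatures` and `diff_abis` are assumptions. It reduces every function to its canonical input and output types and reports the names whose signatures do not match, which is exactly what breaks when one integration contract is pointed at a different zap generation.

```python
"""Detect ABI drift between two generations of a DepositZap-style contract.

Added example, not Curve's code. The ABI fragments are constructed for
illustration and are not the real contract ABIs.
"""
import json


def _canon_type(param: dict) -> str:
    """Canonical ABI type string; tuples are expanded into their components."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(_canon_type(c) for c in param["components"])
        return "(" + inner + ")" + t[len("tuple"):]   # keep an array suffix such as tuple[]
    return t


def function_signatures(abi: list) -> dict:
    """name -> set of (input_types, output_types); overloads keep every variant."""
    sigs = {}
    for entry in abi:
        if entry.get("type") != "function":
            continue
        ins = "(" + ",".join(_canon_type(p) for p in entry.get("inputs", [])) + ")"
        outs = "(" + ",".join(_canon_type(p) for p in entry.get("outputs", [])) + ")"
        sigs.setdefault(entry["name"], set()).add((ins, outs))
    return sigs


def diff_abis(abi_a: list, abi_b: list) -> dict:
    """Functions whose presence or signature differs: name -> (sigs_a, sigs_b)."""
    a, b = function_signatures(abi_a), function_signatures(abi_b)
    report = {}
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            report[name] = (sorted(a.get(name, ())), sorted(b.get(name, ())))
    return report


# Constructed ABI fragments (abbreviated; real ABIs carry more entries).
OLD_ZAP_ABI = json.loads("""[
 {"type":"function","name":"add_liquidity","stateMutability":"nonpayable",
  "inputs":[{"name":"_amounts","type":"uint256[3]"},{"name":"_min_mint_amount","type":"uint256"}],
  "outputs":[]},
 {"type":"function","name":"remove_liquidity_one_coin","stateMutability":"nonpayable",
  "inputs":[{"name":"_token_amount","type":"uint256"},{"name":"i","type":"int128"},
            {"name":"_min_amount","type":"uint256"},{"name":"_donate_dust","type":"bool"}],
  "outputs":[]},
 {"type":"function","name":"calc_withdraw_one_coin","stateMutability":"view",
  "inputs":[{"name":"_token_amount","type":"uint256"},{"name":"i","type":"int128"}],
  "outputs":[{"name":"","type":"uint256"}]}
]""")

NEW_ZAP_ABI = json.loads("""[
 {"type":"function","name":"add_liquidity","stateMutability":"nonpayable",
  "inputs":[{"name":"_amounts","type":"uint256[4]"},{"name":"_min_mint_amount","type":"uint256"}],
  "outputs":[{"name":"","type":"uint256"}]},
 {"type":"function","name":"remove_liquidity_one_coin","stateMutability":"nonpayable",
  "inputs":[{"name":"_token_amount","type":"uint256"},{"name":"i","type":"int128"},
            {"name":"_min_amount","type":"uint256"}],
  "outputs":[{"name":"","type":"uint256"}]},
 {"type":"function","name":"calc_withdraw_one_coin","stateMutability":"view",
  "inputs":[{"name":"_token_amount","type":"uint256"},{"name":"i","type":"int128"}],
  "outputs":[{"name":"","type":"uint256"}]}
]""")


if __name__ == "__main__":
    for name, (old, new) in diff_abis(OLD_ZAP_ABI, NEW_ZAP_ABI).items():
        print(f"{name}: old={old} new={new}")
```

In practice you would load the ABIs from the verified sources of the specific zap and pool addresses you intend to call and run the diff against the interface your own contract was compiled with; a non-empty report for a function you use means the call will either revert or decode garbage.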
MetaRegistry is essentially the ultimate aggregator of Curve pools on Ethereum mainnet. It is the best way to retrieve information about pools.
MetaRegistry aggregates pools of its child registries:
(1) StableRegistry — for StableSwap pools, created by Curve
(2) StableFactory — for user-created StableSwap pools
(3) CryptoRegistry — for CryptoSwap pools, created by Curve
(4) CryptoFactory — for user-created CryptoSwap pools
Each child registry is accompanied by a RegistryHandler contract, which in turn implements the MetaRegistry ABI and interacts with its corresponding registry (for example, CryptoFactoryHandler with the CryptoFactory registry). This makes integration easier, as you don't have to think about the edge cases of each registry.
MetaRegistry also knows about all pool types: meta, lending, StableSwap and CryptoSwap, user-created (factory) pools as well as pools created by Curve itself. It implements a set of useful getters, such as get_base_pool(pool), get_underlying_coins(pool), get_coins(pool), get_fees, etc.
The regular Registry contract has significantly fewer registered pools than MetaRegistry, so you should rely on the latter. You can find the addresses of the deployed registries here!
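One thing an integration has to get right with these getters is which coin indices to pass, and whether a pair is served by the pool's own coins or only through a meta pool's underlying coins. The following is an added example, not code from Curve or from this article: `MockMetaRegistry` imitates only the three getters named above (get_coins, get_underlying_coins, get_base_pool) over constructed token and pool addresses, and is assumed to return arrays padded with the zero address as fixed-size registry getters do; a real integration would issue the same getters as eth_calls to the deployed MetaRegistry. The `resolve_swap` helper and all addresses are assumptions. The underlying-coins case is the one that on a real pool needs exchange_underlying rather than exchange (a pool function not named on this page).

```python
"""Resolve swap indices through MetaRegistry-style getters.

Added example, not Curve's code. MockMetaRegistry imitates only
get_coins, get_underlying_coins and get_base_pool over constructed
addresses; arrays are assumed to come back padded with the zero address.
"""
ZERO = "0x" + "00" * 20

# Constructed addresses; not real tokens or pools.
DAI, USDC, USDT, LP3, FRAX = "0xDAI", "0xUSDC", "0xUSDT", "0x3CRV", "0xFRAX"
BASE_POOL, META_POOL = "0xBASEPOOL", "0xMETAPOOL"


class MockMetaRegistry:
    """Stand-in for the MetaRegistry getters used below."""

    def __init__(self):
        self._coins, self._underlying, self._base = {}, {}, {}

    @staticmethod
    def _pad(xs):
        return (list(xs) + [ZERO] * 8)[:8]   # mimic an address[8] return value

    def register(self, pool, coins, underlying=None, base_pool=ZERO):
        self._coins[pool] = self._pad(coins)
        self._underlying[pool] = self._pad(underlying or coins)
        self._base[pool] = base_pool

    def get_coins(self, pool):
        return self._coins[pool]

    def get_underlying_coins(self, pool):
        return self._underlying[pool]

    def get_base_pool(self, pool):
        return self._base[pool]


def resolve_swap(registry, pool, coin_from, coin_to):
    """Return (i, j, use_underlying) for swapping coin_from -> coin_to on pool.

    Direct pool coins are preferred; for a meta pool (non-zero base pool) the
    underlying coins are tried next. Raises if the pool cannot serve the
    pair, so a caller never sends guessed indices on-chain.
    """
    if coin_from == coin_to:
        raise ValueError("coin_from and coin_to are the same")
    coins = [c for c in registry.get_coins(pool) if c != ZERO]
    if coin_from in coins and coin_to in coins:
        return coins.index(coin_from), coins.index(coin_to), False
    if registry.get_base_pool(pool) != ZERO:
        under = [c for c in registry.get_underlying_coins(pool) if c != ZERO]
        if coin_from in under and coin_to in under:
            return under.index(coin_from), under.index(coin_to), True
    raise ValueError(f"pool {pool} does not serve {coin_from} -> {coin_to}")


def build_registry():
    """Constructed setup: a 3-coin base pool and a meta pool paired against its LP token."""
    reg = MockMetaRegistry()
    reg.register(BASE_POOL, [DAI, USDC, USDT])
    reg.register(META_POOL, [FRAX, LP3], underlying=[FRAX, DAI, USDC, USDT], base_pool=BASE_POOL)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    print(resolve_swap(reg, META_POOL, FRAX, USDC))   # underlying route through the base pool
```

Note that the lookup refuses rather than guesses: an index computed from the wrong coin list is a silent way to swap into the wrong asset, and a revert at resolution time is far cheaper than one discovered after funds have moved.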
We strongly advise you to review this list of fantastic tools and resources separately for a better understanding!
The following is a collection of resources that the author of this page spent more than an hour collecting and verifying, link by link:
We hope that this article was informative and useful for you! Thank you for reading!
What instruments should we review? What would you be interested in reading about?
Please leave your comments; we will be happy to answer them, and the best questions and answers may be included in the next article!