CurveV1 Integration Tips
0xB25C
December 6th, 2022

Greetings dear readers!

We continue our series of instructive posts with some special recommendations for developers using Curve.fi’s CurveV1 integration!

Wondering what is Curve.fi? Check out this resource, visit community-owned Curve’s blog on SubStackYouTube and official channels!

In short, this is one of the most used DeFi protocols; various Web3 teams utilize it to integrate it to their own projects, and if done incorrectly, it can lead to attacks and losses of user’s funds, which should never be allowed.

We understand and respect your limited time, therefore we created a specific cheat sheet with nothing superfluous only for you! Check it out!


I — Introduction

Looking at this month’s never-ending hacks, one wonders why they happen so frequently. Have audit firms actually gotten worse at what they do? This, in my opinion, is not the case; yet, the topic is rather tricky because you can, in certain ways, reduce the risks to yourself and your project!

When confronted with such an issue, the only thing left to do is address it logically — in other words, how can we affect this unfavorable situation?

Firstly, we might construct our metaphysical defense wall in such a way that it already responds to the ongoing attack. This concept is firmly associated with Threat Modeling.

By the way, we are working on such a solution within the team and hope to deliver it shortly!

Secondly, we can strive to construct a line of defense that will function even before the possible events, that is, create the code first and conduct all activities appropriately and safely. This is what we’ll cover in this post about using CurveV1 into your project!

In this article, we also present tips that we have acquired over the years of auditing such integrations, you will also find a list of tools and research for self-study, we strongly recommend that you read it separately for better understanding.

Read an original article via the link below:

First and foremost, we would like to express our heartfelt gratitude to the Curve.fi designers, everyone who supports it, the authors of all resource materials, and, of course, our in-team auditors who have assisted us by providing much-needed information and breaking the veil of secrecy!

Retrospective

I would also like to take this opportunity to thank the comrades of the LobsterDAO (this is the best chat in my list and Sov’s Compendium; Their Twitter), whose name came from Curve deployment during DeFi summer of 2020, read more about this story here and here.

I’d like to point out that the author of this post, your most humble servant, was astounded by how large the project has grown and that it began in the chat room where I happen to be an admin; It’s fantastic that history is becoming more tangible on Web3 these days!

Going back to our primary topic, this article will be focused only on those aspects that can be really useful for auditing and bug bounty hacking and that are not described anywhere. We can confidently say that such tips can be read publicly in a few places, and our blog is one of those places!

We also hope you find today’s article informative and helpful!

By the way, there are some vacant slots now so if your project needs an audit — feel free to write to us, visit our public reports page here.


II— We Recommend

Following the tips below can significantly improve the security of your integration:

  • It’s vital to keep in mind that component addresses (Swaps, Metapool factory, etc.) cannot be hardcoded; instead, you must always obtain them via an AddressProvider!

  • Registry.Swaps is a very gas-intensive component, in particular the functions get_best_rate and exchange_with_best_rate, therefore, you should not use them on-chain.

  • It is better to use Swaps.exchange in conjunction with Swaps.get_best_rate performed off-chain.

  • You can’t expect all the lending pools (and the corresponding DepositZaps contracts) to implement the same API. For example, there are old and new DepositZaps whose methods may differ in return values or argument types.

  • Also, the old lending pools (and their DepositZaps) do not implement some of the methods that the newer pools have (e.g. remove_liquidity_one_coin).

  • Try not to process Curve pools in a loop!

  • You also need to separately check ABI for each of the lending pools!

  • In both metapools and lending pools, swaps can be made in underlying tokens and wrapped versions (cTokens in a Compound pool). To swap underlying tokens use exchange_underlying!

Meta-Registry

MetaRegistry is essentially an ultimate aggregator of Curve pools on Ethereum main-net. It is the best way to retrieve information about pools.

MetaRegistry aggregates pools of its child registries:

  • (1) StableRegistry — for StableSwap pools, created by Curve

  • (2) StableFactory — for user-created StableSwap pools

  • (3) CryptoRegistry — for CryptoSwap pools, created by Curve

  • (4) CryptoFactory — for user-created CryptoSwap pools

Each of the child registries are accompanied by a RegistryHandler contract, which, in turn, implements the MetaRegistry ABI and interacts with its corresponding registry (for example, CryptoFactoryHandler with Crypto Factory Registry). This makes the integration process easier as you don’t have to think about edge cases of each registry.

MetaRegistry also knows about all pool types: meta, lending, stable-swap and crypto-swap, user-created (factory pools) as well as pools created by Curve itself. It implements a set of useful getters, such as: get_base_pool(pool), get_underlying_coins(pool), get_coins(pool), get_fees, etc.

Regular Registry contract has significantly less registered pools than MetaRegistry, so you should rely on the latter. You can find addresses of the deployed registries here!


III— Resources & Tools

We strongly advise you to review this list of fantastic tools and resources separately for a better understanding!

We understand and respect your limited time, therefore we created a specific cheat sheet with nothing superfluous for an easier access! Check it out!

The following is a collection of resources that the author of this page spent more than one hours collecting and verifying data link by link:


We hope that this article was informative and useful for you! Thank you for reading!

Check out our article with tips on gas optimization as well as other articles!

What instruments should we review? What would you be interested in reading about?

Please leave your comments, we will be happy to answer them, and the best answers and questions may be included in the next article!

Stay Safe!

Subscribe to Officer's Blog
Receive new entries directly to your inbox.
Collectors
View
#1
#2
#3
View collectors
This entry has been permanently stored on-chain and signed by its creator.
Author Address
0xB25C5E8fA1E53…9F6A66B786ED77A
Content Digest
83FZZWokJ63mewV…fgbo2ToM8IjL1fM