Ronin

An EVM blockchain crafted for developers building games with player-owned economies.

  • Start date: 16 Oct 2024
  • End date: 30 Oct 2024
  • Total awards: $50,000 in USDC
  • Duration: 14 days

Ronin audit details

  • Total Prize Pool: $50,000 in USDC
    • HM awards: $39,800 in USDC
    • QA awards: $1,700 in USDC
    • Judge awards: $4,800 in USDC
    • Scout awards: $500 in USDC
  • Read our guidelines for more details
  • Starts October 16, 2024 20:00 UTC
  • Ends October 30, 2024 20:00 UTC

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here.
The Slither outputs can be found here and here.

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

  • Centralization risk. Sky Mavis is responsible for maintaining the Katana V3 contracts and will be able to upgrade the contracts if necessary, as well as specify additional fee tiers.
  • All publicly known issues, including public audit reports of Uniswap V3, that affect Katana V3
  • If a liquidity pool (pair of tokens) is already open for liquidity provision on Katana V2, liquidity providers are expected to be able to migrate their liquidity to the corresponding pool on Katana V3 when it is created, without being restricted by the authorization function of the Governance.

Overview

Katana v3 is a decentralized exchange (DEX) protocol built on the foundations of Uniswap V3. It retains core features like concentrated liquidity, protocol fees, and the integrated price oracle mechanism. However, Katana v3 introduces key modifications to better align with specific project objectives.

Key Changes from Uniswap V3

  • Customizable Protocol Fee Tiers: Katana v3 allows for flexible fee structures with multiple protocol fee tiers, improving adaptability across different market conditions and asset types.
  • Authorized Protocol Actions: Certain actions within the protocol are managed more systematically through authorization, improving operational integrity and efficiency.
  • Feature Simplification: Unused features from Uniswap V3, such as NFT trading and protocol fee collection, were removed to streamline functionality and reduce complexity.

Links


Scope

Files in scope

File | Code
katana-v3-contracts/src/core/KatanaV3Pool.sol | 566
katana-v3-contracts/src/periphery/NonfungiblePositionManager.sol | 320
katana-operation-contracts/src/governance/KatanaGovernance.sol | 227
katana-operation-contracts/src/aggregate-router/base/Dispatcher.sol | 176
katana-v3-contracts/src/periphery/lens/MixedRouteQuoterV1.sol | 150
katana-operation-contracts/src/aggregate-router/modules/katana/v3/V3SwapRouter.sol | 126
katana-v3-contracts/src/periphery/NonfungibleTokenPositionDescriptor.sol | 91
katana-v3-contracts/src/periphery/V3Migrator.sol | 85
katana-v3-contracts/src/core/KatanaV3Factory.sol | 77
katana-operation-contracts/src/aggregate-router/modules/Payments.sol | 73
katana-operation-contracts/src/aggregate-router/modules/katana/v2/V2SwapRouter.sol | 71
katana-v3-contracts/src/periphery/libraries/KatanaV2Library.sol | 71
katana-v3-contracts/src/periphery/libraries/KatanaV2LibraryTestnet.sol | 71
katana-operation-contracts/src/aggregate-router/AggregateRouter.sol | 49
katana-v3-contracts/src/core/interfaces/pool/IKatanaV3PoolEvents.sol | 49
katana-v3-contracts/src/core/interfaces/pool/IKatanaV3PoolState.sol | 47
katana-v3-contracts/src/periphery/interfaces/IKatanaV2Pair.sol | 44
katana-v3-contracts/src/external/interfaces/IKatanaGovernance.sol | 43
katana-v3-contracts/src/periphery/interfaces/IMixedRouteQuoterV1.sol | 28
katana-v3-contracts/src/periphery/base/PoolInitializer.sol | 27
katana-v3-contracts/src/periphery/libraries/PoolAddress.sol | 26
katana-v3-contracts/src/core/KatanaV3PoolDeployer.sol | 25
katana-operation-contracts/src/aggregate-router/modules/katana/KatanaImmutables.sol | 22
katana-operation-contracts/src/aggregate-router/libraries/Commands.sol | 20
katana-v3-contracts/src/core/interfaces/IKatanaV3Factory.sol | 19
katana-operation-contracts/src/governance/interfaces/IKatanaV2Factory.sol | 16
katana-v3-contracts/src/core/KatanaV3PoolProxy.sol | 16
katana-operation-contracts/src/aggregate-router/modules/PaymentsImmutables.sol | 15
katana-v3-contracts/src/core/interfaces/IKatanaV3Pool.sol | 13
katana-v3-contracts/src/core/interfaces/pool/IKatanaV3PoolImmutables.sol | 13
katana-v3-contracts/src/periphery/base/PeripheryImmutableState.sol | 13
katana-operation-contracts/src/aggregate-router/base/RouterImmutables.sol | 10
katana-v3-contracts/src/external/libraries/AuthorizationLib.sol | 10
katana-v3-contracts/src/core/KatanaV3PoolBeacon.sol | 9
katana-v3-contracts/src/core/interfaces/IKatanaV3PoolDeployer.sol | 8
katana-v3-contracts/src/periphery/interfaces/IPeripheryImmutableState.sol | 6
katana-v3-contracts/src/core/interfaces/IKatanaV3PoolBeaconImmutables.sol | 5
SUM | 2637

If you discover a bug in any contract or library outside of the files listed above that impacts the following contracts, we will consider the issue valid:

  • KatanaGovernance
  • AggregateRouter
  • KatanaV3Factory
  • NonfungiblePositionManager
  • V3Migrator
  • KatanaV3PoolBeacon
  • KatanaV3Pool

The KatanaGovernance, KatanaV3Factory and NonfungiblePositionManager contracts are deployed behind a transparent proxy.

All vulnerabilities in the KatanaGovernance contract that do not affect user funds will have their severity downgraded by one level.

Priority files

katana-v3-contracts:

src/core/KatanaV3PoolProxy.sol
src/core/KatanaV3Pool.sol
src/core/KatanaV3Factory.sol
src/periphery/NonfungiblePositionManager.sol
src/periphery/V3Migrator.sol

katana-operation-contracts:

src/aggregate-router/AggregateRouter.sol
src/aggregate-router/modules/katana/v2/V2SwapRouter.sol
src/aggregate-router/modules/katana/v3/V3SwapRouter.sol

Files out of scope

These files are explicitly out of scope:

katana-v3-contracts/src/periphery/SwapRouter.sol
katana-v3-contracts/src/periphery/examples/PairFlash.sol
katana-v3-contracts/src/periphery/libraries/KatanaV2LibraryTestnet.sol
katana-v3-contracts/src/periphery/lens/MixedRouteQuoterV1Testnet.sol

Scoping Q & A

General questions

Question | Answer
ERC20 used by the protocol | Any (all possible ERC20s)
ERC721 used by the protocol | N/A
ERC777 used by the protocol | N/A
ERC1155 used by the protocol | N/A
Chains the protocol will be deployed on | Ronin

ERC20 token behaviors in scope

External integrations (e.g., Uniswap) behavior in scope

Question | Answer
Enabling/disabling fees (e.g. Blur disables/enables fees) | Yes
Pausability (e.g. Uniswap pool gets paused) | Yes
Upgradeability (e.g. Uniswap gets upgraded) | Yes

EIP compliance checklist

N/A

Additional context

Main invariants

  • Users can remove the liquidity they provided
  • Only the owner can add fee tiers and enable the flash loan feature
  • Protocol fees are transferred directly to the treasury; no separate fee-collecting operation is needed

Attack ideas (where to focus for bugs)

  • Funds blocking
  • Stealing of funds
  • Protocol insolvency
  • Fee distribution logic
  • Access control on pool contract
  • Contract upgradability patterns

All trusted roles in the protocol

Role
Proxy Admin
Governance Owner
Beacon Owner
Factory Owner (i.e. the Governance contract)

Describe any novel or unique curve logic or mathematical models implemented in the contracts

N/A

Assumptions

Like Uniswap V3, Katana V3 was developed under the following assumptions, so any reported bug must also hold under these assumptions to be valid:

  • The total supply of any token does not exceed 2^128 - 1, i.e. type(uint128).max.
  • The transfer and transferFrom methods of any token strictly decrease the balance of the token sender by the transfer amount and increase the balance of the token recipient by the transfer amount, i.e. fee-on-transfer tokens are excluded.
  • The token balance of an address can only change due to a call to transfer by the sender or transferFrom by an approved address, i.e. rebase tokens and interest-bearing tokens are excluded.
  • If a liquidity pool (pair of tokens) is already open for liquidity provision on Katana V2, liquidity providers are expected to be able to migrate their liquidity to the corresponding pool on Katana V3 when it is created, without being restricted by the authorization function of the Governance.
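The three token assumptions above decide whether a finding is in scope, so it is worth being able to check them mechanically before a token is paired in a pool. The following Foundry test is an added example written for this page; it is not code from the Katana V3 repositories. It assumes forge-std is available (as it is after the `forge build` steps below), and the contract names `TokenAssumptionChecker`, `MockToken`, `IMinimalERC20` and the recipient address are all constructed for the example. The checker performs one real transfer and verifies that the total supply fits in uint128, that `transfer` returns true, and that the sender's and recipient's balances move by exactly the transferred amount; the mock token is run once as a plain ERC20 and once as a fee-on-transfer token to show the assumption holding and being violated.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal ERC20 surface the check relies on (assumption: the token exposes
// these three standard functions).
interface IMinimalERC20 {
    function totalSupply() external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical pre-flight checker (example code, not part of Katana V3).
/// For a single transfer it verifies the assumptions listed above:
/// supply fits in uint128, transfer returns true, and sender/recipient
/// balances change by exactly `amount`.
contract TokenAssumptionChecker {
    /// The checker must hold at least `amount` of `token` before the call.
    function check(IMinimalERC20 token, address to, uint256 amount)
        external
        returns (bool ok, string memory reason)
    {
        if (token.totalSupply() > type(uint128).max) {
            return (false, "total supply exceeds type(uint128).max");
        }
        uint256 senderBefore = token.balanceOf(address(this));
        uint256 recipientBefore = token.balanceOf(to);

        if (!token.transfer(to, amount)) {
            return (false, "transfer returned false");
        }
        if (token.balanceOf(address(this)) != senderBefore - amount) {
            return (false, "sender balance did not decrease by exactly amount");
        }
        if (token.balanceOf(to) != recipientBefore + amount) {
            return (false, "recipient balance did not increase by exactly amount");
        }
        return (true, "");
    }
}

/// Constructed mock token: feeBps == 0 behaves like a plain ERC20; feeBps > 0
/// burns a fee on every transfer, i.e. a fee-on-transfer token.
contract MockToken is IMinimalERC20 {
    uint256 public immutable feeBps;
    uint256 public override totalSupply;
    mapping(address => uint256) public override balanceOf;

    constructor(uint256 feeBps_) {
        feeBps = feeBps_;
    }

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        uint256 fee = (amount * feeBps) / 10_000;
        balanceOf[msg.sender] -= amount; // sender loses the full amount
        balanceOf[to] += amount - fee;   // recipient gets amount minus fee
        totalSupply -= fee;              // the fee is burned
        return true;
    }
}

contract TokenAssumptionTest is Test {
    address constant RECIPIENT = address(0xBEEF); // constructed address

    function _run(uint256 feeBps) internal returns (bool ok, string memory reason) {
        MockToken token = new MockToken(feeBps);
        TokenAssumptionChecker checker = new TokenAssumptionChecker();
        token.mint(address(checker), 1_000e18);
        return checker.check(token, RECIPIENT, 100e18);
    }

    function testPlainTokenSatisfiesAssumptions() public {
        (bool ok, ) = _run(0);
        assertTrue(ok);
    }

    function testFeeOnTransferTokenViolatesAssumptions() public {
        (bool ok, string memory reason) = _run(100); // 1% fee
        assertFalse(ok);
        assertEq(reason, "recipient balance did not increase by exactly amount");
    }
}
```

Run it with `forge test` from a project that has forge-std installed. The rebase and interest-bearing exclusion in the third assumption cannot be caught by a single transfer; it needs balances compared across blocks with no transfers in between, so treat a pass here as necessary but not sufficient.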

Testnet deploy

All contracts are deployed on the Saigon testnet. Note that these on-chain contracts are provided for testing purposes and are not considered in-scope assets.

Running tests

katana-v3-contracts:

git clone https://github.com/ronin-chain/katana-v3-contracts --recurse
cd katana-v3-contracts && git checkout release/v1.0.0
forge build

katana-operation-contracts:

git clone https://github.com/ronin-chain/katana-operation-contracts --recurse
cd katana-operation-contracts && git checkout release/v1.0.0
forge build

Miscellaneous

Employees of Sky Mavis / Ronin and employees' family members are ineligible to participate in this audit.

Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.