[Curve.fi-ETH-stETH] ERC20 Token Smart Contract Technical Assessment

General Information

Risk Summary

  • Does the contract implement the ERC20 token standards? Yes.
  • Risk analysis: HIGH.

Technical Information

  • Compiler version : vyper:0.2.8
  • Decimals : 18
  • Overflow checks : Yes. (Vyper comes with built-in integer overflow checks)
  • Mitigation against allowance race-condition : Yes. increaseAllowance, decreaseAllowance functions are implemented.
  • Upgradeable contract patterns : No.
  • Access control or restriction lists : Yes. set_name access restricted to StableSwapSTETH.owner and mint, burnFrom, set_minter access restricted to StableSwapSTETH

Formal Verification Considerations:

  • Does transfer have simple semantics? Yes.
  • Does transferFrom have simple semantics? Yes.
    • Can balances be arbitrarily modified by some actor? No.
  • Are there any external calls? No.

Testnet Information

N/A

Contract Logic Summary

Administrative Addresses

ownership_admin,future_ownership_admin:0x40907540d8a6c65c637785e8f8b742ae6b0b9968
parameter_admin,future_parameter_admin: 0x4eeb3ba4f221ca16ed4a0cc7254e2e32df948c5f
emergency_admin,future_emergency_admin: 0x467947ee34af926cf1dcac093870f613c96b1e0c

This is ERC20 compliant token with mint and burnFrom functions which are controlled by minter, an immutable contract, StableSwapSTETH, that has no logic to call set_minter, it can’t be changed, it also has a permissionless logic to add/remove liquidity. The set_name function, to set token name and symbol can be called only by the minter.owner, which is controlled by the listed admin addresses above.

Contract Risk Summary

This is a High Risk contract. The ERC20 functions are implemented to industry standard, there are built-in checks in Vyper to prevent over/underflows, and the contract is non-upgradeable. Curve Smart Contracts have been audited by Trail of Bits and Quantstamp. The Risk comes from the underlying tokens. ETH is safe, but stETH has centralized access controls. Overall the technical risk is derived from the risk of stETH.

Supporting Materials

Curve LP Token Tests

Steps to reproduce:

8 Likes