Quantum Set Dollar - Smart Contract Audit Report
Summary
Quantum Set Dollar is a new algorithmic stablecoin with an elastic supply, forked from ESD with some improvements.
We audited Quantum Set Dollar's contracts at commit 197d76f2e533626c039bf0923168648313e984c3 on GitHub. The contracts are also deployed to mainnet at the addresses below.
Audit Findings:
Bootstrapping Rewards:
- There is an inital bootstrapping period which will last 72 epochs (~4 hours each). For each epoch in this period, 108 QSD tokens shall be minted to the project team.
- From epoch 73 onward, the QSD tokens minted in each epoch shall be allocated to the QSG rewards contract.
- Users will be rewarded at a rate of .09 QSG per block and is paid out each epoch.
- When the oracle (Uniswap's TWAP) indicates the QSD price is below $1, users can to stake QSD tokens to generate expansion rewards as the price returns to its intended peg.
- Upon staking in the contract, users recieve a QSD-Stake token, representing their staked tokens in the pool.
- The stake token is issued along a bonding curve, depending on how much QSD has been staked and the supply of the stake token. The stake token is an ERC20 token which is also part of this contract.
- The Governance address (owner, essentially) has been properly set to the QSG contract.
- Note that the Implementation contract is used as a proxy to interact with the Root contract.
QSD (Dollar):- The supply of QSD is elastic. Therefore, when the price of QSD read from Uniswap's TWAP is above $1, a rebase will occur expanding the supply of the token.
- The rebase will occur every epoch (~4 hours) and can only increase the supply of the token if the peg (read from TWAP) exceedds $1.
- Users can stake their QSD tokens to earn rewards in both QSD and QSG tokens.
- The minter role for this contract has been set properly to the Bootstrapping rewards contract and ownership powers renounced.
QSG (Governance):- The QSG token acts as a governance token and can be used to interact with governance proposals.
- The total supply of the token is capped at 999,999,999 tokens and it is only provided as rewards for staking QSD tokens.
- Any token holder with more than the minimum tokens needed can offer up governance proposals.
- Users then vote on proposals over a time period defined by the owner and if the proposal passes the proposed transaction can be executed.
- Users also have the ability to stake their QSG tokens along and bonding curve to receive rewards in the form of QSD.
- The governance has substantial power in the ecosystem and can alter critical variables and access functions that could be used maliciously. Therefore, having governance tokens distributed fairly is critical.
- Governance features will not be available (though they are properly set) until the bootstrapping period of 72 epochs elapses.
- The minter role for this contract has been set properly to the Bootstrapping rewards contract and ownership powers renounced.
UniLpRewards:- This contract allows users to stake Uniswap LP tokens in order to earn rewards in QSG.
- The LP rewards are issued along a bonding curve, depending on how many tokens have been staked and the supply.
- The governance address can transfer any ERC20 tokens out of the contract and pause functionality.
Security Best Practices:- Uniswap's Time-Weighted Average Price (TWAP) implementation is used; which is resistant to manipulation by flash loans.
- Governance has been properly set to the QSG contract in all applicable locations.
- Utilization of SafeMath and SafeERC20 to prevent overflows and ensure safe transfers.
- The token properly follows the ERC20 standard.
Audit Findings Summary:- No security issues from outside attackers were identified.
- Governance must be and remain decentralized as the governance contract has substantial power in the ecosystem.
- Date: January 30th, 2021
Name | Address | Visualization |
| ||
| ||
| ||
| | |
| ||
| ||
|
External Threats - Audit Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Flash Loans | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Multiple Sends | N/A | PASS |
Oracles | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | PASS |