Yield Fi yUSD Rate Providers #252
Conversation
brunoguerios
changed the title
|
@brunoguerios I think we are supposed to also add info to registry for each new rate provider. Maybe we could eventually figure out how to rip the info from the .md review files and use a GHA to automate the |
| - [Protocol Audits](https://docs.yield.fi/resources/audits) | ||
|
|
||
| ## Context | ||
| This RateProvider is updated via the API3 product. It reports the exchangeRate of yUSD/USD on mainnet. It is read on mainnet and available as an Oracle on arbitrum. |
There was a problem hiding this comment.
I must say I'm not able to fully grasp this API3 data source, but I'm assuming it's a standard and I replicated the findings registered on the ezETH rate provider review.
Can you guys please confirm this is indeed the case?
There was a problem hiding this comment.
Hey Bruno. Gerally speaking whenever we first took a look at a new oracle rate provider, they were reviewed as part of the review. After that if the rate is a "direct" result of a oracle price provider, we have marked it as usable. This includes oracle such as:
- API3
- Chainlink
- Redstone
- Chronicle
There was a problem hiding this comment.
In cases like this, you can refer to the review already being done at review
| - admin address: [arbitrum:0x2AAE699ed04BBbD068f67a5b3C813eBB35f2c9E8](https://arbiscan.io/address/0x2AAE699ed04BBbD068f67a5b3C813eBB35f2c9E8) | ||
| - admin type: multisig | ||
| - multisig threshold/signers: 4/8 | ||
| - multisig timelock? NO |
There was a problem hiding this comment.
I couldn't find timelocks in the implementation, but if it's too relevant, it would be nice if you could double check.
There was a problem hiding this comment.
Not every system has them. They are helpful for the reader to have but not a requirement.
| - admin type: multisig | ||
| - multisig threshold/signers: 4/8 | ||
| - multisig timelock? NO | ||
| - trustworthy signers? NO |
There was a problem hiding this comment.
Should we go through signers to figure this out? Is there a registry of some sort?
There was a problem hiding this comment.
The signers section of the review can be removed (I will also remove it from the template)
There was a problem hiding this comment.
I just removed it from the current review and from the template ✅
| - [x] Price data is provided by an off-chain source (e.g., a Chainlink oracle, a multisig, or a network of nodes). | ||
| - source: API3. | ||
| - source address: The data is sourced from multiple so called "beacons" which are a set of nodes which provide the rate data to be aggregated by the `Api3ServerV1` [base:0x709944a48cAf83535e43471680fDA4905FB3920a](https://arbiscan.io/address/0x709944a48cAf83535e43471680fDA4905FB3920a) | ||
| - any protections? The rate is calculated as the median of all the rate data "fetched" from beacons. For more information about more protections see [api3 docs](https://docs.api3.org/reference/dapis/understand/deviations.html) and consult the `updateBeaconSetWithBeacons` & `updateOevProxyDataFeedWithSignedData` functions. |
There was a problem hiding this comment.
Same here about not fully grasping API3 and replicating ezETH findings. Please confirm 🙏
There was a problem hiding this comment.
Fine to leave it like this.
| **Summary judgment: SAFE** | ||
|
|
||
| This rate provider should work well with Balancer pools. API3 updates the rate on arbitrum regularly and has various protections in place to ensure the correct values are bridged accurately. |
There was a problem hiding this comment.
I find it weird that I just flagged the mainnet rate provider as unsafe and these ones derived from that as safe 😂
I mean, I couldn't find a direct link between them, but I'm assuming L2s rates are derived from L1 rates through API3.
There was a problem hiding this comment.
Reasonable to say. Let's wait for them to upgrade to multisigs. We need to take into account that our reviews are time-boxed. So we cannot investigate all the fine details as this is not an audit. It might be worth to share your experiences on proper time-boxing with John & Daniel as well.
rate-providers/registry.json
Outdated
| "0xa65ffBa1CD05414df3fD24Bf5dc319B47450Fbf4": { | ||
| "asset": "0x1CE7D9942ff78c328A4181b9F3826fEE6D845A97", | ||
| "name": "YieldFi yUSD Rate Provider", | ||
| "summary": "unsafe", |
There was a problem hiding this comment.
Let's wait for them to upgrade to multisigs, then we can merge this pr. Blocked until then I suggest.
There was a problem hiding this comment.
On a side note, should we start using usable/unusable in the registry as well?
If yes, maybe we should have a separate PR to make that a standard through all existing reviews and registry entries.
Close #225