Open Dollar audit details

  • Governor role can update the safeManager address in the NFV, which would break the protocol if ever set incorrectly or maliciously.


Open Dollar is a floating $1.00 pegged stablecoin backed by Liquid Staking Tokens with NFT controlled vaults. Built specifically for Arbitrum. As the majority of the codebase is built with (the already audited) GEB framework, the focus of this audit is to review the major changes Open Dollar has made to the framework around proxies, vaults, and the safe manager.

Open Dollar contracts are built using the GEB framework, which uses Collateralized Debt Positions (CDPs) to allow accounts to generate debt against deposited collateral.

Non Fungible Vaults (NFV)

NOTE: The terms "CDP", "vault", and "safe" are used interchangeably here. They all refer to a collateralized debt-position in the protocol.

Our modifications to the existing GEB framework include the addition of a Non-Fungible Vault (NFV) feature, which ties CDP ownership to a specific NFT, rather than using the traditional account-based ownership for CDPs. This approach creates a new defi primitive, enabling the development of novel marketplaces, and generating new opportunities for users. Vaults can be sold through existing NFT marketplaces, automations can sell user vaults to arbitrageurs without having to pay liquidation penalties, and existing NFT infrastructure can be used in new ways. With a more capital efficient market for liquidatable vaults there is less risk when creating leveraged positions.

Here's a quick intro video that might help you get started and understand some of the basics:

Docs & Resources

Protocol Diagram


IMPORTANT: The audit scope is based on our v.1.5.5-audit release

Our contracts are forked from hai-on-op/core at v0.1.2-rc.3. Since that code has already been audited, we suggest that Wardens focus on the changes we've made since then. For convenience, we created a Pull Request showing these changes here: open-dollar/od-contracts#187

Contract SLOC Purpose
contracts/AccountingEngine.sol 185 The AccountingEngine receives both system surplus and system debt. It covers deficits via debt auctions and disposes of surplus via auctions or transfers (to extraSurplusReceiver)
contracts/oracles/CamelotRelayer.sol 62 Used by Oracle Relayer to fetch the current market price of the system coin (OD) using a Camelot pool on Arbitrum network
contracts/factories/CamelotRelayerFactory.sol 23
contracts/factories/CamelotRelayerChild.sol 11
contracts/oracles/UniV3Relayer.sol 61 Potential alternative option to using CamelotRelayer.sol. Used by Oracle Relayer to fetch the current market price of the system coin (OD) using a Uniswap V3 pool on Arbitrum network
contracts/gov/ODGovernor.sol 86 The DAO-managed contract which can modify protocol parameters, eg. add new collateral types and change PID settings
contracts/proxies/ODProxy.sol 22 A more restrictive version of the DSProxy used by Maker Protocol, where the owner cannot be changed. The purpose of this is to ensure that only the Vault721 contract has the ability to transfer a safe.
contracts/proxies/Vault721.sol 106 Serves as the Proxy Registry, Proxy Factory, and the ERC721 "Non-fungible Vault". Manages all safe ownership, transfers, and approvals via the ERC721 standard. Tracks proxy ownership and deploys new proxies- when called directly, or when a safe is transferred to an account which does not have a proxy.
contracts/proxies/SAFEHandler.sol 7 Grants permission to the ODSafeManager to make modifications to a safe. A new SAFEHandler is deployed for each safe, whose address serves as a unique identifier within the SAFEEngine.
contracts/proxies/ODSafeManager.sol 167 A more restrictive Safe Manager, which only allows the Vault721 contract to move a safe. Also calls Vault721 mint when a new safe is created.
contracts/proxies/actions/BasicActions.sol 268

Total: 998 lines

Files to focus on

The Following contracts are where we have implemented the new NFV feature, and where we would like auditors to focus their attention:


All Open Zeppelin imports are from @openzeppelin/contracts v4.8.2


Out of scope

  • contracts/proxies/actions/GlobalSettlementActions.sol
  • contracts/proxies/actions/RewardedActions.sol
  • contracts/for-test/**/*.sol
  • contracts/interfaces/**/*.sol
  • contracts/libraries/**/*.sol
  • Tests, scripts, and anything not in src/contracts

Additional Context

Token Interactions

  • ODGovernor should count ERC-20 delegated votes as expected
  • Vault721 should adhere to ERC-721 standard, and token transfers should also transfer the safe ownership as expected

Blockchain network

Protocol will be deployed to Arbitrum One (ID: 42161)

Trusted roles


  • In Vault721, can call updateNftRenderer() to modify the contract used in creating the SVG image for the token URI
  • In Vault721, can call setSafeManager() to modify the address for the ODSafeManager.

Standard Implementation

  • Vault721: Should comply with ERC721

Attack ideas (Where to look for bugs)

  1. Create a smart contract that is able to receive an NFV without a proxy being deployed for it, eg. by calling transfer in a constructor, or other means.
  2. Mint debt against an NFV in the same transaction that it is transferred to someone else, allowing the attacker to mislead an NFV buyer about the value of the NFV being bought.
  3. Use reentrancy to trick the SafeManager into allowing your modifications to a safe you don't own.
  4. Break access-control by calling SafeManager directly without using the ODproxy.

Main invariants

  1. Only the owner of a particular NFV can ever mint debt against the corresponding safe.
  2. If the ERC-721 token from Vault721 is transferred, so too is the ownership and control of the corresponding safe. Meaning only the owner can transfer it or mint debt against it.
  3. Users must exclusively use the ODProxy to interact with their safes.
  4. When a fresh account, which has never interacted with the protocol, receives an NFV via ERC721 transfer, an ODProxy should always be deployed for them.
  5. ODProxy cannot be transferred or change owner.
  6. There is 1 safe for each ERC-721 token, and the safe ID always corresponds to the NFT ID.
  7. Proper Access Control ensures that transferring safes can only be performed using the Vault721 .
  8. A user only ever has a single ODProxy deployed for them.
  9. Only the governor role can set an external Renderer contract for the NFV's token URI.

Scoping Details

Clone open-dollar/od-contract

git clone

⚠️ IMPORTANT: Switch to the tag v1.5.5-audit. This is the specific release which is in-scope for the audit.

git checkout v1.5.5-audit

Install dependencies and compile


yarn build

Setup the environment:

cp .env.example .env

The only required variables for running tests are:


Forge tests

Run tests with foundry:

yarn test
yarn test:e2e

Deploy to local Anvil environment:

yarn deploy:anvil


slither .

Other Tips and Tricks 🍬

Here's some helpful tips for using the od-contracts repo effectively.

  1. Understand that the changes we have made are isolated from the rest of the internal accounting and SAFE engine. You do not need a full understanding of the SAFE engine to contribute to this audit. You may find it helpful to think of the SAFE engine as a black box.

  2. Units. GEB uses different units for various levels of precision.

Unit Meaning
WAD Number with 18 decimals (10^18)
RAY Number with 27 decimals (10^27)
RAD Number with 45 decimals (10^45)
  1. Most of the tests in our repo are for contracts in other parts of the system that are out of scope for this audit. But they might still be helpful in understanding how users are expected to interact with the contracts or coming up with ideas or patterns for potential attacks.

  2. The primary entry point for users into the rest of the protocol is through their ODProxy which is used to execute proxy actions. Except when the user does not have a proxy and is making one for the first time.

  3. We're on your team! If you have questions, ask the Open Dollar devs for help. Seriously, don't be a stranger.