This repository is for the audit competition for the Intuition. To participate, submit your findings only by using the on-chain submission process on https://app.hats.finance/vulnerability .
- follow the instructions on https://app.hats.finance/
We look forward to seeing your findings.
Intuition is an Ethereum-based attestation protocol harnessing the wisdom of the crowds to create an open knowledge and reputation graph. Our infrastructure makes it easy for applications and their users to capture, explore, and curate verifiable data. We’ve prioritized making developer integrations easy and have implemented incentive structures that prioritize ‘useful’ data and discourage spam.
In bringing this new data layer to the decentralized web, we’re opening the flood gates to countless new use cases that we believe will kick off a consumer application boom.
The Intuition Knowledge Graph will be recognized as an organic flywheel, where the more developers that implement it, the more valuable the data it houses becomes.
The main branches we use are:
- main (default): The most up-to-date branch, containing the work-in-progress code for upcoming releases
- tob-audit: The snapshot of the code that was audited by Trail of Bits in March and April 2024
To get a basic understanding of the Intuition protocol, please check out the following:
- Share prices may get arbitrarily large as deposits/withdraws occur after Vault asset and share amounts approach 0 (i.e. if all users have withdrawn from the Vault), but this still elegantly achieves our desired functionality - which is, Users earn fee revenue when they are shareholders of a vault and deposit/redeem activities occur while they remain shareholders. This novel share price mechanism is used in lieu of a side-pocket reward pool for gas efficiency.
- The Admin can pause the contracts, though there is an emergency withdraw that allows users to withdraw from the contract even while paused. This emergency withdraw bypasses all fees, to reduce the surface area of attack.
- Exit fees are configurable, but have a maximum limit which they can be set to, preventing loss of user funds. Users also have the timelock window to withdraw from the contracts if they do not agree with a parameter change.
To build the project and run tests, follow these steps:
$ npm i
$ forge install$ forge build$ forge test -vvvTo deploy the v1 smart contract system on to a public testnet or mainnet, you’ll need the following:
- RPC URL of the network that you’re trying to deploy to (as for us, we’re targeting Base Sepolia testnet as our target chain for the testnet deployments)
- Export
PRIVATE_KEYof a deployer account in the terminal, and fund it with some test ETH to be able to cover the gas fees for the smart contract deployments - For Base Sepolia, there is a reliable testnet faucet deployed by Alchemy
- Deploy smart contracts using the following command:
$ forge script script/Deploy.s.sol --broadcast --rpc-url <your_rpc_url> --private-key $PRIVATE_KEYTo verify the deployed smart contracts on Basescan, you’ll need to export your Basescan API key as ETHERSCAN_API_KEY in the terminal, and then run the following command:
$ forge verify-contract <0x_contract_address> ContractName --watch --chain-id <chain_id>Notes:
- When verifying your smart contracts, you can use an optional parameter
--constructor-argsto pass the constructor arguments of the smart contract in the ABI-encoded format - The chain ID for Base Sepolia is
84532, whereas the chain ID for Base Mainnet is8453
| Name | Proxy | Implementation | Notes |
|---|---|---|---|
AtomWallet |
0x69eaaae77Fb6be0D3c423fe5e5A982d53a1C8CBc |
0xDF0d74A6325082b9E6041e4A5F8a6d52E0e8de46 |
AtomWalletBeacon: BeaconProxy Atom Wallets: UpgradeableBeacon |
EthMultiVault |
0x61200E985eF40c676b58Ac42012Fa924981d88FB |
0x43eF3B52BE0DDD1112E87d0ea492d9eF38786659 |
Proxy: TUP@5.0.2 |
ProxyAdmin |
- | 0x8e2b6ad9B28d5e239EE779814b23d4766A9a3600 |
Used for upgrading EthMultiVault proxy contract |
TimelockController |
- | 0xd75B08Ff002BE0B1ce43A91aE6Eabf5Ef04ec8ab |
Owner of the ProxyAdmin and AtomWalletBeacon |