maysters981/2023-06-bond

Bond Options contest details

• Join Sherlock Discord
• Submit findings using the issue page in your private contest repo (label issues as med or high)
• Read for more details

Q&A

Q: On what chains are the smart contracts going to be deployed?

Mainnet, Arbitrum, Optimism

---

Q: Which ERC20 tokens do you expect will interact with the smart contracts?

Any. Must conform to ERC20 metadata with string memory name, string memory symbol, uint8 decimals variables.

---

Q: Which ERC721 tokens do you expect will interact with the smart contracts?

None

---

Q: Which ERC777 tokens do you expect will interact with the smart contracts?

None

---

Q: Are there any FEE-ON-TRANSFER tokens interacting with the smart contracts?

No. Fee-on-transfer tokens are not supported.

---

Q: Are there any REBASING tokens interacting with the smart contracts?

No. Rebasing tokens are not supported.

---

Q: Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?

TRUSTED

---

Q: Is the admin/owner of the protocol/contracts TRUSTED or RESTRICTED?

TRUSTED

---

Q: Are there any additional protocol roles? If yes, please explain in detail:

The Option Teller has permissioned functions that are controlled by the Bond Protocol RolesAuthority contract. The Bond Protocol MS is the only permissioned contract on the authority.

---

Q: Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?

Option Token is expected to conform to ERC-20.

---

Q: Please list any known issues/acceptable risks that should not result in a valid finding.

None.

---

Q: Please provide links to previous audits (if any).

These contracts have not been audited previously. Several library contracts which are used here were used in the previously audited Bond Protocol systems (Clones, FullMath, TransferHelper). Additionally, the design of the Option Teller is similar to the Bond Protocol Fixed Expiry Teller which has been audited.

• Sherlock Audit Update 03/2023
• Sherlock Audit 11/2022
• Zellic Audit 11/2022

---

Q: Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?

None.

---

Q: In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.

Yes. The only potential external integration are oracle price feeds. Validation and handling of outages must be done in the user's IBondOracle implementation. Examples have been provided or them at https://github.com/Bond-Protocol/issuer-contracts.

---

Q: Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?

The protocol is permissionless. Fee-on-transfer is explicitly prohibited in the code. Our documentation will reflect that rebasing tokens and tokens without string metadata are not supported. Odd decimal values are supported, though could result in precision loss.

---

Q: Add links to relevant protocol resources

https://docs.bondprotocol.finance

---

Audit scope

options @ 817c62b24a8447870bdf4a618a3bc240f4cc86e3

• options/src/bases/OptionToken.sol
• options/src/fixed-strike/FixedStrikeOptionTeller.sol
• options/src/fixed-strike/FixedStrikeOptionToken.sol
• options/src/fixed-strike/liquidity-mining/OTLM.sol
• options/src/fixed-strike/liquidity-mining/OTLMFactory.sol
• options/src/periphery/TokenAllowlist.sol