Yearn V1 Code Review - Solidity Code Review

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

all right this seems like a live how you guys doing i'm alex the entrepreneur thank you for being live with me in this live stream i'm actually going to go over the wiring code specific algo over wire and v1 which is uh not necessarily the uh most up-to-date defy application however it's a great uh starting point to do a code review and to just learn solidity and learn how that works so um if you have any questions for me i'll be reading the chat right there and i'll just go over that i'm doing this experiment to see if there's any interest hey nia's how you doing great glad to have you here and again if you have any questions let me know but uh i'm doing this for educational purposes i am not invested in wiring and i thought it was a good idea to uh just uh cover it because uh you may have heard the noise related to ethereum d5 development and uh as such i'm gonna start by sharing my screen i'm gonna read all of your questions and answer them and again i'm going to go over uh wire and v1 which you can access on github.com slash wire and slash wiring protocol and the reason why i'll go over v1 is because all of the code is in one repo and um a friend of mine colleague of mine uh tom actually uh taught me most of the code so i have to give him a credits for that and uh as such i can actually make an entertaining argument again if you have any questions let me know if you're developing your own solidity project uh just send me the code in the chat and i'll be happy to check that out i'm gonna go in the contracts folder i'm also seeing that there's an inter interface folder both of these are fairly interesting we have um let's see what we have for interfaces basically for interfaces we're going to have uh all of the external smart contracts that wire will be interacting with and for context if you want to find the v1 version you can go on v1.wire.finance and um that way you have an understanding of what uh the product looks like and i'm going under the vaults section to um just show what it is so this was uh literally the catalyst of uh defy summer of last year so uh i just think it's a great idea to cover this before jumping into more advanced uh concepts obviously there's a wiring v2 now so if you wanna uh check that out uh this is the most recent version however this is way more advanced way more complicated and uh it takes a while to wrap your head around it so again we have this interface folder which simply goes to uh show the way for us to interact with other protocols i'm going to open the compound token.sol randomly just to show one and we can see that this is just interfaces which is a way to specify how to interact with the rest of the code i would love if uh there was an easier way to uh just import code from under uh github repos without having to copy paste all of this as uh when you actually start developing in solidity you actually end up like the simplest decision is always to just copy paste but that means that um we have all these uh you know additional code which is not particularly um particularly useful uh thank you man uh yeah i do have a beard and i'd also have a barber that uh takes care of it uh once every couple of months so thank you for the compliment and uh yeah basically in terms of interfaces we just have ways to interface with other different protocols and that's because if you don't know it iron is a basically a tool uh or a set of smart contracts that automates yield farming which means that you put your uh cryptocurrencies such as ifuf or dye into this vault and then what the vault does it is uses strategies to invest these currencies into other smart contracts as if you look at the interfaces you can assume that it's going to invest into ave compound cream curve deforest maker uniswap and what uh in itself i guess and uh it's gonna do that again to automate yield if you're not familiar with any of these protocols uh drop a comment in the uh in the chat or in the uh comments and maybe i'll also cover those i thought uh you know this was like an interesting application of these ideas but if you're completely unfamiliar with ave or compound you can literally just google them and you'll find that these are uh decentralized lending platforms which basically means that you can take again your currency the iusd et cetera and basically they will land them automatically for you and they will share uh the the yield with you and you can see that the yield is going insane today because um because i'm in the amm market actually but uh avi is actually going to incentivize more deposits so you'll see that the numbers will go insane uh how to make a coin like safe moon i love that question and if you stick around for a few more minutes i'll actually talk about safe moon i think it's a hilarious uh project with 400 000 twitter followers that's that's just that has to be like the most uh hilarious uh you know outcome but uh yeah i wouldn't put uh a dime into that project even if they paid me uh to to do that and that said this is compound compound is uh another landing platform you can click on markets and see the available currencies and basically again you can just put your uh current cryptocurrencies into compound it will land it for you it will earn an interest and give you that interest now something interesting that you'll see here is that each market has a uh percentage it gives you a supply api which means that it's an interest rate that you get for just putting your dollars here and then you have a distribution api which is the percentage you get from uh it's basically the extra value that you get in compound token which means that you get paid in a different token from the one you put in and you specifically get paid back with this compound token which fundamentally if you go in governance you'll see it but fundamentally it allows you to uh basically vote on uh the future of the protocol uh through what is called a um i guess through uh because uh compound is now a dial which means that it's a decentralized autonomous organization and that means that owning the token means that you own a part of the protocol basically as such you can vote on its future so that's the point of the token but uh for uh those uh financially savvy uh the token is also another way to get more money basically and as such there are tools such as iron which will auto invest those uh for you uh again in a few minutes i'll talk about safe moon we'll actually read the source code uh and i guess we'll talk about it but uh i want to make make sure that you guys understand that um for some people the compound token is a voting token and as such it's a tool that allows you to decide the future of the protocol it allows you to interact with the developers and have a say in the protocol and for other people it's a speculative asset and uh they will just get the token and sell it back as a way to have more dollars and so uh that's basically what wiring will do and so i guess that leads us into why we have the interface here for token and it also leads us to why we have an interface for uni swap here and uh the reason is because once you get your compound token you're gonna swap exact tokens for tokens which is the act of taking your let's say compound taking your compound token swapping it into a usdc for example and as such earning uh that extra usdc which you can now use to earn more compound something else that you want to learn about is the fact that if you look in the markets let me see if there's the uh distribution ui for it but fundamentally uh since these uh markets are subsidized by the compound token this means that there are situations in which borrowing a currency borrowing a usdc for example will actually pay you back in compound token so that means there are situations in which it's worth it for you to to low take a loan in order to get more compound token this is something that i've read from uh arbing sam so i want to give the credits uh you can check this blog called samprasy.com which talks about this idea so this guy's genius guy in the act of uh finding uh arbitrage opportunities and this is called basically a uh i guess a yield arbitrage but what it means is that um if you pay attention to these numbers you may actually find a situation where borrowing has in this case he has a 3.7 percent rate which means you pay 3.79 to borrow but you may actually find that sometimes you'll find a negative rate which means that you actually are being paid let me see if we find one but basically you're being paid to there you go you're being paid to borrow a compound token you get paid 7.27 which means that the act of taking a loan of the compound token effectively pays you in uh this compound token so if you value the compound token or you want to convert it to usdc you would actually have an incentive to just borrow that out and uh take that interest off of it now obviously you have to factor in gas you have to factor in a lot of stuff and again that's why the tools such as wiring even exist it's literally because they will automate this process for you and they will bulk those transactions so now that i'm gonna dive deeper in the code hopefully you have an understanding for why wiring exists and what it actually does and again we're looking at b1 because it's much simpler i am uh more equipped to talk about it and um it just uh there's all of the learnings are here and maybe we'll look at v2 later and uh if you're interested in me talking about safe mode early and i we got a second person commenting about safe moon i guess i'll jump into the safe moon at the battle first but otherwise i'll just get started and i'll start with vaults these are going to be our free keywords for wiring vaults controllers and strategies those are the three keywords you want to keep in mind and a vault is the place in which you deposit so in this case you can see the vault here this is the place which will do a deposit then you will have a controller which will manage the assets of the vault and lastly you have a strategy which is a set of actions that the controller will take in order to get that yield so i'm going to go in volts and uh we have uh three volts currently y delegated we actually four curve vault y delegated vault y volt and y uh volt so if we look at this we see the if volt which is actually this one uh we have the y uh vault which will be this one then we have the curve vault which i'm not seeing perhaps there are no balances in it yeah so basically we have all of these vaults and um we're just we're just gonna talk about one because the the source code is gonna be very similar so i'm gonna open the y left vault and we can do a quick comparison to see if there's any quick difference between the two vaults although it really doesn't seem to have basically it seems to just be more complicated because we are dealing with wef and if and if you're not aware uh if is the uh the way you pay gas the way you pay for transactions in uh the ethereum blockchain and web is the wrapped version of if which basically means that it's the erc20 version of if and the reason why you would need the erc20 version is because developers will have to write specific code to endless while all of the code that handles the erc20 will be the same for any erc20 basically that means that anytime you have to support actively support eve you have to work twice as much for very little benefit uh while uh you would be just better off wrapping that if in the first place so let's look at this um let's actually just look at the y volt which should be the die vault and which is going to be simpler it basically uses a erc20 and allows to deposit we see that we're using safehere c20 where the safety anytime you see this stuff by the way especially when you see this open zeppelin uh up here that means that if you literally google open zeppelin and in this case you will google safehrc20 you will find the documentation for it from the uh from the open zeppelin docs where opens that palin uh i'm not sure who financed it but it's basically is an open source collective of uh contracts that uh basically defined standards so anytime you see a contract written by open zeppelin you can trust it by default and anytime you see a contract that is not written by opensupply you probably will have to read it line by line that said you should also read the uh opens up in contracts but uh they basically paved the way uh in uh writing these contracts and so the main difference between the year c20 and the savior c20 as we can see here is that uh the savior c20 will throw on failure so a normal erc20 may perform an operation let's say send a transfer and approve and uh that operation may fail and that operation may simply return false and that means that uh unless you're checking for the outcome of that operation your contract may continue executing and if you ever written anything in solidity you know that um you would rather have the contract revert because otherwise you're bound to lose money and the simplest example i can give you is that if you have a c in your c20 operation and then you have an operation where you are let's say i'm sending you some money then the fact that the year c20 operation doesn't fail and it doesn't revert will mean that somebody can just literally just press a button and take all of my money uh systematically so that's why you will use the safehrc20 and uh basically uh you get that behavior without having to really uh think about it like it just makes your life so much easier so again save your c20 that's why it is and opens applying again you can check it out and basically make sure so much easier we also have address for address if i'm not mistaken it's a way to verify we'll see it later but it's a way to verify uh uh addresses and to check if they're a contract it's basically a set of utilities related to addresses and then we have the safe math which fundamentally uh ensures that uh you don't get overflows and that's because uh like if you look at any number any digit in um solidity you see that we don't have decimals and um that also means that if you subtract a number um with a high enough number you'll actually go uh you would expect to go in the negative but what would you would actually happen is you would overflow and the act of overflowing uh basically will throw off your math and uh if you ever played the uh gta 5 uh that's all that also explains why the maximum amount of money you can have is something like 2 to the power 32 and that's because if you add an extra digit you're just gonna lose all of your money next up we have an erc20 public token we don't know what that is we'll figure it out we have a min and a max we can see that it's nine five zero zero and this is ten thousand and i uh know that this is used to have a something like a 95 percent we'll figure it out in a second we then have a address related to governance and then we have another address related to the controller we have our constructor which receives a token and a controller and then it calls a constructor which has been brought by again the open zeppelin contract which we'll call erc20 detail specifying the um token name we basically will specify a name prefixed by wire with a space and then he will set the token symbol to a token symbol with a y and uh if i know uh at this point i'm assuming that token is going to be the address yeah the address of an actual token that exists such as usdc die etc so this is a way for you to programmatically fetch the data from that token because we are casting this is that the act of type explicit type casting of the erc20 detailed type onto the underscore token uh address on the token address and then we're getting the name property here so that's what's happening here and lastly we also get the decimal so fundamentally the token we have we're creating here when we set up the y vault will have the same amount of decimals as the uh its counterparty as erc20 counterparty and it will then have a symbol that is very similar and prefixed by a y uh let's see what else we do we assign the token to ierc20 of underscore token and that's because the token up here is a uh erc20 so um yeah this is done through a public however if you're gonna be doing this in a newer version of solidity something like 0.7 or 0.8 you could actually use the immutable keyword which ensures that this token can never change i don't believe that's a security vulnerability unless there's actually a situation in which the token gets changed but again it just would make an auditor safer to have an immutable token next up we have governance and it's set to message.sender this is literally how the majority of rug pools are done so you we definitely want to check where the governance goes later because this means that the owner of the contract is the person that created it which is completely fine as the starting point but if you are uh if the the the protocol is suggesting that they're gonna do a uh dow they're gonna decentralize they're gonna issue a difference type of governance uh this is basically a classic attack vector uh because you know the one person that owns that contract is the one person that uh can do anything and if i'm not mistaken that was at the time that was a multi-sig with nine signers and you can find that in the docs as well next up we have the controller the controller is being set to a specific address so that means that this y vault will be deployed after the controller is deployed let's keep that in mind but let's also continue we now have a balance function which basically will get the balance of the token and then it will add the balance of the controller we can see here dot add eye controller controller of balance address token so something that is particular here is that for some reason uh i'm assuming under but the developer decided to set the token to be a erc20 basically they casted it to the specific contract type while uh they didn't decide to cast the controller i'm not sure if they ever will use the controller as an address but that's something that is uh you know it's just a particular styling uh coding convention but basically uh it's also very flexible though because that means that anytime you need the address you will just use the controller variable and anytime you need the contract you will just cast the uh contract uh like so next up we have set mein which can only be done by the governance and this is uh an indicator of some sort of boundaries and checks that's not a bad thing uh i believe that um a safer and even safer approach to this would be to also have a time lock contract which means that anytime you want to make a change you have to wait some time but this will basically set this mean variable which we'll see what it does then we have the governance this is the act of uh proactively losing access to the governance or uh giving it to somebody else this is one of the most dangerous uh operation because if the owner of the contract sends the uh ownership of the contract to somebody else then that person may be able to withdraw changed variables etc etc and the act of burning your keys is the act of setting the governance to the address zero uh that's how you burn your keys if you set that to zero nobody can ever access that code unless you know you crack all of cryptography in which case you will be concerned with that not so much with losing access to this uh contract next up we have set controller which again is ruled by governance and you simply set the controller to a different address here we have available and we also have a comment custom logic in here for how much the vault allows to be borrowed sets minimum required on hand to keep small withdrawals cheap and so that's something that uh if you uh followed under crony's work you'll actually uh hear about that i think in the ftx podcast i'm not sure if the second or the third podcast talks about this idea and the idea is that by having a float by having an amount of um currency that is not invested you can make it so that uh small investors can withdraw without having to go inside of all the pipes and withdraw all the stuff from the other protocols and so that just makes it really cheap and it's uh just a nice thing to do for the small cap investor considering that gas is already very expensive so that's basically going to check available and set and it will basically multiply to mean by max and again we saw that max is 10 000 and we saw that min is 9500 so to to you as the developer this is how you do percentages you just do thousand and ninety ninety five hundred or you can do uh in this case you could cut a zero although i believe uh i believe ave will do uh uh one thousand and nine hundred fifty while wiring adds an extra zero there is no difference just something that i've noticed by reading their contracts and uh you always multiply first that's something that um tom reminded me um shout out to tom uh if he ever wants to do a live with me i'll uh i'd be happy to have him but basically you always multiply first and you divide later because if you ever divide first you may actually end up rounding out stuff or you may literally uh underflow or just uh ruin your math so that's why you always multiply first in solidity next up we have a function called earn let's see what it does it's gonna get the balance here it's then going to call safe transfer uh to the controller it's basically gonna send funds from the vault to the controller and it's then gonna call the earn function on the controller so this basically gives us a clue as to the fact that this is a vault and this is literally just a place where you put your cryptocurrency in but then we have a controller which will do uh the heavy lifting so we'll we'll have to definitely check this in the controller code at a later time next up we have deposit all deposit all is going to deposit the balance of the message.sender so oh this seems to be like a utility to deposit everything in a normal ui we'll just type max and then input that uh i'm not sure why uh this is here but that's okay it's not not hurtful or dangerous at all next up we have deposit and actually let me see deposit okay so this deposit all is calling deposit which is this function and it's uh on the message.sender balance okay so now we have the function deposit and as you can see some stuff is happening it's not simply minting shares and uh leaving it like that let's see what happens we see the balance here uh which we already checked did we actually not sure balance there we go yeah we checked balance which is equal to all of our balance in here plus the balance on the controller then we check b4 we've token the balance of address it is so we get the balance of this contract then we do a token uh we do a safe transfer from the person requesting the deposit to the contract for the amount specified and then we check the after the after is equal to token the balance of others this so basically we just get the balance after the deposit we have before before the deposit after after deposit and amount is equal to after minus before so okay so okay so basically and i'm actually not sure about the security implications of why you will do it this way maybe there's something else here but basically all we did is we deposited and we uh got the amount that we deposited by a subtraction instead of just uh trusting this amount value we're not trusting this amount value we're actually doing it through the subtraction next up we got shares set to zero if total supply is equal to zero where total supply is a function that is already given um to you by um the open zeppelin uh code and basically tells you all of the amount of uh of your erc20 that you have and it says that if it's equal to zero then shares are going to be equal to amount so there's gonna be a one-to-one ratio between the shares and the amount otherwise shares are going to be equal to the amount multiplied by the total supply where total supply is all of the shares that represent the uh vault and then we're going to divide that by the amount in the pool which is equal to balance so basically this is a way to represent fractional ownership and uh that's what's happening and lastly we get the mint uh that will assign those shares to the owner next up we have withdrawal which is a way to withdraw everything and we also will have to check our withdrawal function we have also harvest here which uh as a comment saying that it's used to swap any borrowed reserve over the debt limit to liquidate to token let's read it again used to swap any borrowed reserve over the debt limit to liquidate to token we're gonna swap from the reserve that we borrowed over the debt limit to liquidate to tokens so it's gonna get you the token but it's gonna do it on the borrowed reserve over the debt limit so first of all it's can can only be done by the controller we require that the address is different from token and i believe that's because we don't want to um basically get rug pulled there uh there's a way to liquid or liquidate your token to yourself i guess and lastly it's going to do a it's going to call on reserve and it's going to do a safe transfer to the controller for that amount borrowed reserve over the limit i'm not fully sure i understand this but uh we'll probably see this happen again next up let's see the withdrawal as you can see there's no rebalance implementation for lower fees that means that uh this will literally just try to uh withdraw whatever is available and uh only in this case we're gonna have to uh do more work so r is equal to the balance of this contract which as we said is the uh everything in the contract plus the amount in the controller then we're going to divide it by the total supply so basically this gives us a uh owner a percentage ownership then we're going to burn the shares and since we're using um a safety your c20 burning the shares you can't burn more than that although i i kind of believe you can't burn more than that even in the uh non-safe version of your c20 but don't quote me on that next up we have uh b is equal to the token the balance of this address basically we're getting again the balance that we have if the balance is less than r then what we need uh then we're gonna have to uh do a bunch of stuff we're gonna do r dot sub b so we're just gonna get what we need to withdraw because we're gonna do it uh as a subtraction of uh the total amount that we need to withdraw minus the one that is already liquid then we're gonna get the controller and we're gonna call withdraw on the controller for the withdrawal amount so again we're gonna have to check what the controller does shortly we're gonna do that then we have the after which you know is simply the again this this way of re uh rebalancing and so checking what the new balance is talking the balance of this and then the difference will be equal to after dot sub b and then if d is less than withdraw r equals b dot add diff if the difference is less than the amount that we needed to withdraw then r is going to be equal to b dot add diff i'm i'm kind of confused by this to be honest if the difference is less than the amount that they withdraw then r is going to be equal to b dot add the difference i guess i guess i'll uh uh if you if you know why you did this uh let me know in the comments otherwise i guess i'll go i'll go over i'll just trust you i don't know i'm not really sure i think i think there has to be like a simpler way where you will simply let's see you will uh so this is something you need to do anyway then you check how much you have available if this is not the case then you need to withdraw which you're going to call withdraw withdraw withdrawal you're gonna call withdraw on this difference which does make sense and then given that difference what are you gonna do given that difference you will just uh you will send it yeah you get r here i think that that may be a way to account for when um you can't withdraw more or you can't withdraw exactly what's expected uh and it may be a way to maintain a ratio because otherwise here instead of the r you will just put like a ratio that you would get from shares but for some reason if b is less than r then uh it just i guess it works out to work in that way and lastly we get the get price per full share which is equal to the balance multiplied by uh basically one with 18 decimals divided by the total supply so this gives you what the price of the share is which um it's probably really useful to know um so that you know um how much it costs to get a share although if i don't believe it's ever used in the code yeah it's never used although this may be the way to avoid this stuff uh although i guess we'll see we'll see in the controller if that's the case so let's go ahead and check what the controller looks like we're gonna go in contracts controller and we see the controller.sol we have a bunch more of these open zeppelin code safe map erc etc and we also have three interfaces we have the converter the one split audit and the strategy interfaces next up we have safety rc we already addressed that we have the address utility which i don't believe we used in the previous code but maybe it's easier we'll see that we have safe math and then we have governance and strategies and strategist is the keyword for a person or a contract that is allowed to either rebalance or change the strategy we have one split and rewards which i'm not sure what they are we'll have to figure out and then we have vaults strategies converted so vaults were the smart contracts we were checking before strategies is uh set a smart contract we'll check later and we'll probably check a couple and basically they find a way for you to earn um your uh interest and then we have converters in the um which i'm not really sure what they are next we have approved strategies and uh this is actually a great um opportunity to have a quick side tangent the approved strategies are basically the reason why iron uh and i know why i learned was act and i'm not sure why maybe we can have a separate chat on that but if i'm not mistaken the idea of having approved strategies is the way in which you ver you you ensure that there are there are no strategies that will uh steal your funds and that's actually how um another protocol called pickled of finance was hacked so if you want to investigate that you can actually go on rect.news which is one of my favorite websites ever and you can go on the leaderboard and you can see the uh records for uh contracts that lost uh funds funds that were literally uh stolen you can see the piccolo finances here there's also a knack of wire i guess let's just check what happened to iron the vault was attacked using nine flesh loans 11 million was lost from the vault 2.7 curvy feel i think it was a um oracle attacked then if only into an arby's right here but maybe leaving for team mover scene as unbeatable anyway this this is one of my favorite websites ever and it literally shows you the evolving nature of d5 so if you're interested in figuring out why these particles were hacked and you want to have nightmares about all of your money being stolen definitely check those out check correct.news let's continue with our controller we see a split set to 500 and then a max which is equal to 10 000. our constructor will set the governance to the sender as we said uh hopefully that was a multisig which i believe it was that we have the strategies currently set to the message of sender then we have one split which is set to an address and then we have rewards set to a rewards which is an address as well for some reason they chose not to add the uh one split to the rewards i think because they don't they didn't care but for some reason they did this here and they chose instead to assign it from the constructor here then we have set rewards which just sets the reward again you need to be done by governance same for the strategist same for the split same for the governance etc now we have set vault setting the vault can be done either by the strategist or by the governance and it will require that volts square bracket token is equal to address 0 so that means that the vault that is assigned to this token needs to be empty so i'm assuming this is a one-off setup that can only be done once so you can only set a vault for a specific token once and that's probably a pretty good idea to allow you to set that up later so it's more extensible but at the same time to avoid too much customizability which uh you know may bring a further risk on you next up we have a proof strategy approving the strategy will um basically just set the token and the strategy it's a mapping between the token and the strategy and it's set to true uh very extensible uh but it also ensures that you can have a a strategy and a token pair assigned but i'm guessing if you were to deploy a new strategy we'll just apply it to a new address anyway so um it's just a way to ensure that the list of strategies there then it allows you to revoke the strategy sending that to false that's fine now we have set converter set converter again can only be done by strategies or governance and it will set the converters of input output to be equal to converter where converter is an address my intuition is telling me that this is a way to uh swap between different tokens something like uni swap or curve etc but uh again we want to keep in mind this converter's keyword next up we have set strategy it requires that the strategy is approved really important and it will set current equals to strategy square bracket token because setting a strategy requires the address of the token and the address of a strategy so it will fetch the current strategy that is being used and it will check if the current is different from zero then it first will call withdraw all on the strategy and that's because the strategy is the active part of the wiring management system and as such you don't want to leave the strategy with a bunch of funds they're going to be withdrawn and then next up we're just going to change the strategy the active strategy for uh that token to be equal to the strategy so this is uh nice next up we have earn we see that we receive a token and an amount we have a strategy which we fetch for this specific token we have a want which is given us by to us by the strategy uh which is the want and then we do if the want is different from the token so this is really important if the want i.e what the strategy wants is different from the token i.e what the uh strategy uh token is then we're going to call converter which is converter square back in tokens i want a keyword we looked at before and then we're going to call erc token save transfer we're going to transfer to the converter for the amount that we got as the parameter for earn and then we're going to set amount to be equal to iconverter converter.convert strategy iconverter.convert strategy and then we're gonna save transfer want which is the the the token that the strategy wants and we're gonna send it to the strategy so what does convert mean i convert a converter strategy let's check the interfaces on wiring protocol interfaces converter i guess i'll mark this and then i'm going to search for iconverter which we got from interfaces wiring iconverter and this is where i left off let's see what this i converter does function convert address external result returns you in 256. i'm guessing it just uh converts as in it just provides uh the ratio it's just a way to calculate what each of them is worth and uh save transfer to converter convert convert strategy or it's a way to um yeah because because you're sending the tokens to the converter so i'm assuming it's actually a way to actually convert these tokens and uh basically swap them um so it's probably a way to generalize that i'll have to check what this exact contract is to be sure but i'm gonna assume that that's a way to just swap tokens into that which also explains that uh the fact that we have the check for want versus token because in the case that one and token are the same we're just to send all of our tokens to the strategy and lastly we're going to call strategy.deposit and as we said before the difference between depositing the if you remember in the vault you deposit without rebalancing because that way it's cheaper gas so uh i believe that the earned function caused the positive uh because this is not the cheaper transaction this is the expensive transaction you want to have done um to ensure that that works and it seems like it's public and it can be called by anyone i'm guessing because uh fundamentally you're doing a favor to the protocol by calling this function so uh this actually um will be called by a keeper i'm guessing and uh where keepers are a way to automate a bunch of tasks and it's something that you'll definitely learn more as uh d5 evolves next up we have balance off balance off will check uh the balance of the token and he will just get the strategy and then get the balance off of it then we have withdrawal which will call withdrawal on the strategy we're not sure where it's going to send these uh tokens to but uh we'll see that i'm guessing it sends it to this contract or to the vault one or the other but again we'll see that as we get into the strategy code in case token gets stuck this will be literally the way to rug pool uh projects in case token gets stuck seems to actually allow any token to be fetched so i'm assuming that uh this uh code assumes that this contract will never have any funds uh because if if it wasn't the case then you would actually be able to rug pull uh a uh the the want token or the token from the vault at any time so i'm assuming this controller is coded in a way where it will never have any any code because uh otherwise this is literally how you steal it and the way you would prevent that would be to have a check between the um token that the controller can can can hold and the uh tokens that the vault can hold and you will just have a check to ensure that they're not the same in case tokens get stuck this is the way to uh in case strategy tokens get stuck seems to be a way to withdraw a specific token from a strategy i'm guessing it's a you know another utility of that type then we have the get expected return which receives a strategy a token imparts and it will return a amount that represents the expected so let's see what that is we have and this is a view function so it's uh you can call it uh but it may also be used in the contract so let's see what the balance uh we're going to fetch the balance of the strategy then we're going to check what the strategy wants and then we're going to do one split audit dot get expected return and i'm guessing this is a way to figure out um what the um yeah the expector basically what these uh strategy is expecting to get uh or rather this controller is expecting to get given the active strategy and the want i'm not sure what parts is it's just a number so uh this is definitely something we'll have to investigate later and lastly we have wired and we have withdrawal withdrawal simply withdraws from the strategy and then we have wire and that was uh something really cool at the time as you can see it says it only allows to withdraw non-core strategy tokens which is over the above above the normal yield and that was basically a way for you to do either a flash loan or a set of operations that are expensive and if i'm not mistaken there is an extra percentage fee on that uh but fundamentally let's see what it does this contract should never have value in it but just in case this is a public call again this confirms what we saw before that the controller should never have a balance next up we see before is equal to the balance of the token uh balance of this contract of the token that we get the we call withdraw on the strategy and we check what we got after basically we just do we check we withdraw from the strategy we check the after if after is greater than before then we're going to get the amount that is going to be equal to the after minus the before so this is the uh let's call it the extra stuff that got that we received from the strategy we're gonna get one from the strategy so we know what which token we want then we're gonna set up this distribution variable setting memory as a uh as a list of you you win two five six then we're gonna declare expected as another two uh you intro five six we're gonna call b4 which we already declared here we're gonna just change it to be equal to irc want dot balance address this so we're going to get the balance of ones that we currently have and that's the before that we're going to do a safer proof on one split which we don't know what it is but we know that we are approving a way for safe split to do stuff then we're gonna save approve one speed amount so this is resetting the approval of uh one split to zero and then we're setting it to a specific amount which is equal to amount which is equal to the the difference between the before and after that we add up here and now before has been set to this different value which is the current balance of the want next up we're going to set expected distribution by calling this one split audit dot get expected return we have this expected and distribution we're then going to call one split audio one split does swap this is the act of swapping so this brings us at least makes this thing of uh uni swap and uh we see the expected and then the distribution here and then we're gonna have an after set to the balance of uh want that we now have in this contract if after is greater than before ie if we made some money then amount is equal to the difference and reward is equal to the split divided by max so i'm assuming this is a way to uh divide it to a certain percentage and then we call earn on want on the amount sub reward because we probably reinvest this balance and the other part gets put into rewards so i think this reveals what rewards is rewards is probably a place where we store extra uh yield extra results from doing this set of operations and then earn is a way to uh basically reinvest if i'm mistaken we chucked it already let's see yeah and earn is the way to basically convert and then deposit into the strategy so uh basically this is a uh the code that runs all the operations the next uh code we want to check is the strategies code i'm gonna go in contracts and we see that there's a ton of them we're just gonna check maybe one or two i think the compound one is one of the best to check because we have an intuition for this the compound strategy and i've seen that there's curve compound but uh the compound strategy is based on the idea that you can borrow or deposit and you can earn interest and sometimes you can literally make more money in borrowing from compound than in actually uh landing the two compound and that's literally what the uh intuition is for the strategy so we see that we have a ton of uh variables here we want this token we can check that on either scan i'm not going to check all of them but we we can check uh at least the one so we know what this strategy wants the strategy wants this token called uh cdi over cusdc which is basically the ownership of the seed i see usdc pool and then we have the curve which is the smart controver curve we have the uni uh i'm assuming the unit is a router contract i'm also going to check this one and that's kind of the beauty of having uh hard-coded variables is that if you have the patience for it you can this is the unit's operator true but basically if you have the patients you can verify all of them we have wef we have die we have curve we have gauge and voter where um gauge is um as far as i know gauge is simply the way for you to staking curve it has this name but it's basically the pull that you stick to in curve now we have the keep crv variable we have performance fee 450 strategies reward 50 withdrawal fee 0 and then feed the nominator 10 000. so that means that or at least that leads us to uh understand that the performance fee will be a percentage of this so we'll just check it out it's probably yeah 4.5 for performance and 0.5 percent for strategies reward next up we have a proxy governance controller strategies we already saw those these are to ensure no shenanigans happen and that we have earned which is the lifetime earnings this is just probably just a convenience tool to check what they earned uh then we have the event harvested which uh shows you how much you earn and the lifetime earned the constructor will uh set literally just like the controller was doing get name will tell you the name of the strategy strategy sets the strategy we can set keep crv here which is an address if i'm mistaken no it's a number keep survey it's a number then we set the withdrawal fee to a number performance fee again another number strategies reward and then we set proxy here so these are just sellers ruled by governance next up we have a way to deposit and depositing will do a safe transfer to proxy uh of uh the token that we want and then it will call voterproxyproxy.deposit uh into uh gauge and want so uh this means that we will also have to figure out what this voter proxy is and uh we're just calling this deposit function with the gauge parameter and uh the want parameter where gauge is a address there we go and then uh the other one is the amount that we currently have in this smart contracts at the time of the deposit call next up we have withdraw we draw asset controller only function for credit edition reward from dust so again you need you can only do it from the controller requires want different from the others of assets so this is the example that was mentioned about avoiding rag pools uh when uh there's a way for you to withdraw stuff and uh you're not expected to be able to withdraw because that has to be associated with removing uh tokens from the pool uh you would have a check that ensures that whatever this asset is cannot be one of the assets that is related to the operativity of this because you could imagine that if i could withdraw the want and then there is no longer any want in the strategy that means that every person that deposited in their in their vault lost all of their funds even though they still have the token representing their ownership of money that was stolen so that's why you have these checks this is like a very important thing next up we do save transfer from controller for the entire balance okay then we withdraw we'll draw a partial funds normally used with vault withdrawal okay this is called uh it's an external function which means that it can all be called by another uh contract externally so it can't be called from this contract it has to be called by somebody else let's see we have required message.sender it needs to be the controller we're gonna get the balance of want uh from this contract if balance is less than amount then we're gonna call with draw some so this is just a way to again avoid extra work when you could just withdraw now we have the fee which will be equal to withdrawal fee divided by the fee denominator uh you always multiply first divide later and withdrawal fee we said is a 0.5 percent so it's a uh what is it 50 out of 10 000 then we have the want here we're going to do a safe transfer from uh controller.rewards for the fee because again the controller words is where we store their words then we uh get the vault by calling the volts of others of one and we ensure that the vault does exist and that we do a safe transfer to the vault so withdrawing from the strategy is the act of rebalancing taking the fees and then sending back to the vault now we have withdraw some and we have this voter proxy to withdraw i'm not sure what this is i'll have to check it but basically we're calling withdraw with the primary gauge want and amount i'm assuming it's a way to withdraw from the uh curve uh uh pool basically that's what i'm gonna assume although we will have to verify later next one we draw all which can all be done by the controller we do because the function we draw all which uh with an underscore which again calls the voter proxy withdrawal and then it's gonna check the balance of the want from this account and and then you're gonna get the vault and then it's going to deposit to the vault the fact that uh fetching the vault is done in this way uh basically creates this connection between the vault the controller and strategy where the controller is basically the pipings is all the connections between the uh everything else while the strategy is kind of blind it just asks the controller what to do and uh and then it sends the funds to the vault because uh the vault is where you store all the stuff so um that's great next we have the harvest function which is probably the most important one so i'll talk about it late last balance of want just a way to know how much we have or what we want balance of pool how much of this voter proxy is in the gauge we'll figure out what this voter proxy is in a second but that's basically what it does balance off is balance of want plus balance of pool so this is the balance that we have that we have set governance and set controller which are you know safe safe stuff next up let's check the harvest function clearly uh the bulk of this operation again cannot be done by the governance or the strategist we're gonna call harvest on this voter proxy so we definitely have to figure out what this voter proxy does although i'm guessing it basically rewarded harvest is the act of getting the reward that's what i'm guessing at this point but we'll have to verify next up we get curve irc of curve the balance of this we check how much curve we have if we have more than zero then we're gonna call uh we're gonna get this keep curve equal to crv which is the current curve we have multiplied by keep curve divided by the denominator so this is how much curve this is a percentage currently of the curve we have and uh we're gonna do erc crv safe transfer to voter so we're gonna send uh the the amount that we wanna keep or this percentage of the amount we have we're going to send it to keep crv which i'm not sure what uh two voters sorry which i'm not sure who is voter then we're going to have crv set to crv minus the one we already sent so now we have this new amount and then we're going to save approve and approve uni for zero which means that we reset the allowance of the unizwa parameter to zero next we set that amount to this value up here 150 online 150. next we do path basically we set up for a unisop swap if you check the uniswap documentation this is exactly how they tell you to do it and now don't add 1800 i'm not sure if this is a way to do it in this block but that's what i'm going to assume and basically we're calling swap exact tokens for tokens where we put crv and we expect a minimum amount of zero so this may be this may actually be part of how they got uh their funds uh i'm i'm honestly not sure i haven't uh i remember checking about i guess i'll just speculate at this point complete speculation but basically if you set that the minimum amount you want uh for a trade is zero that means that if somebody front runs you or that somebody manipulates the pool you're going to accept any deal so um that it may be a good idea to have the uh harvest set to only be called by strategies of the governance because that way um you know they would have to listen unchained for when you're gonna make this call but this may be a way to uh basically give a worse rate to these um to this contract because there is no check here on how much it uh wants to get next we have die equals to irc die balance of address this if there's more than zero die we're gonna send the die to curve basically and then we're gonna call add liquidity with die set to that so basically we're going to reinvest some dye if we do have it i'm not sure uh why we mentioned i but yeah basically if we have some that we're going to reinvest next up we have one and basically we're going to get the balance of how much we have if we have something we're gonna then get our fees here we have performance fee divided by feed denominator reward uh is the strategy's reward and then we're gonna call uh the we're gonna send the rewards to the rewards uh set by our controller and lastly we're gonna set the rewards to the strategies and then we're gonna call the deposit function only if we have more so and i'm guessing deposit was yeah just a way to re put money in the voucher proxy and then it's gonna call voterproxy.lock which is definitely something to uh keep in mind which means that in order to close our circle and figure out everything that we did we have to check this voter proxy and lastly just emits a event and it shows you that so let's see what this voter proxy is it's from iron i voter proxy from interfaces iron ivory proxy dot sol we see that we have a way to withdraw we have a balance we have withdrawal we have deposit we have harvest we have a lock we have a claim rewards so um actually not sure why you wouldn't have the contract for the voter proxy maybe i'm not experienced enough to know so that was kind of the the entire uh flow of how iron works hopefully that was informational as you can imagine uh the um i mean uh honestly the developing on solidity is an extremely harsh learning curve at least for me and uh also the the act of coding is not even the most important part because the smartness of coming up with the strategies figuring out these type of opportunities uh is way more um just way more complicated even than the code even though the code is already uh complicated enough and also extremely dangerous because uh you can get you can lose all of your funds if you did so at this point let's go and check the coin like safe moon so safe moon has a github here and they also have like a twitter account uh that has over and i have no idea how they have all of those followers but they have 400 000 followers and they seem to have raised like 700 million dollars you know 700 000 i'm gonna i'm not gonna expect them to have raised that much but let's see let's see what uh they're doing funding page safely to the moon eight hundred thousand out of one million has been raised so far okay because they want to raise some money here okay anyway uh if we look at the safe moon contract you'll see that there's very little here you know i'm not even sure why it's being forked so much because this is uh literally the inline uh version of a um this is just the inline version of a year c20 and then there's some uniswap code so it's not uh there's nothing particularly uh unique there's actually nothing unique about this but anyway this is um the worst way to read the code because all of your contracts are here but we'll i'll try to do the best that i can to do that and the reason why you will do it is because it's submitted to like uh a contract verifier that doesn't uh um either doesn't use hard at or it's just uh uh it is what it is next up let's see we see safe one features three percent out of fee fee auto add to the liquidity pool to locked forever when selling two percent fee are distributed to all holders i create a black hole so b token will deflate itself 50 supplies burn at start okay let's see that so first of all we have the interface for irc 20 uh the erc20 and uh you can literally get that from the uh opens up link code this is a 6.12 which means that they're using a version 3 of the open zapping code but yeah it's a very safe code we have the safe map function we cover that and uh this is again a copy based off the 3.0 version of that there we have the context yeah this is basically a way to get the message sender and message data although i haven't never seen this one used but there's probably um somebody that has used that as well but yeah uh i've seen this use a lot to get the message.sender with this function underscore message center we have the address library which as i said checks for contract it basically verifies that the sender is a contract instead of it being a personal wallet then we have send value which i believe just sends uh funds and function call function called these are ways to interact with contracts programmatically then we have the ownable so anytime you see ownable you want to think of owner you want to think of um what's it called governance this is basically the way to have the uh owner we also see a lock time uh but yeah this is just the ownable contract which again you can check here in the i think in the utils actually in the case of 3.x it's going to be an access control so you can check that but basically if it's ownable you own it and um it just provides an extra security next up we have the v2 factory which is the way to um set up pairs right you have get pair all pairs create pair it's basically your way to register your um your new pair to uni swap then we have the uni swap v2 pair which is the specific pair which uh if you're not aware a pair is the way which you specify how uh two tokens can exchange and uh the most notable stuff is that you're gonna have a ratio which is x times y equals k or a curve i guess and uh that uh basically determines the price of each asset at each time then you have the uniswap router v1 and uh that's the the basically the contract this is the v1 there's going to be the v2 later but this is the contract that allows you to specify how to perform trades so you have all this function you have the if basically this is why uh developers hate if and love wef it's because when you have to deal with if you have to write twice the code so now we have the uni uh unison browser v2 which is uh the more sophisticated uh version of the router and it's the latest router although there's a v3 coming out uh soon enough next up safe moon is context basically safe moon this is the declaration of the safe moon contract safe moon is contracts irc and ownable uh he uses safe math it has an address we see our own to own a mapping between addresses and amounts it's going to be private we also see the allowances that may be because they are hard-coded is uh erc20 is excluded from fee basically there may be somebody that doesn't pay fees address is excluded excluded then we see max is going to be equal to tilde you int zero the total is equal to whatever this is with uh 15 zeros one two three four five six eight nine plus fifteen twenty four zeros okay so there's gonna be one to the uh 2024 i guess yeah 1e24 uh is going to be the total distribution i'm guessing so it's basically going to have 24 zeros uh which is a million a million if basically it would be the a million with 18 um other zeros then we have the r total which is equal to max minus max modulo the underscore t total we'll see what this is and then we have the t fee total we have the name symbol decimal there's nine decimals pretty odd but basically that means that there's what is this again one two three four five six seven eight nine nine and six it's 15 there's 15 uh one to the to the one uh 10 to the 15 of these tokens because the decimals are nine tax fee is five previous tax fees underscore tax fee okay liquidity fees five previous liquidity fee so i'm not sure why this would be set up in this way uh but uh uh it's you know it is what it is then it declares a swap ra a uniswap router it gets a immutable pair and that's why i'm confused because you will just do immutable here as well but you know whatever uh in swap and liquify is a boolean and then they set public swap and liquify enable set to draw max transaction amount is this number right here number sell to our liquidity is this number a year then they have event mean tokens before swap updated swap liquify enable updated swap liquify and then they have a modifier lock the swap which checks if in swap liquefies true and then it will set the in swap and liquify set to false okay so this is uh just um you know just weird i don't really have much to say on this our own is equal to okay our own of message.sender is equal to the total so this our own is setting uh the balance of this guy to to to everything i'm seeing then i'm seeing units web router and they're setting it to this uh thingy which you would have to check on the binding smart chain explorer basically this is the router i'm guessing this is going to be pancake swap but we'll see bsc explorer yeah this is the pancake swap router makes sense and uh factory unisoft v2 pair is going to create a pair between this token and wef where ref is uh the bsc coin and uh set the rest of the contract variables is excluded from fee owner owner doesn't pay fees he's a schooler from fee address this this contract doesn't pay fees either and then it's gonna emit transfer to other zero of message sender and total address zero message center total but our owned of message center is equal to our total okay and then you see the classic erc20 methods balance off transfer allowance approved transfer front decrease allowance deliver function deliver will get the message.sender it cannot be excluded so there's basically a black list here and then it gets this r amount from get values which we love to check and then it sets our own sender equals our own center minus sub amount so the the sender the guy the guy that makes the request uh basically owns less because they're sending it to him i'm assuming our total is our total sub our amount t fee total add t amount we're going to increment t amount where t amount is deliver so we're going to increment the fees to t amount they're gonna reduce the total r by r amount which is from get values then you have a reflection from token t amount is a variable that is received needs to be less than equal to t total amount must be less than supply okay the doctor if the if the uh if you're not gonna deduct transfer fee which i'm assuming is a it's a global variable then you're gonna get r amount and you're going to return that otherwise you're going to get values the return transfer amount token from reflection let's see what this get rate function and get values is get r values get values transfer amount get tv values t fee calculate tax fee t liquidity calculate liquidity transfer transfer amount is going to be equal to the amount dot sub t feet or subliquidity so i'm guessing it's just a way to handle a ratio as they were saying it this is like a they're trying to do a deflationary thing but yeah it just doesn't look and then they have swapping liquify i guess i'm just more confused by this than uh than uh that i would expect um if you have specific questions i'm gonna take a few specific questions uh maybe i will uh study the code and uh give you a definitive answer but yeah i wouldn't recommend investing in this at all and uh i would also recommend new developers to start using hard at which will handle your uh contracts in a cleaner way so you don't have to uh in line them you can just uh you can just use the r that verify plugin to verify your uh code and that's gonna make your life so much easier so let me know if you enjoyed the video i thought i would try something new and so let me know how that goes and i'll see you soon thank you for watching

Info

Channel: Alex the Entreprenerd

Views: 776

Rating: undefined out of 5

Keywords:

Id: p3cU9mWk_To

Channel Id: undefined

Length: 73min 11sec (4391 seconds)

Published: Tue Apr 27 2021