
Sommelier Protocol Team Weekly Update #11

Welcome to the Protocol team update on the Sommelier Cellars release! This week we continue with Macro’s audit of the Aave cellar smart contract, the Cellar staking reward, and the team's delivery of the Steward and Cellars release.

MACRO AUDIT METHODOLOGY

The purpose of this audit is to review the source code of the `CellarStaking` and `AaveV2StablecoinCellar` Sommelier Cellar contracts and provide feedback on the design, architecture, and quality of the source code with an emphasis on validating the correctness and security of the software in its entirety.

Macro performed a thorough manual review of the code, checking that the code matched up with the specification, as well as the spirit of the contract (i.e. the intended behavior). During this manual review portion of the audit, they primarily searched for security vulnerabilities, unwanted behavior vulnerabilities, and problems with systems of incentives.

Next, they performed the automated portion of the review, which consisted of assessing the quality of the test suite and evaluating the results of various symbolic execution tools against the code. Finally, a line-by-line inspection of the code, including comments, was done in an effort to find any minor issues with code quality, documentation, or best practices.

RESULTS AND FINDINGS FROM THE MACRO AUDIT

In the first review of `AaveV2StablecoinCellar`, Macro found a significant number of issues originating from the use of inactive assets. The Sommelier team was already thinking of changing the approach of using inactive assets, and after seeing the issues Macro reported, the team diligently decided to take the time required to change the approach. After the approach changed, Macro proceeded with its second review.

The results of the second audit showed one high and three medium vulnerabilities, along with a number of informational notes and gas optimizations. All issues were alleviated. The high-severity vulnerability related to the staking contract and the overpayment of incentives to old stakers when new reward cycles were begun. All medium issues related to the cellar itself, and covered fee accounting (non-user-facing functionality) and edge cases regarding fee-on-transfer tokens.

Beyond the high and medium-severity issues, Macro reported a handful of informational and code quality improvements. Gas optimizations were implemented where they did not significantly affect contract logic. Other informational issues were either addressed or deemed “won’t fix”, with explanations of acknowledgement included in the report.

WHAT DOES THIS AUDIT MEAN FOR THE SOMMELIER PROTOCOL TEAM?

Following both audits, the Sommelier team implemented patches for these findings based on the recommendations by Macro. Several strengths were noted during the review, such as well-structured code and project files that enhance UX and maintenance, well-designed smart contracts that clearly define access rights, custom explanations of verification errors, and the use of an up-to-date compiler.

This audit and the fixing of the security risks have enabled the protocol team to prepare for Sommelier’s first Cellar launch. To this effect, there is a draft proposal to authorize a one-time transfer of SOMM from the community pool to the CellarStaking contract, which is used to incentivize cellar depositors on Ethereum Mainnet. These funds will be used for an incentive program for depositors into Sommelier’s inaugural AAVE V2 Stablecoin Cellar. The tokens prescribed by the program will be distributed pro rata to users on Ethereum Mainnet who elect to bond aave2-CLR-S in Sommelier’s staking contract.

To learn more about Sommelier, please visit https://sommelier.finance/
To participate in the community, please join the Telegram group https://t.me/getsomm.
To follow the project on GitHub, please star the project https://github.com/PeggyJV/sommelier.


© 2022 Sommelier by Bajanss OÜ, Maakri 36-50, Tallinn, Estonia 10145
