Live
Competition ends in 8 days
IQ AI
Tokenized agents for DeFi and beyond
View Repo- Start date29 Jan 8:00 PM UTC
- End date7 Feb 8:00 PM UTC
- Total awards$35,000 in USDC
- Duration9 days
- Details
IQ AI audit details
- Total Prize Pool: $35,000 in USDC
- HM awards: $23,900 in USDC
- QA awards: $1,000 in USDC
- Judge awards: $2,800 in USDC
- Validator awards: $1,800 in USDC
- Scout awards: $500 in USDC
- Mitigation Review: $5,000 USDC
- Read our guidelines for more details
- Starts January 29, 2025 20:00 UTC
- Ends February 7, 2025 20:00 UTC
Note re: risk level upgrades/downgrades
Two important notes about judging phase risk adjustments:
- High- or Medium-risk submissions downgraded to Low-risk (QA) will be ineligible for awards.
- Upgrading a Low-risk finding from a QA report to a Medium- or High-risk finding is not supported.
As such, wardens are encouraged to select the appropriate risk level carefully during the submission phase.
Automated Findings / Publicly Known Issues
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
- The token will be IQ, so there is no need to review implementations with other tokens.
- Whitelisted proxies can be malicious - no need to raise this as an issue.
- The owner will be a multisig.
- Gas optimizations are not needed since this will be deployed on a cheap L2 chain.
Overview
AIToken
- ERC20 Compliant Token which confers governance over
AgentContract. - Contains ERC20Permit Functionality.
- Token contract is owned by the
AgentContract. - Token Clock based on timestamp rather than blockNumber
Agent
AgentContract which allows for call forwarding to whitelisted implementation contracts.- Owner of the
Agentis theTokenGovernorcontract. - Whitelists must be approved via the
AgentFactorycontract. - Implementations must adhere to the storage layout set forth in
Agent - Similar to EIP-897 upgradability pattern
AgentFactory
- Contract responsible for deploying the Agent Contract array
- On
createAgent()call the factory will deploy several contracts:AgentAITokenTokenGovernorLiquidityManager--initializeBootstrapPool()--> 4.1BootstrapPool
- AITokens in this step will be allocated between the
Agent,DAO&LiquidityManagerat this point. - Users will have an option to perform an initial buy through the
BootstrapPoolcontract on the initial call.
AgentRouter
- Contract used to route trades either buying or selling a given
AIToken - Will swap either through the
BootstrapPoolor aFraxswappair
BootstapPool
- Serves as an initial pool through with an
AITokencan be traded. - Owned by
LiquidityManagercontract. - Very similar to X*Y=K style AMM.
LiquidityManager
- Contract intended to move liquidity between the bootstrap pool and the fraxswap pair given certain conditions are met.
TokenGovernor
- Governance contract based off of OZ
Governor.sol - Voting token is
AITokenGovernor address will have ownership rights over theAgentcontract.
Links
- Previous audits: N/A
- Documentation: N/A
- Website: https://iqai.com
- X/Twitter: https://x.com/IQAICOM
Scope
See scope.txt
Files in scope
| File | Logic Contracts | Interfaces | nSLOC | Purpose | Libraries used |
|---|---|---|---|---|---|
| /src/AIToken.sol | 1 | **** | 38 | @openzeppelin/contracts/access/Ownable.sol, @openzeppelin/contracts/token/ERC20/extensions/ERC20Permit.sol, @openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol, @openzeppelin/contracts/utils/Nonces.sol, @openzeppelin/contracts/utils/types/Time.sol | |
| /src/Agent.sol | 1 | **** | 63 | @openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol, @openzeppelin/contracts/access/Ownable.sol, @openzeppelin/contracts/proxy/Proxy.sol | |
| /src/AgentFactory.sol | 1 | **** | 217 | @openzeppelin/contracts/interfaces/IERC20.sol, @openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol, @openzeppelin/contracts/access/Ownable.sol, @openzeppelin/contracts/access/Ownable2Step.sol | |
| /src/AgentRouter.sol | 1 | **** | 100 | @openzeppelin/contracts/interfaces/IERC20.sol, @openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol, dev-fraxswap/src/contracts/core/interfaces/IFraxswapPair.sol, dev-fraxswap/src/contracts/core/interfaces/IFraxswapFactory.sol | |
| /src/BootstrapPool.sol | 1 | **** | 137 | @openzeppelin/contracts/interfaces/IERC20.sol, @openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol, @openzeppelin/contracts/utils/ReentrancyGuard.sol | |
| /src/LiquidityManager.sol | 1 | **** | 146 | @openzeppelin/contracts/interfaces/IERC20.sol, @openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol, dev-fraxswap/src/contracts/core/interfaces/IFraxswapPair.sol, dev-fraxswap/src/contracts/core/interfaces/IFraxswapFactory.sol, dev-fraxswap/src/contracts/core/libraries/Math.sol | |
| /src/TokenGovernor.sol | 1 | **** | 77 | @openzeppelin/contracts/governance/Governor.sol, @openzeppelin/contracts/governance/extensions/GovernorCountingSimple.sol, @openzeppelin/contracts/governance/extensions/GovernorVotes.sol, @openzeppelin/contracts/governance/extensions/GovernorVotesQuorumFraction.sol, @openzeppelin/contracts/governance/utils/IVotes.sol, @openzeppelin/contracts/utils/types/Time.sol | |
| Totals | 7 | **** | 778 |
Files out of scope
See out_of_scope.txt
| File |
|---|
| ./script/Base.s.sol |
| ./script/Deploy.s.sol |
| ./src/interface/IBAMM.sol |
| ./src/interface/IBAMMFactory.sol |
| ./test/AITokenTest.sol |
| ./test/AgentFactoryTest.sol |
| ./test/AgentRouterTest.sol |
| ./test/AgentTest.sol |
| ./test/BootstrapPoolTest.sol |
| ./test/Helpers/SigUtils.sol |
| ./test/MoveLiquidityTest.sol |
| ./test/ProxyTest.sol |
| ./test/TokenGovernorTest.sol |
| Totals: 13 |
Scoping Q & A
| Question | Answer |
|---|---|
| ERC20 used by the protocol | vanilla ERC20s as collateral, IQ |
| Test coverage | 93.09% |
| ERC721 used by the protocol | None |
| ERC777 used by the protocol | None |
| ERC1155 used by the protocol | None |
| Chains the protocol will be deployed on | Fraxtal |
ERC20 token behaviors in scope
| Question | Answer |
|---|---|
| Missing return values | Out of scope |
| Fee on transfer | Out of scope |
| Balance changes outside of transfers | Out of scope |
| Upgradeability | Out of scope |
| Flash minting | Out of scope |
| Pausability | Out of scope |
| Approval race protections | Out of scope |
| Revert on approval to zero address | Out of scope |
| Revert on zero value approvals | Out of scope |
| Revert on zero value transfers | Out of scope |
| Revert on transfer to the zero address | Out of scope |
| Revert on large approvals and/or transfers | Out of scope |
| Doesn't revert on failure | In scope |
| Multiple token addresses | Out of scope |
| Low decimals ( < 6) | Out of scope |
| High decimals ( > 18) | Out of scope |
| Blocklists | Out of scope |
External integrations (e.g., Uniswap) behavior in scope:
| Question | Answer |
|---|---|
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | No |
| Upgradeability (e.g. Uniswap gets upgraded) | No |
EIP compliance checklist
| Question | Answer |
|---|---|
| src/AIToken.sol | ERC20 |
| src/Agent.sol | ERC721 |
Additional context
Main invariants
N/A
Caveates
- CurrencyToken is intended to be an IERC20 compatible token. This excludes tokens with
feeOnTransfer()
functionality, in addition to ERC777-like callback functionality. - Implementation contracts for
Agentare intended to inherit the storage layout of the baseAgentcontract. Using a
pattern like so:
contract AdditionalFunctionalityForAgent is Agent {
uint256 public someAdditionalState;
constructor(
string memory name,
string memory symbol,
string memory url,
address _factory
)
Agent(name, symbol, url, _factory)
{ }
function someAdditionalFunctionality() public { .... }
}
- Similarly it can also be assumed that the
AgentFactoryOwner will not whitelist and proxy Implementations which are
malicious or interact with the baseAgentstate in a malicious manner.
Attack ideas (where to focus for bugs)
- Graduation of agents and transfer of LP to Fraxswap
- High severity risks around funds getting stuck or stolen from the protocol
All trusted roles in the protocol
| Role | Description |
|---|---|
| AgentFactory Owner | admin rights |
Describe any novel or unique curve logic or mathematical models implemented in the contracts:
N/A
Running tests
git clone --recursive https://github.com/code-423n4/2025-01-iq-ai
cd 2025-01-iq-ai
pnpm i
forge test
To run code coverage
forge coverage
To run gas benchmarks
forge test --gas-report
Miscellaneous
Employees of IQ AI and employees' family members are ineligible to participate in this audit.
Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.