sol2uml diff uses Google's diff_match_patch package to make the code comparison. The human-readable output of the diff to the console is my own implementation.

Show this thread

Nick Addison

@naddison

Dec 15, 2022

Use the `-s, --saveFiles` option to save the flattened files so they can be compared in an IDE. The file names will be the contract address with a .sol extension.

Use the `-l, --lineBuffer <value>` option to increase the number of lines output before and after each change.

It will work against any chain with an Etherscan-like explorer. eg Goerli, Sepolia, Polygon, Arbitrum, Avalanche, BSC and Optimistic Here's an example from Polygon sol2uml -n polygon diff 0x4f59cb6db6020c5553a5c856aba0a7e477aad1ee 0x25D1e7f9B306fb6502D3748490cfCBe0CCB546E7

Here's how to compare the old and new USDC implementation contracts sol2uml diff 0xb7277a6e95992041568d9391d09d0122023778a2 0xa2327a938febf5fec13bacfb16ae10ecbc4cbdcf

Contract diff has been published in sol2uml v2.4.0

github.com

Release Release v2.4.0 · naddison36/sol2uml

New diff command was added that downloads the verified Solidity code of two contracts from Etherscan, flattens the source files and compares the code. Usage: sol2uml diff [options] ...

What sol2uml enhancement would you most like to see? github.com/naddison36/sol

diff between contracts
50%
parse slot data
25%
generate from git repos
25%
another from issues list
0%

12 votesFinal results

Nick Addison

@naddison

Dec 5, 2022

sol2uml v2.3.0 has been published with a new feature that will squash all inherited contracts into one class diagram. See the release notes for an example of the Uniswap V3 Router github.com/naddison36/sol

Uniswap V3 Router generated using

sol2uml -s -hp -hi -hl -hs -he 0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45

read image description

ALT

Nick Addison

@naddison

Dec 2, 2022

Great to see what I've been working on all year with the

@mstable

team is now live! yield.mstable.org

Quote Tweet

mStable

@mstable_

Dec 1, 2022

We are officially releasing our Meta Vaults today, a composable vault architecture built on ERC-4626. yield.mstable.org

Show this thread

0:50

3.2K views

Nick Addison

@naddison

Nov 16, 2022

A great list of smart contract tools and techniques. And not just because sol2uml and tx2uml are on the list 🙂

Quote Tweet

Shantanu Sontakke

@shanzson

Nov 16, 2022

I have made a list of Smart contract tools and techniques that can be utilized by both smart contract auditors and developers for secure smart contracts development and analysis. github.com/shantanhunt/Sm #tools #smartcontract #cybersecurity #web3 #blockchain #blockchainsecurity

Nick Addison

@naddison

Nov 14, 2022

The Medium article medium.com/mstable/solvin

We recognize the limitations of existing standards and find optimal workarounds for them, and in this case, the problem of slippage when it comes to ERC-4626 Vaults.

While standards play a huge part in standardisation and gaining adoption — problems like these remind us that there are no easy wins when it comes to DeFi.

Here's the full process for a deposit

Once we have a fair price we can reduce it by a slippage factor which is currently configured to be 1%. This adjusted fair price is used to calculate the minimum number of Curve Metapool LP tokens (musd3Crv) that can be received when adding 3Crv liquidity to the pool.

For the deposit into mStable’s vaults, we need to price the Metapool LP tokens in Curve’s 3Pool LP token (3Crv) as that’s the asset we are using in the vault. To do that we get the 3Pool virtual price and divide it by the Metapool LP token price.

It does this by calculating the pool's invariant which is the USD value of the tokens in the pool divided by the token’s total supply. As the balance of the tokens in the pool does not affect the pool’s invariant or USD value, the virtual price is safe from sandwich attack.

The way mStable’s Vaults get a fair Metapool LP token price is to use the virtual prices of the Curve Metapool and Curve 3Pool. The `get_virtual_price` function returns the price of the pool’s liquidity provider token in USD.

So the problem remains, the EIP-4626 function has no way to pass in a minimum amount. Breaking the standard to add this is not an option and using oracles is also suboptimal. We need an on-chain method.

This can not be used to prevent a sandwich attack though. If a prior transaction has already been run to imbalance the pool, the `calc_token_amount` function will just return the now unfair LP token amount.

The Curve pools have a `calc_token_amount` function that calculates the amount of LP tokens received for the deposit of pool tokens.

But with the standard EIP-4626 deposit function there is no parameter defined to specify the minimum amount and therefore we can not pass in a fair amount of Metapool LP tokens that were calculated off-chain.

Typically, DeFi protocols have a fair amount passed in as part of the transaction. The `add_liquidity` function of Curve’s pools is a great example with the `min_mint_amount`.

To protect against a sandwich attack, a fair minimum amount of LP tokens needs to be specified when adding liquidity to the Curve Metapool.

This means the amount of Metapool LP tokens received in the vulnerable add liquidity transaction is much less than what it should be. In the third transaction, the attacker returns the mUSD removed in the first transaction and pockets the gains.

If there was a transaction to add 3Crv to the mUSD Metapool with a zero min LP amount, the attacker’s first transaction would be to decrease the amount of mUSD in the Metapool.

Attackers watch the Mempool for transactions that can be exploited before they are included in a block. To exploit a transaction, they bribe block producers to include their transaction in front of and after the exploitable transaction.

For example, if Curve’s mUSD Metapool had 2m mUSD, 6m 3Crv and 100k of 3Crv were added, 100,068 LP tokens (musd3Crv) will be received. If the Metapool had 6m mUSD, 2m 3Crv and 100k of 3Crv were added, 100,892 LP tokens (musd3Crv) will be received.

As the vault is only adding one of the two pool tokens, the amount of Metapool LP tokens it receives will depend on the balance of mUSD and 3Crv in the Metapool. The more 3Crv that is in the pool the fewer LP tokens will be returned when adding just 3Crv to the Metapool.

A technical challenge when developing the vaults was how we set the min amount of expected liquidity provider tokens. Just setting the `min_mint_amount` to zero is not good enough as it allows any deposit transaction to be sandwich attacked.

For the mUSD Metapool, the amounts are a two-item array. The first is the amount of mUSD, the second is the amount of 3Crv. The 3Crv Convex vaults are only depositing 3Crv so the first item of the amount array will be zero.

When you add liquidity to a Curve Metapool or any other pool, you specify the amount of assets you want to deposit and the minimum amount of the LP tokens you are willing to receive in return (commonly: minimum out).

The 3Crv is added to the Curve mUSD Metapool and the resulting LP token (musd3Crv) is then deposited into the Convex mUSD pool which invests in the Curve mUSD gauge with boosted rewards. A technical challenge in this process is how to protect against sandwich attacks.

A deposit to the 3Crv Convex mUSD Vault will transfer 3Crv from the caller and mint vcx3CRV-mUSD vault shares to the receiver.

The first of the

EIP-4626 vaults will invest in Convex pools based in Curve’s 3Pool. From an EIP-4626 perspective, the asset of the vault is Curve 3Pool’s liquidity provider token (3Crv).

A consequence of the EIP-4626 standard is that the deposit and mint functions don’t provide a way to specify a minimum share or asset amounts in return - commonly used to prevent high slippage or sandwich attacks.

The vault will invest the pooled assets into one or more underlying platforms to generate yield. Read more at

eips.ethereum.org

EIP-4626: Tokenized Vaults

Tokenized Vaults with a single underlying EIP-20 token.

EIP-4626 provides a standard way to invest a token into an investment pool, which is commonly called a vault. When you deposit your assets, which is an ERC-20 token, you receive a share token that represents your portion of the assets in the vault.

A thread 🧵on how

solved slippage with EIP-4626.

Show this thread