Grant Update: Example output of the automated New Token Checklist

As part of our ongoing grant, “Compound New Asset Listing checklist Automation”, DeFiSafety is building an automated process for authors to propose new tokens. New authors will start a script. The script will ask a series of questions based on the OZ questionnaire. Many answers will be entered as text. The author will enter the Etherscan address to the token code. From this a set of automated questions will be answered using AI or code analysis. The output will be a markdown document that will act as the post for the token in the New Markets category.

This forum post has three example post outputs. These were generated using the process but the outputs were not automated. Our automated process is almost complete and will be demonstrated for the next milestone.

This post is the third milestone in our grant. It includes example posts from three recent tokens from the New Markets category: tBTC, rsEth on Arb, WOEth. Comments are welcome. We are always available to discuss anything presented here.

1 Overview

Token: tBTC on chain: Ethereum

This report is the automatically generated output from the Compound New Asset Checklist Automation script v0.0 developed in August 2024. Some of the data in this report is manually typed by the report’s “author”, the person who ran the script. Some of the data is generated by the script as it analyzes the blockscan data and code of the entered token.

The manually entered code (in Section 3 and 4) is not checked. We merely present the text as typed by the author. The automatically generated text (in Section 5) is automatically generated upon analysis by scripts and LLM on the code of the presented Etherscan

Please see the Disclaimer in Section 6 before using the data in this report.

2 Red Flags

Note: Red flags are based on automated tests only (not text manually entered by the Author).

The token contract has no red flags

3 Token Description

Token: tBTC on chain: Ethereum

This report was generated on August 26, 2024

Website:

https://threshold.network/

3.1 Description

Background tBTC:

tBTC is a decentralized wrapped Bitcoin that is 1:1 backed by native BTC. Unlike other wrapped Bitcoins, the BTC that backs tBTC is not held by a central intermediary, but is instead held by a decentralized network of nodes using threshold cryptography.

tBTC is trust minimized and redeemable for native BTC without a centralized custodian. It can be used across the entire DeFi ecosystem.

tBTC can be used as collateral, liquidity, a store of value, and can be integrated with DeFi apps across all supported blockchains. As with other BTC wrappers, tBTC provides cryptocurrency traders and general users with a BTC-pegged token, that can be used to generate yield whilst holding native BTC.

  • Since launching the full 2-way BTC bridge in August, tBTC has scaled to 9 chains beyond Bitcoin.
  • tBTC is the only fully permissionless BTC bridge.
  • MCAP increased from 85m to 225m in 3 months.
  • Collateral for crvUSD.
  • About to go live on Aave.
  • Becoming the go-to bridged Bitcoin on Bitcoin L2’s with 706 BTC on Mezo and 229 BTC on BOB, with more partnerships incoming.

Background Threshold Network:

tBTC was created by a decentralized effort of contributors at the Threshold Network DAO, and extensively utilizes the Threshold Network’s threshold cryptography to create a secure BTC asset. tBTC is a product launched on Threshold Network, on which many other decentralized applications such as Threshold Access Control (TACo) and Threshold USD (thUSD) are built.

Threshold Network DAO was born out of the first on-chain merger between two decentralized protocols, Keep Network and NuCypher early in 2022. The DAO has successfully operated since that time, and supports an active community of contributors that work towards building tBTC liquidity and usability.

3.2 Benefits to the Compound community

  • A range of lending options for those who wish to earn yield on their Bitcoin.
  • Collaboration with the Threshold Network DAO, opening up co-marketing opportunities to boost Compound’s reach.
  • Potentially enables direct deposits from BTC chain in the future.
  • Preferable yields on tBTC through active incentive participation, boosting Compound protocol use, fees and TVL.
  • Threshold Network has internally granted a 45k incentives budget to be distributed over a 3-month period.
  • A long-term incentives partnership TBC, depending on the success of this initial distribution.

3.3 Author

Name: Ethan

Author’s relationship with the token:

Ethan is the Growth Coordinator for Threshold Network

4 Manually Entered token information

4.1 Etherscan Link:

This token contract is not upgradeable.

Link to token code

$57,466.38 | tBTC (TBTC) Token Tracker | Etherscan

4.2 GitHub Link:

GitHub - keep-network/tbtc-v2: Trustlessly tokenized Bitcoin everywhere, version 2

4.3 Audits

About

4.4 Link to Test suite

tbtc-v2/solidity/README.adoc at main · keep-network/tbtc-v2 · GitHub

4.5 Bug Bounty program

Kelp DAO Bug Bounties | Immunefi | Immunefi

4.6 Emergency Contacts:

security@threshold.network

4.7 Additional Security Tools

Slither

4.8 Will the token include implementations on other networks?

Yes

4.8.1 If so, will the tokens be natively minted on the other networks or bridged across?

Natively mintable on Ethereum and soon on Arbitrum.

4.8.2 If so, are there any mitigations in the contracts in case a bridge becomes inoperable or compromised?

There are 8 guardians in place who can halt bridging from L2s

4.9 Are there any flash loan pools for this token?

No

4.9.1 If so, please list the protocols:

N/A

5 Automated Token Information

Token Age: 1,441 days

Number of Transactions: 44,353

The token contract is NOT Pausable.

The contract does not have a deny list.

The token has SafeMath and uses it throughout.

The contract follows the ERC20 standard.

The contract allows the minting of new tokens.

The contract allows the burning of new tokens.

The contract does NOT have rebasing functions.

The contract does not have fees on transfer.

The contract does not have delegate calls.

The token cannot be flash minted.

6 Disclaimer

The purpose of these reports is a succinct technical summary for devs and auditors when considering using a token on a chain. It is designed to use their time more efficiently. DeFiSafety’s team are analysts, not devs or auditors.


1 Overview

Token: wOEth on chain: Ethereum

This report was manually generated for Milestone 3 using the processes of our upcoming scripts (but executed manually) for the automated parts. The manual parts are from the excellent report in Comp.xyz.

This report is the automatically generated output from the Compound New Asset Checklist Automation script v0.0 developed in August 2024. Some of the data in this report is manually typed by the report’s “author”, the person who ran the script. Some of the data is generated by the script as it analyzes the blockscan data and code of the entered token.

The manually entered code (in Section 3 and 4) is not checked. We merely present the text as typed by the author. The automatically generated text is highlighted in blue. This text is based on blockscan data (Etherscan or equivalent) and analysis of the token code (from the blockscan) as analyzed by our scripts and AI. Unhighlighted black text, such as this, is default report text.

Please see the Disclaimer in Section 6 before using the data in this report.

2 Red Flags

Note: Red flags are based on automated tests only (not text manually entered by the Author).

a) The contract has delegate calls.

3 Token Description

Token: wOEth on chain: Ethereum

This report was generated on August 22, 2024

Website:

Origin Ether (OETH)

3.1 Description

Origin Ether (OETH) was launched in May 2023 and is an ERC20 that generates yield while sitting in your wallet. Similar to stETH, OETH yield is paid out daily and automatically (sometimes multiple times per day) through a positive rebase in the form of additional OETH, proportional to the amount of OETH held.

Until a recent proposal, OETH was an LST aggregator that earned yield by tapping into blue-chip protocols while being collateralized by other LSTs. Over the next few weeks, OETH LST collateral will be divested back to ETH, as OETH will be transitioned into a full-fledged LST. OETH will soon become a superior LST with an extremely tight peg (1:1 redemptions to ETH thru Origin’s ARM) and high yields thanks to DVT direct staking through SSV/P2p.

wOETH is an ERC-4626 tokenized vault designed to accrue yield in price rather than in quantity. When you wrap OETH, you get back a fixed number of wOETH tokens. This number will not go up - you will have the same number of wOETH tokens tomorrow as you have today. However, the number of OETH tokens that you can unwrap to will go up over time, as wOETH earns yield at the same rate as standard OETH. The wOETH to OETH exchange rate can be read from the contract (function number 16), or via the OETH dapp.

3.2 Benefits to the Compound community

Since 2021, Origin has streamed millions of dollars in stablecoin to Compound markets via OUSD strategies, generating millions in yield and significantly boosting Compound’s TVL. This new OETH market would lead to additional increased TVL for Compound, additional revenue to the Compound Protocol and DAO from active loans and liquidations, and will attract a wider user base.

We’ve noticed many LSTs trade below their peg due to DEX fees and slippage, and to reflect the time value of money. LSTs that consistently trade below peg effectively impose a hidden exit fee - certain LSTs often trade ~0.25% below peg, meaning it takes three weeks of staking to break even. This may be ok for long-term holders, but is terrible for users who plan to loop LSTs for additional yield. This will not be the case with OETH.

Using OETH on Compound will produce higher yield than other top LSTs and have a near perfect ETH peg. OETH ARM mechanics and gas optimizations will ensure the best possible prices for traders looking for instant exit liquidity, while DVT staking will achieve greater risk-adjusted yield. Our vision for OETH is for it to become the most trusted LST for those seeking to use an LST for leveraged staking.

3.3 Author

Email: peter@originprotocol.com

Discord: @slagathorthemammothking

Telegram: @Pgee13

Author’s relationship with the token:

Peter is part of the Origin Protocol core team.

4 Manually Entered token information

4.1 Token Code Link(s):

This token contract is upgradeable.

4.1.1 Link to token proxy code

$2,583.65 | Wrapped OETH (WOETH) Token Tracker | Etherscan

4.1.2 Link to token contract code

WOETH | Address 0x9c5a92aaa2a4373d6bd20f7b45cdeb7a13f9aa79 | Etherscan

4.1.3 Who is authorized to make an upgrade?

We have a timelock contract with a 48 hour delay. This is controlled by a Governance contract that uses xOGN.

4.1.4 Which components are upgradable?

The whole token contract can be upgraded.

4.1.5 How does the upgradeability design work? Who manages it and how are upgrades performed?

All OETH contracts are owned by the Timelock contract. All upgrades will have to go through Timelock. Only governance can queue/execute transactions on the Timelock, meaning the community has to vote for every on-chain proposal including upgrades to contracts.

4.1.6 Does it emit an event when the implementation is updated?

Yes, it emits event Upgraded(address indexed implementation);

4.2 GitHub Link:

origin-dollar/contracts at master · OriginProtocol/origin-dollar · GitHub

4.3 Audits

OETH was built reusing 95% of the OUSD code, of which 10+ audits have been done since 2020. Not that long ago, OUSD reached a market cap of $300m without breaking, and without diminishing the APY it was capable of generating. All OETH audits can be found in the audits section of the OETH docs. OpenZeppelin is also held on retainer to review 100% of the OETH and OUSD smart contract changes.

4.4 Link to Test suite

origin-dollar/contracts/test at master · OriginProtocol/origin-dollar · GitHub

4.5 Bug Bounty program

Yes, Origin maintains an active bug bounty. The rewards range in size from $100 OUSD for minor issues to $1,000,000 OUSD for major critical vulnerabilities. The bug bounty program is currently administered by Immunefi.

4.6 Emergency Contacts:

The Origin team is available 24 hours a day via Discord. On March 10 2023 when USDC depegged from the dollar (and therefore from OUSD), it took the Guardians/Origin engineers about 4 minutes to notice, and 16 minutes to start the process of moving the funds to a safer strategy. OETH and wOETH will have no exposure to stablecoins nor any other pegged asset aside from WETH.

4.7 Additional Security Tools

We use an in-house solution based on Subsquid as our indexer and Grafana. We also add custom alerts on Tenderly for critical events.

4.8 Will the token include implementations on other networks?

Yes

4.8.1 If so, will the tokens be natively minted on the other networks or bridged across?

Bridged

4.8.2 If so, are there any mitigations in the contracts in case a bridge becomes inoperable or compromised?

The tokens are bridged using Chainlink CCIP. CCIP has cursed state if the bridge is compromised. We check that state before we do any cross chain op. CCIP also has defined cross-chain transfer limits.

4.9 Are there any flash loan pools for this token?

Yes

4.9.1 If so, please list the protocols:

OETH is flash swappable since we are in Uniswap pools which effectively means it's flash loanable, but Origin does not offer a flashloan service for OETH. Other 3rd party platforms may provide this service.

5 Automated Token Information

Token Age: 427 days

Number of Transactions: 11,390

The token contract is NOT Pausable.

The contract does not have a deny list.

The token has SafeMath through Solidity version 0.8 or greater.

The contract follows the ERC20 standard.

The contract allows the minting of new tokens.

The contract allows the burning of new tokens.

The contract does NOT have rebasing functions.

The contract does not have fees on transfer.

The contract has delegate calls.

function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
    return functionDelegateCall(target, data, "Address: low-level delegate call failed");
}

The token cannot be flash minted.

6 Disclaimer

The purpose of these reports is a succinct technical summary for devs and auditors when considering using a token on a chain. It is designed to use their time more efficiently. DeFiSafety’s team are analysts, not devs or auditors.

1 Overview

Token: wRsEth on chain: Arbitrum

This report is the automatically generated output from the Compound New Asset Checklist Automation script v0.0 developed in August 2024. Some of the data in this report is manually typed by the report’s “author”, the person who ran the script. Some of the data is generated by the script as it analyzes the blockscan data and code of the entered token.

The manually entered code (in Section 3 and 4) is not checked. We merely present the text as typed by the author. The automatically generated text (in Section 5) is automatically generated upon analysis by scripts and LLM on the code of the presented Etherscan

Please see the Disclaimer in Section 6 before using the data in this report.

2 Red Flags

Note: Red flags are based on automated tests only (not text manually entered by the Author).

a) The contract has delegate calls.

b) This contract does have all the ERC20 standard functions.

3 Token Description

Token: RsEth on chain: Arbitrum

This report was generated on August 26, 2024

Website:

https://www.kelpdao.xyz/

3.1 Description

KelpDAO (Kelp Liquid restaking | restake ETH, stETH & ETHx) is one of the largest liquid restaking protocols built on top of the Eigen Layer. Restakers on Kelp get access to multiple benefits like restaking rewards, staking rewards, and DeFi yields.

3.2 Benefits to the Compound community

From Compound’s perspective, any new asset is a source of additional revenue and expands the ecosystem as a whole. LRTs are a great use case for Compound as it is one of the fastest growing ecosystems.

3.3 Author

Name: Aditya Deorukhkar
@Hedged_Adi on TG, Email - aditya@kelpdao.xyz

Author’s relationship with the token:

DeFi & Partnerships team member at KelpDAO

4 Manually Entered token information

4.1 Token Code Link(s):

This token contract is NOT upgradeable.

4.1.1 Link to token contract code

KelpDao Restaked ETH (rsETH) Token Tracker | Arbitrum One

4.2 GitHub Link:

https://github.com/Kelp-DAO/KelpDAO-contracts

4.3 Audits

Kelp’s smart contracts are audited by Sigma Prime, MixBytes, and Code4rena-

4.4 Link to Test suite

Field left blank.

4.5 Bug Bounty program

Yes,
Kelp DAO Bug Bounties | Immunefi | Immunefi

4.6 Emergency Contacts:

Field left blank.

4.7 Additional Security Tools

Field left blank.

4.8 Will the token include implementations on other networks?

Yes

4.8.1 If so, will the tokens be natively minted on the other networks or bridged across?

Bridged

4.8.2 If so, are there any mitigations in the contracts in case a bridge becomes inoperable or compromised?

Field left blank.

4.9 Are there any flash loan pools for this token?

Yes

4.9.1 If so, please list the protocols:

Field left blank.

5 Automated Token Information

Token Age: 218 days

Number of Transactions: 891,370

The token contract is NOT Pausable.

The contract does not have a deny list.

The token has SafeMath through Solidity version 0.8 or greater.

The contract does not fully follow the ERC20 standard.
The function increaseAllowance is missing.
The function decreaseAllowance is missing.

The contract allows the minting of new tokens.

The contract allows the burning of new tokens.

The contract does NOT have rebasing functions.

The contract does not have fees on transfer.

The contract has delegate calls.

function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
    (bool success, bytes memory returndata) = target.delegatecall(data);
    return verifyCallResultFromTarget(target, success, returndata);
}

The token cannot be flash minted.

6 Disclaimer

The purpose of these reports is a succinct technical summary for devs and auditors when considering using a token on a chain. It is designed to use their time more efficiently. DeFiSafety’s team are analysts, not devs or auditors.


@RexShinka This tool looks great and seems useful for asset listings. How would an applicant use it to run analysis and provide the responses to the forum for the community to review?

We have not dug into that yet. I would assume a link similar to the Grants category. We also have to determine if the post is done automatically or manually by the author. Does anyone know a command line syntax for the forum software?