d-bis/strategic
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
strategic/docs/reports/GAPS_AND_PLACEHOLDERS.md
defiQUG 7003349717 Initial commit: add .gitignore and README
2026-02-09 21:51:54 -08:00

525 lines
14 KiB
Markdown
Raw Permalink Blame History

# Code Review: Gaps and Placeholders
## Critical Gaps
### 1. Chain Registry - Hardcoded/Incorrect Addresses
**Location**: `src/config/chains.ts`
**Issues**:
- **Line 70**: Aave PoolDataProvider address is placeholder: `0x7B4C56Bf2616e8E2b5b2E5C5C5C5C5C5C5C5C5C5`
- **Line 82**: Maker Jug address is placeholder: `0x19c0976f590D67707E62397C1B5Df5C4b3B3b3b3`
- **Line 83**: Maker DaiJoin address is placeholder: `0x9759A6Ac90977b93B585a2242A5C5C5C5C5C5C5C5`
- **Line 102**: USDT Chainlink oracle is placeholder: `0x3E7d1eAB1ad2CE9715bccD9772aF5C5C5C5C5C5C5`
- **Line 179**: Base Aave PoolDataProvider is placeholder: `0x2d09890EF08c270b34F8A3D3C5C5C5C5C5C5C5C5`
- **Missing**: Many protocol addresses for L2s (Arbitrum, Optimism, Base) are incomplete
- **Missing**: Chainlink oracle addresses for L2s are not configured
**Impact**: High - Will cause runtime failures when accessing these contracts
---
### 2. AtomicExecutor.sol - Flash Loan Callback Security Issue
**Location**: `contracts/AtomicExecutor.sol:128`
**Issue**:
```solidity
require(msg.sender == initiator || msg.sender == address(this), "Unauthorized");
```
- The check `msg.sender == address(this)` is incorrect - flash loan callback should only accept calls from the Aave Pool
- Should verify `msg.sender` is the Aave Pool address, not `address(this)`
**Impact**: Critical - Security vulnerability, could allow unauthorized flash loan callbacks
---
### 3. MakerDAO Adapter - Missing CDP ID Parsing
**Location**: `src/adapters/maker.ts:80`
**Issue**:
```typescript
return 0n; // Placeholder
```
- `openVault()` always returns `0n` instead of parsing the actual CDP ID from transaction events
- Comment says "In production, parse from Vat.cdp events" but not implemented
**Impact**: High - Cannot use returned CDP ID for subsequent operations
---
### 4. Aggregator Adapter - No Real API Integration
**Location**: `src/adapters/aggregators.ts:59-67`
**Issue**:
```typescript
// In production, call 1inch API for off-chain quote
// For now, return placeholder
const minReturn = (amountIn * BigInt(10000 - slippageBps)) / 10000n;
return {
amountOut: minReturn, // Placeholder
data: "0x", // Would be encoded swap data from 1inch API
gasEstimate: 200000n,
};
```
- No actual 1inch API integration
- Returns fake quotes that don't reflect real market prices
- No swap data encoding
**Impact**: High - Cannot use aggregators for real swaps
---
### 5. Cross-Chain Orchestrator - Complete Placeholder
**Location**: `src/xchain/orchestrator.ts`
**Issues**:
- `executeCrossChain()` returns hardcoded `{ messageId: "0x", status: "pending" }`
- `checkMessageStatus()` always returns `"pending"`
- `executeCompensatingLeg()` is empty
- No CCIP, LayerZero, or Wormhole integration
**Impact**: High - Cross-chain functionality is non-functional
---
### 6. Cross-Chain Guards - Placeholder Implementation
**Location**: `src/xchain/guards.ts:14`
**Issue**:
```typescript
// Placeholder for cross-chain guard evaluation
return {
passed: true,
status: "delivered",
};
```
- Always returns `passed: true` without any actual checks
- No finality threshold validation
- No message status polling
**Impact**: Medium - Cross-chain safety checks are bypassed
---
### 7. KMS/HSM Secret Store - Not Implemented
**Location**: `src/utils/secrets.ts:31-40`
**Issue**:
```typescript
// TODO: Implement KMS/HSM/Safe module integration
export class KMSSecretStore implements SecretStore {
// Placeholder for KMS integration
async get(name: string): Promise<string | null> {
throw new Error("KMS integration not implemented");
}
```
- All methods throw "not implemented" errors
- No AWS KMS, HSM, or Safe module integration
**Impact**: Medium - Cannot use secure secret storage in production
---
### 8. CLI Template System - Not Implemented
**Location**: `src/cli.ts:76`
**Issue**:
```typescript
// TODO: Implement template system
console.log("Template system coming soon");
```
- `strategic build --template` command does nothing
**Impact**: Low - Feature not available
---
## Implementation Gaps
### 9. Compiler - Missing Action Types
**Location**: `src/planner/compiler.ts`
**Missing Implementations**:
- `aaveV3.flashLoan` - Detected but not compiled into calls
- `aaveV3.setUserEMode` - Not in compiler
- `aaveV3.setUserUseReserveAsCollateral` - Not in compiler
- `compoundV3.withdraw` - Not in compiler
- `compoundV3.borrow` - Not in compiler
- `compoundV3.repay` - Not in compiler
- `maker.*` actions - Not in compiler
- `balancer.*` actions - Not in compiler
- `curve.*` actions - Not in compiler
- `lido.*` actions - Not in compiler
- `permit2.*` actions - Not in compiler
- `aggregators.*` actions - Not in compiler
- `perps.*` actions - Not in compiler
**Impact**: High - Most strategy actions cannot be executed
---
### 10. Flash Loan Integration - Incomplete
**Location**: `src/planner/compiler.ts:67-70`
**Issue**:
```typescript
// If flash loan, wrap calls in flash loan callback
if (requiresFlashLoan && flashLoanAsset && flashLoanAmount) {
// Flash loan calls will be executed inside the callback
// The executor contract will handle this
}
```
- No actual wrapping logic
- Calls are not reorganized to execute inside flash loan callback
- No integration with `executeFlashLoan()` in executor
**Impact**: High - Flash loan strategies won't work
---
### 11. Gas Estimation - Crude Approximation
**Location**: `src/planner/compiler.ts:233-236`
**Issue**:
```typescript
private estimateGas(calls: CompiledCall[]): bigint {
// Rough estimate: 100k per call + 21k base
return BigInt(calls.length * 100000 + 21000);
}
```
- No actual gas estimation via `eth_estimateGas`
- Fixed 100k per call is inaccurate
- Doesn't account for different call complexities
**Impact**: Medium - Gas estimates may be wildly inaccurate
---
### 12. Fork Simulation - Basic Implementation
**Location**: `src/engine.ts:185-213` and `scripts/simulate.ts`
**Issues**:
- Uses `anvil_reset` which may not work with all RPC providers
- No actual state snapshot/restore
- No calldata trace/debugging
- No revert diff analysis
- Simulation just calls `provider.call()` without proper setup
**Impact**: Medium - Fork simulation is unreliable
---
### 13. Uniswap V3 Compiler - Hardcoded Recipient
**Location**: `src/planner/compiler.ts:195`
**Issue**:
```typescript
recipient: "0x0000000000000000000000000000000000000000", // Will be set by executor
```
- Comment says "Will be set by executor" but executor doesn't modify calldata
- Should use actual executor address or strategy-defined recipient
**Impact**: High - Swaps may fail or send tokens to zero address
---
### 14. Price Oracle - Hardcoded Decimals
**Location**: `src/pricing/index.ts:90`
**Issue**:
```typescript
decimals: 18, // Assume 18 decimals for now
```
- TWAP price assumes 18 decimals for all tokens
- Should fetch actual token decimals
**Impact**: Medium - Price calculations may be incorrect for non-18-decimal tokens
---
### 15. Price Oracle - Weighted Average Bug
**Location**: `src/pricing/index.ts:146-155`
**Issue**:
```typescript
let weightedSum = 0n;
let totalWeight = 0;
for (const source of sources) {
const weight = source.name === "chainlink" ? 0.7 : 0.3;
weightedSum += (source.price * BigInt(Math.floor(weight * 1000))) / 1000n;
totalWeight += weight;
}
const price = totalWeight > 0 ? weightedSum / BigInt(Math.floor(totalWeight * 1000)) * 1000n : sources[0].price;
```
- Division logic is incorrect - divides by `totalWeight * 1000` then multiplies by 1000
- Should divide by `totalWeight` directly
- Weighted average calculation is mathematically wrong
**Impact**: High - Price calculations are incorrect
---
### 16. Permit2 - Not Integrated in Compiler
**Location**: `src/utils/permit.ts` exists but `src/planner/compiler.ts` doesn't use it
**Issue**:
- Permit2 signing functions exist but are never called
- Compiler doesn't check for `needsApproval()` before operations
- No automatic permit generation in strategy execution
**Impact**: Medium - Cannot use Permit2 to avoid approvals
---
### 17. Flashbots Bundle - Missing Integration
**Location**: `src/wallets/bundles.ts` exists but `src/engine.ts` doesn't use it
**Issue**:
- Flashbots bundle manager exists but execution engine doesn't integrate it
- No option to submit via Flashbots in CLI
- No bundle simulation before execution
**Impact**: Medium - Cannot use Flashbots for MEV protection
---
### 18. Telemetry - Simple Hash Implementation
**Location**: `src/telemetry.ts:35-38`
**Issue**:
```typescript
export function getStrategyHash(strategy: any): string {
// Simple hash of strategy JSON
const json = JSON.stringify(strategy);
// In production, use crypto.createHash
return Buffer.from(json).toString("base64").slice(0, 16);
}
```
- Comment says "In production, use crypto.createHash" but uses base64 encoding
- Not a cryptographic hash, just base64 encoding
**Impact**: Low - Hash is not cryptographically secure but functional
---
### 19. Aave V3 Adapter - Missing Error Handling
**Location**: `src/adapters/aaveV3.ts`
**Issues**:
- No validation of asset addresses
- No check if asset is supported by Aave
- No handling of paused reserves
- `withdraw()` doesn't parse actual withdrawal amount from events (line 91 comment)
**Impact**: Medium - May fail silently or with unclear errors
---
### 20. Strategy Schema - Missing Action Types
**Location**: `src/strategy.schema.ts`
**Missing from schema but adapters exist**:
- `maker.openVault`, `maker.frob`, `maker.join`, `maker.exit`
- `balancer.swap`, `balancer.batchSwap`
- `curve.exchange`, `curve.exchange_underlying`
- `lido.wrap`, `lido.unwrap`
- `permit2.permit`
- `aggregators.swap1Inch`, `aggregators.swapZeroEx`
- `perps.increasePosition`, `perps.decreasePosition`
**Impact**: High - Cannot define strategies using these actions
---
### 21. Executor Contract - Missing Flash Loan Interface
**Location**: `contracts/AtomicExecutor.sol:8-16`
**Issue**:
- Defines `IPool` interface locally but Aave v3 uses `IFlashLoanSimpleReceiver`
- Missing proper interface implementation
- Should import or define the full receiver interface
**Impact**: Medium - May not properly implement Aave's callback interface
---
### 22. Executor Tests - Incomplete
**Location**: `contracts/test/AtomicExecutor.t.sol`
**Issues**:
- Test target contract doesn't exist (calls `target.test()`)
- No actual flash loan test
- No test for flash loan callback
- Tests are minimal and don't cover edge cases
**Impact**: Medium - Contract not properly tested
---
### 23. Deploy Script - Hardcoded Addresses
**Location**: `scripts/Deploy.s.sol`
**Issue**:
- Hardcodes protocol addresses that may not exist on all chains
- No chain-specific configuration
- Doesn't verify addresses before allowing
**Impact**: Medium - Deployment may fail on different chains
---
### 24. Example Strategies - Invalid References
**Location**: `strategies/sample.recursive.json` and others
**Issues**:
- Uses `{{executor}}` placeholder in guards but no substitution logic
- Uses token addresses that may not exist
- No validation that strategies are actually executable
**Impact**: Low - Examples may not work out of the box
---
## Data/Configuration Gaps
### 25. Missing Protocol Addresses
**Missing for L2s**:
- MakerDAO addresses (only mainnet)
- Curve registry (only mainnet)
- Lido (incomplete for L2s)
- Aggregators (only mainnet)
- Chainlink oracles (incomplete)
**Impact**: High - Cannot use these protocols on L2s
---
### 26. Missing ABIs
**Location**: All adapter files use "simplified" ABIs
**Issues**:
- ABIs are minimal and may be missing required functions
- No full contract ABIs imported
- May miss important events or return values
**Impact**: Medium - Some operations may fail or miss data
---
### 27. Risk Config - Static Defaults
**Location**: `src/config/risk.ts`
**Issue**:
- Always returns `DEFAULT_RISK_CONFIG`
- No per-chain configuration
- No loading from file/env
- No dynamic risk adjustment
**Impact**: Low - Risk settings are not customizable
---
## Testing Gaps
### 28. No Unit Tests
**Location**: `tests/unit/` directory is empty
**Impact**: High - No test coverage for TypeScript code
---
### 29. No Integration Tests
**Location**: `tests/integration/` directory is empty
**Impact**: High - No end-to-end testing
---
### 30. Foundry Tests - Minimal
**Location**: `contracts/test/AtomicExecutor.t.sol`
**Impact**: Medium - Contract has basic tests only
---
## Documentation Gaps
### 31. Missing API Documentation
- No JSDoc comments on public methods
- No usage examples for adapters
- No guard parameter documentation
**Impact**: Low - Harder for developers to use
---
### 32. Missing Architecture Documentation
- No diagrams of execution flow
- No explanation of flash loan callback mechanism
- No guard evaluation order documentation
**Impact**: Low - Harder to understand system
---
## Summary
**Critical Issues (Must Fix)**:
1. AtomicExecutor flash loan callback security (item #2)
2. Chain registry placeholder addresses (item #1)
3. Compiler missing action types (item #9)
4. Flash loan integration incomplete (item #10)
5. Price oracle weighted average bug (item #15)
**High Priority (Should Fix)**:
6. MakerDAO CDP ID parsing (item #3)
7. Aggregator API integration (item #4)
8. Uniswap recipient address (item #13)
9. Missing action types in schema (item #20)
10. Missing protocol addresses for L2s (item #25)
**Medium Priority (Nice to Have)**:
11. Cross-chain orchestrator (item #5)
12. Gas estimation accuracy (item #11)
13. Fork simulation improvements (item #12)
14. Permit2 integration (item #16)
15. Flashbots integration (item #17)
**Low Priority (Future Work)**:
16. KMS/HSM integration (item #7)
17. Template system (item #8)
18. Testing coverage (items #28-30)
19. Documentation (items #31-32)
Reference in New Issue View Git Blame Copy Permalink