Timelock & Security in Dracula Protocol
There have been several questions about the Timelock and how we transferred ownership of the MasterVampire contract. Let me explain it in two parts.
First of all, our main MasterVampire smart contract defines several roles:
Owner, PoolRewardUpdater, VictimRewardDrain, Developer.
'Developer' is the address that receives the developer fee. The only function available to 'Developer' is changing the address that receives the developer fee.
'VictimRewardDrain' is the address that will in the future receive a part of the victim's claimed reward and ETH from their sale. At the moment, this role is inactive.
'PoolRewardUpdater' is a distinct role that allows changing the reward minting rate of every pool. At the moment, we control the reward rate manually through this role. However, in two weeks or so, we will deploy a smart contract that will automatically calculate the necessary reward rate based on our TVL, the TVL of our victim, and the victim's APY.
'Owner' is the most powerful role. The 'Owner' of MasterVampire can add new pools, change the adapters for existing pools, change the addresses for other roles, change the upper limit for pool rewards, and so on.
No role other than 'Owner' can do anything that could potentially harm the users of Dracula Protocol, for instance deploying a malicious Vampire Adapter or creating an infinite number of fake pools.
Our development philosophy is that we do not ask our users to trust us. Our code is written so that any potentially dangerous action is visible to our users, and so that users always have time to decide before such an action is performed.
Precisely for that purpose, our MasterVampire contract inherits from the Timelock contract originally written by the Compound team. [https://github.com/Dracula-Protocol/contracts/blob/main/MasterVampire.sol#L16]
Since the transaction https://etherscan.io/tx/0x3cfd71bb8790868af0a850f078dddf2ea5af977eea59e2099d394fc36ade9e96#eventlog, the 'Owner' role is set to the MasterVampire contract itself. That means that only the MasterVampire contract itself is able to invoke functions that require the 'Owner' role.
Yes, we are still the admin of the Timelock part of the contract, but we are no longer the 'Owner' of MasterVampire. So, whenever we want to call a function that is accessible only to the 'Owner', we have to push it through the Timelock part. The Timelock contract is written so that anyone can see what we want to do with the MasterVampire contract, subject to a 24-hour delay.
One might ask why we haven't deployed a separate Timelock contract and transferred ownership to it. The answer is simple. Lately, the DeFi community has seen a lot of smart-contract bugs that effectively lock users' funds in the contracts and render them inoperable. We don't want that to happen. In the unlikely case that we have made a mistake in one of our smart contracts, the very same Timelock mechanism would allow us to transfer users' funds back to users.
Indeed, this mechanism could be used maliciously by us as well, but that is precisely why a delay is imposed on every one of our actions. We believe that 24 hours is a sufficient delay for any user to make an educated decision on whether to withdraw their funds from our contract.
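The flow described above, as a simplified Python model added here for illustration; it is not the project's Solidity code. The class, function and caller names are hypothetical, and everything about the real Timelock other than the 24-hour delay is left out.

```python
DELAY = 24 * 60 * 60  # the 24-hour delay stated in the post, in seconds

class MasterModel:
    """Toy model (hypothetical names) of a contract that is its own 'Owner'."""
    OWNER_ONLY = {"add_pool"}  # stand-in for the owner-only functions

    def __init__(self, admin):
        self.address = "MasterVampire"  # constructed label, not a real address
        self.admin = admin              # timelock admin (the team)
        self.owner = self.address       # ownership transferred to the contract itself
        self.queued = {}                # (function, args) -> eta; publicly readable
        self.pools = []

    def add_pool(self, caller, adapter):
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.pools.append(adapter)

    def queue(self, caller, fn, args, eta, now):
        if caller != self.admin:
            raise PermissionError("caller is not the timelock admin")
        if fn not in self.OWNER_ONLY:
            raise ValueError("unknown function")
        if eta < now + DELAY:
            raise ValueError("eta must be at least now + delay")
        self.queued[(fn, args)] = eta

    def execute(self, caller, fn, args, now):
        if caller != self.admin:
            raise PermissionError("caller is not the timelock admin")
        if (fn, args) not in self.queued:
            raise LookupError("transaction was not queued")
        if now < self.queued[(fn, args)]:
            raise RuntimeError("timelock delay has not passed yet")
        del self.queued[(fn, args)]
        getattr(self, fn)(self.address, *args)  # the call is made by the contract itself

def pending_actions(master, now):
    """What a user watching the queue sees: each call and the seconds left to react."""
    return [(fn, args, max(0, eta - now)) for (fn, args), eta in master.queued.items()]

if __name__ == "__main__":
    m = MasterModel(admin="team")
    m.queue("team", "add_pool", ("new_adapter",), eta=DELAY, now=0)
    print(pending_actions(m, now=3600))
```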
Contracts are protected by a timelock with a 24-hour delay on any action. We made some deviations from the default timelock to ensure that user funds are 100% safe and to be able to reach them even in case of emergency. Transfer ownership transaction:
https://etherscan.io/tx/0x3cfd71bb8790868af0a850f078dddf2ea5af977eea59e2099d394fc36ade9e96#eventlog
Formulas used to rebalance pool weights (the APY used is the victim pool APY):
TVL_victim_pool * APY^0.5
TVL_victim_pool * APY^0.65
TVL_our_pool^0.3 * TVL_victim_pool^0.7 * APY^0.65
TVL_our_pool^0.6 * TVL_victim_pool^0.4 * APY^0.85
TVL_our_pool^0.65 * TVL_victim_pool^0.35 * APY^0.75
TVL_our_pool^0.65 * TVL_victim_pool^0.35 * APY^0.85
TVL_our_pool^0.65 * TVL_victim_pool^0.35 * APY^0.85