How could we handle any exploit on "Exponential Price Decay Contract"?

thinkingape.eth · February 1, 2022, 3:52pm

I would like to raise the concern of the auction contract being exploited. For example, any bugs/flaws in the implementation potentially cause domain names being sniped at a lower or $0 price.

I appreciate the due-diligence which has been done by the devs. I work for a large software corporation. Based on my experience, it is a good practice to have a mitigation plan. Also, the floating number is error-prone.

So, what could be done if the contract is exploited? As a blackbox mitigation, is it feasible to do an emergency deployment to revert the contract back to the linear $100K (or even higher) solution?

Thank you!

thinkingape.eth · February 1, 2022, 3:59pm

Also, thanks for such a quick implementation. Given the importance and the complexity of the contract, would the dev add some unit test cases?

github.com

ensdomains/ens-contracts/blob/05fc157414596c1d4253e01e99f4015132604175/contracts/ethregistrar/ExponentialPremiumPriceOracle.sol

pragma solidity >=0.8.4;

import "./SafeMath.sol";
import "./StablePriceOracle.sol";

contract ExponentialPremiumPriceOracle is StablePriceOracle {
    uint256 constant GRACE_PERIOD = 90 days;
    uint256 constant START_PREMIUM = 100000000 * 1e18; // $100 mil start price
    uint256 constant END_VALUE = 372529029846191406; // $0.372...

    constructor(AggregatorInterface _usdOracle, uint256[] memory _rentPrices)
        public
        StablePriceOracle(_usdOracle, _rentPrices)
    {}

    uint256 constant PRECISION = 1e18;
    uint256 constant SECONDS_IN_DAY = 86400;
    uint256 constant bit1 = 999989423469314432; // 0.5 ^ 1/65536 * (10 ** 18)
    uint256 constant bit2 = 999978847050491904; // 0.5 ^ 2/65536 * (10 ** 18)
    uint256 constant bit3 = 999957694548431104;

This file has been truncated. show original

matoken.eth · February 1, 2022, 4:26pm

Isn’t the unit test at ens-contracts/TestExponentialPremiumPriceOracle.js at 05fc157414596c1d4253e01e99f4015132604175 · ensdomains/ens-contracts · GitHub ?

thinkingape.eth · February 1, 2022, 6:54pm

oh, nice. thanks for pointing this out.

nick.eth · February 1, 2022, 9:55pm

We’ve also run an exhaustive test - evaluating the function for every second between 0 and 28 days. The end results were an average error (between Solidity and JS implementation) of 0.0005%, and a maximum error of 0.001%.