First of all, thanks for improving the IndexPool ecosystem! 🚀👨🏻🚀👩🏻🚀
All contributions, including feature suggestions, bug reports and PRs with new bridges are much appreciated.
Bug reports and suggestions for new integrations can be posted in GitHub’s issue tracker. You can also ping us on Twitter or Discord.
If you find a security vulnerability, please do not open an issue or publicize it; please send a private email to [email protected] or to any member of the team.
To contribute a new bridge, please fork our repository and open a PR following the guidelines below.
We use Yarn as a dependency manager and Hardhat as a development environment for compiling, testing, and deploying our contracts. For these, the following commands are available:
- Install: `yarn`
- Compile: `yarn compile`
- Testing: `yarn test`
- Coverage: `yarn coverage`
Before opening a PR to our repository, please make sure that the recommendations below are followed.
- Work from the `dev` branch so we can review and audit the code more easily before merging to the `main` branch.
- The `Wallet` contracts always use `delegatecall` for calling the Bridge's functions. Because of this, an in-depth review for backdoors and best security practices should be done to avoid calls to ill-behaved and malicious contracts.
  - Please run Slither on your code and address all relevant warnings. If a warning is a false positive, please justify it with a comment on the corresponding line.
- Coverage of tests should be 100%.
- Make sure that rewards are deposited in the corresponding Wallet rather than the EOA/contract owning the wallet.
  - Do not forget that functions in the Bridges will be executed by a delegate call from the Wallet: most of the time you will want to use `address(this)` instead of `msg.sender` in order to use the address of the calling Wallet rather than using the bridge address.
- Check if functions of 3rd-party contracts revert before emitting an event in the bridge.
- In case it does not revert, please add a check to see if the operation was successful.
- Do not forget to add an option to claim rewards from the protocol - which should be called when withdrawing assets from the Wallet.
- Example: see function claimRewards to claim rewards from Harvest.
- Use underscores in numbers to make them easier to read, e.g. “100_000”
- In case of a swapping-token bridge, please make sure to expose the relevant arguments in the external functions so the slippage can be user-defined.
- Bridges are going to be deployed only once by DeFi Basket, so prioritize reducing gas costs at execution rather than deployment.
- Make sure that ERC20 approvals always get back to 0 after transfers are complete.
- Test the `for`-loops in your code to avoid out-of-gas behavior.
- Consider using unchecked increments in `for`-loops where you know the iterator won’t overflow.
- Take care when integrating with proxy contracts, and only allow safe functions to be called in the bridge. Note that an unsafe double `delegatecall` can set up the address of the proxy contract implementation to a malicious contract.
- In case your bridge integrates with contracts compiled with a different version of Solidity, use an interface with a proper pragma version.
  - Example: see AaveV2DepositBridge/interfaces/IAaveIncentivesController.sol
  - Note: public arrays generate a getter function that returns a single element instead of the entire array:

```solidity
contract Example {
    address[] public rewardTokens;
}

interface IExample {
    // Getter function that will be generated by the compiler:
    function rewardTokens(uint i) external view returns (address);

    // Note that it is NOT
    // function rewardTokens() external view returns (address[] memory);
}
```
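
The following is an added example, not code from this repository, that combines several of the guidelines above in one bridge function: `address(this)` under `delegatecall`, checking a third-party call that does not revert, emitting the event only after success, and resetting the ERC20 approval to 0. `ExampleDepositBridge`, `IExampleVault`, the `ExampleDeposit` event and the `percentage` scale (100_000 = 100%) are hypothetical names and assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Minimal ERC20 surface needed by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical third-party vault that returns false on failure instead of reverting.
interface IExampleVault {
    function deposit(address token, uint256 amount, address onBehalfOf) external returns (bool);
}

// Hypothetical bridge: every function is meant to be run via delegatecall from a Wallet.
contract ExampleDepositBridge {
    event ExampleDeposit(address token, uint256 amount);

    // percentage uses an assumed scale where 100_000 means 100% of the Wallet's balance.
    function deposit(address vault, address token, uint256 percentage) external {
        require(percentage <= 100_000, "percentage too high");

        // Under delegatecall, address(this) is the Wallet that holds the funds,
        // so balances are read from, and positions credited to, address(this).
        uint256 amount = IERC20(token).balanceOf(address(this)) * percentage / 100_000;

        // Tokens that return no value from approve() need a safe-approve wrapper instead.
        require(IERC20(token).approve(vault, amount), "approve failed");

        // The vault does not revert on failure, so check the result explicitly
        // before any event is emitted.
        bool ok = IExampleVault(vault).deposit(token, amount, address(this));
        require(ok, "deposit failed");

        // Leave no dangling allowance on the Wallet, even if the vault pulled less.
        require(IERC20(token).approve(vault, 0), "approve reset failed");

        emit ExampleDeposit(token, amount);
    }
}
```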