Auxo (Diff)

Off-Chain (Private)
Audited on 2023/07/04
No active critical issues

Summary

This diff-audit is based on Quantstamp’s previous AUXO Governance audit. Only the modified `PRV.sol` and the newly added `PRVMerkleVerifier.sol` files are in scope. No logical changes were made to the contracts that were in scope in the last audit, apart from some name changes. Since the initial audit, two of the three tokens have been rebranded: the `veAUXO` governance token is now called `ARV`, and `xAUXO`, the liquid staking derivative of staked `AUXO`, is now called `PRV`.

In the codebase as it stood at the previous audit, `AUXO` tokens could never be unstaked, so conversion to the `PRV` liquid staking derivative was possible in one direction only. We raised our concerns about the economic incentives of such a design in AUX-12 of the initial audit. In the updated `PRV` contract, conversion back to `AUXO` is now possible if the withdrawing user can provide a valid claim to burn some of their `PRV` and withdraw the equivalent amount of `AUXO`. The verification of claims via Merkle trees is handled by the newly added `PRVMerkleVerifier` contract.

The amount of `AUXO` that can be withdrawn depends on an off-chain calculation that ensures the cumulative price of the locked `AUXO` remains close to the net asset value of the protocol’s treasury. If `AUXO` were to trade at a significant premium, so that the summed locked assets exceed the treasury’s funds, a new window would be instantiated in the `PRVMerkleVerifier` contract that enables users to withdraw a portion of the total locked `AUXO`, provided they can present an appropriate claim signed by the DAO. Each user’s withdrawal eligibility depends on the amount associated with each claim. No new major issues were identified, and the code and test quality of the new files continue to be high.
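The checks a windowed Merkle claim verifier of the kind described above has to enforce, modelled in Python as an added example (this is not code from the audited contracts or from the audit report). The leaf layout, the use of SHA-256, the `WindowVerifier` name and the sample accounts are assumptions made for illustration; the real `PRVMerkleVerifier` may differ in all of them.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for whatever hash the real contract uses
    return hashlib.sha256(data).digest()

def leaf(window: int, account: str, max_amount: int) -> bytes:
    # Assumed leaf layout: fixed-width fields, 0x00 prefix to separate leaves from nodes
    body = window.to_bytes(32, "big") + bytes.fromhex(account[2:]) + max_amount.to_bytes(32, "big")
    return h(b"\x00" + body)

def node(a: bytes, b: bytes) -> bytes:
    # Sorted pair hashing, so a proof needs no left/right flags
    return h(b"\x01" + min(a, b) + max(a, b))

def build(leaves):
    """Return (root, proofs); proofs[i] is the sibling path for leaves[i]."""
    proofs = [[] for _ in leaves]
    level = [(lf, [i]) for i, lf in enumerate(leaves)]
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (a, ia), (b, ib) = level[j], level[j + 1]
            for i, sibling in [(i, b) for i in ia] + [(i, a) for i in ib]:
                proofs[i].append(sibling)
            nxt.append((node(a, b), ia + ib))
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0][0], proofs

class WindowVerifier:
    """One withdrawal window: a published root plus per-account withdrawn totals."""
    def __init__(self, window: int, root: bytes):
        self.window, self.root, self.withdrawn = window, root, {}
    def withdraw(self, window, account, max_amount, proof, amount) -> bool:
        acc = leaf(window, account, max_amount)
        for sibling in proof:
            acc = node(acc, sibling)
        used = self.withdrawn.get(account, 0)
        # Reject other windows, forged or altered claims, and cumulative overdraw
        if window != self.window or acc != self.root or amount <= 0 or used + amount > max_amount:
            return False
        self.withdrawn[account] = used + amount
        return True

# Constructed sample claims: (window, account, maximum withdrawable amount)
CLAIMS = [(1, "0x" + "11" * 20, 100), (1, "0x" + "22" * 20, 250), (1, "0x" + "33" * 20, 40)]
ROOT, PROOFS = build([leaf(*c) for c in CLAIMS])
```

Binding the window number and the maximum amount into the leaf is what stops a claim from being replayed in a later window or resubmitted with a larger amount; the running `withdrawn` total is what stops the same valid claim from being spent twice.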


Issues (5)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 5 | - | - | - | 5 |
| Fixed | - | - | - | - | 0 |
| Total | 5 | 0 | 0 | 0 | 5 |


Contracts (4)