Shadow Arena #011: Gravita Protocol

Gravita is the textbook multi-collateral Liquity V1 fork. VesselManager is TroveManager renamed, StabilityPool keeps the P/S/scale decay machinery, redemptions keep the base-rate decay with the same MINUTE_DECAY_FACTOR = 999037758833783000 (12-hour half-life) — but every per-system accumulator (L_ETH, totalStakes, baseRate, lastFeeOperationTime) is now a per-asset mapping keyed by collateral address. Three audits graded the code in April-May 2023: Dedaub (1 Medium + 5 Low + 2 Centralization), Omniscia (3 Major + 4 Medium), and Hats Finance (3 Medium + 11 Low). You just finished the Liquity V1 Build module — single-collateral, one set of accumulators, one base rate. Gravita is what you ship next: same architecture, but now mapping(address => uint256) on every accumulator. The audits caught the places the multi-collateral refactor forgot to re-scope: oracle plumbing that silently returns stale prices, a try/catch designed to be robust that becomes a gas grief vector, a setter without access control, a redistribution path that drives totalStakes to zero, and a whitelisted-minting backdoor that Liquity never had. Find the bugs the diff introduced.

Scope (4885 SLOC)

File	SLOC	Description
contracts/BorrowerOperations.sol	798	openVessel / adjustVessel / closeVessel — Trove operations with multi-collateral asset routing, fee triggering, and Recovery-Mode validation
contracts/VesselManager.sol	746	Vessel state, redistribution accumulators L_Colls/L_Debts (per-asset mapping), totalStakes (per-asset), baseRate (per-asset), redemption fee math
contracts/VesselManagerOperations.sol	999	batchLiquidateVessels, liquidateVessels, redeemCollateral and the partial-redemption hint flow
contracts/StabilityPool.sol	951	Multi-collateral StabilityPool — P/S/scale decay machinery, multi-asset gain accounting, _sendGainsToDepositor
contracts/PriceFeed.sol	320	Chainlink-based PriceFeed with TIMEOUT = 4 hours, oracle queue/timelock, native rETH and wstETH pricing paths
contracts/AdminContract.sol	480	Per-collateral parameter management (MCR/CCR/borrowingFee/MIN_NET_DEBT per asset), longTimelock and shortTimelock gates
contracts/DebtToken.sol	175	GRAI stablecoin — ERC-20 with three minting paths: BorrowerOperations, VesselManager, and an admin-managed whitelist of arbitrary contracts
contracts/FeeCollector.sol	416	Refundable borrowing-fee accounting, distinct from Liquity's burn-on-borrow model — per-vessel fee records with time-based decay
contracts/ActivePool.sol	165	Per-asset balance tracking, sendAsset, increaseDebt — analogue of Liquity's ActivePool with multi-collateral routing
contracts/DefaultPool.sol	122	Holds the pending L_Colls / L_Debts share for inactive vessels, per asset
contracts/SortedVessels.sol	493	Per-asset doubly-linked list sorted by NICR

Documentation

Source Code Protocol Docs

Part of the Liquity V1 Path

This shadow audit connects to the Liquity V1 Build module. Students who built the CDP protocol have an advantage because they understand Trove accounting, Stability Pool P/S decay, redistribution liquidations, and redemption-driven peg mechanics.

View Build Module

Duration14 days

Total Findings13

Scope4885 SLOC

PriceFree