# Audit Parameters for GoGoPool Protocol

## Scope

The following contracts are in-scope for this audit:

### NON-UPGRADEABLE

- TokenGGP.sol
- Storage.sol
- Vault.sol

### UPGRADEABLE

- Base.sol
- BaseAbstract.sol
- BaseUpgradeable.sol
- ClaimNodeOp.sol
- ClaimProtocolDAO.sol
- MinipoolManager.sol
- MultisigManager.sol
- Ocyticus.sol
- Oracle.sol
- ProtocolDAO.sol
- RewardsPool.sol
- Staking.sol
- TokenggAVAX.sol

## Architecture

`Storage.sol` -- The GoGoPool smart contract architecture is based around techniques from [RocketPool](https://github.com/rocket-pool/rocketpool). The `Storage.sol` contract is non-upgradeable, and contains generic getters/setters to access its storage. Other contracts are "registered" with the storage contract as a "Network Contract", and can then use it to read and write typed key/value pairs. In this way, other contracts can be upgraded at will, as they contain no local storage of their own.

`Vault.sol` is a non-upgradeable contract used to store AVAX/ERC20 tokens on behalf of other network contracts.

`MultisigManager.sol` implements a registry of TSS (Threshold Signatures) wallets that are allowed to extract protocol funds and deploy them into yield-bearing staking transactions on the Avalanche P-chain.

`Ocyticus.sol` implements a protocol emergency pause feature, such that any one of a specified group of "Defenders" can pause the entire protocol should that be necessary.

`TokenGGP.sol` implements a fixed-supply, non-upgradeable GGP utility token.

`TokenggAVAX.sol` implements an upgradeable (via OpenZeppelin proxy) ERC4626 yield-bearing liquid staking token.

## Areas of Concern

### ERC4626

TokenggAVAX is our liquid staking token that represents a claim on AVAX that is locked in the Avalanche protocol earning validation rewards. We implemented it as an ERC4626 that streams rewards to users continually on a 14-day cycle.
We chose 14 days because GoGoPool validators will be on a 14-day validation cycle, so they will be receiving AVAX rewards from the Avalanche protocol every 14 days. Due to the novelty of the ERC4626 standard we felt it was important for the token to be upgradeable (via OpenZeppelin UUPSUpgradeable), so that is another area of complexity in the code.

### GGP Rewards

The Avalanche Protocol requires node operators to lock up at least 2,000 AVAX tokens for a minimum of 14 days to become a validator. The GoGoPool Protocol allows node operators to create a validator ("minipool") for only 1,000 AVAX, plus some amount of GGP tokens they must stake as a bond against a successful validation period. They are matched with 1,000 AVAX from users who purchased yield-bearing ggAVAX tokens. If the node operator does not earn any validation rewards from the Avalanche Protocol, then their GGP bond will be slashed in order to pay the expected rewards to ggAVAX holders. A node operator's GGP bond must be at least 10% of the amount of AVAX they were assigned from the liquid staker pool.

The GoGoPool Protocol will also reward node operators with GGP tokens. The GGP reward cycle is 28 days, and a set amount of GGP is minted and distributed to node operators in proportion to their GGP stake. The rules are as follows:

- NodeOps are eligible for a reward cycle if they have had at least 1 active minipool for a minimum number of days.
- GGP rewards are earned based on the amount of GGP staked (up to 150% collateralization), and the largest amount of AVAX they were assigned during a reward cycle.
- The GoGoPool protocol releases a set number of GGP tokens each rewards cycle, and these are distributed to eligible NodeOps, in proportion to their GGP staked.

## Out of Scope

There are several privileged actors in the protocol, and there are contract functions which are only callable by those actors.
If there is an exploit which can only be executed by these privileged actors, we do not consider that to be in scope for this particular audit. Just by the nature of their permissions they can cause damage without the need for a contract exploit. If a non-privileged actor can gain access to a privileged function, that would be entirely in-scope.

### Guardian

The "guardian" account has God-like powers in the protocol, and will be managed via a Gnosis Safe multisig on mainnet launch. They will be the deployer of all the contracts, most of which are upgradeable by design for phase 1 of the protocol.

### Rialto TSS Multisig

The "rialto" account will be responsible for interacting with various smart contracts, and ultimately will receive AVAX which it will then move from the C-Chain to the P-Chain and issue the validation transaction which makes a minipool's nodeID into a Validator on the Avalanche platform for a specific amount of time (2 weeks in the initial phases of the protocol). At the end of the validation period, the AVAX plus any AVAX validation rewards are sent back to the C-chain and deposited via the MinipoolManager contract.

### Oracle

Rialto will also function as an Oracle, and will be reporting the price of GGP to the protocol for collateralization and rewards calculations.

### Libraries

We utilize several libraries from solmate and OpenZeppelin and these are out of scope.
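
A reference model of the GGP reward rules listed under "GGP Rewards", useful as an oracle for differential tests against the contracts. It is an added example, not GoGoPool code. It assumes the 150% cap is measured against the largest AVAX amount assigned in the cycle, valued at the Oracle-reported GGP price, that payouts round down, and a hypothetical 14-day eligibility minimum; all function and field names are illustrative.

```python
# Added reference model, not GoGoPool code. Amounts are 18-decimal integers
# (wei-style), so rounding behaves as it would in integer contract math.
from dataclasses import dataclass

ONE = 10**18
MAX_COLLAT = 150 * ONE // 100  # 150% cap on GGP that counts (from the page)

@dataclass
class NodeOp:
    name: str
    ggp_staked: int       # GGP bonded by the operator
    avax_high_water: int  # largest AVAX assigned during the cycle
    active_days: int      # days with at least one active minipool

def collateralization(op, ggp_price):
    """Bond value in AVAX over AVAX assigned; ggp_price is AVAX per GGP."""
    if op.avax_high_water == 0:
        return 0
    return op.ggp_staked * ggp_price // op.avax_high_water

def effective_ggp(op, ggp_price, min_days):
    """GGP counted for rewards: 0 if ineligible, else capped at 150%."""
    if ggp_price <= 0:
        raise ValueError("oracle price must be positive")
    if op.active_days < min_days or op.avax_high_water == 0:
        return 0
    cap = op.avax_high_water * MAX_COLLAT // ggp_price
    return min(op.ggp_staked, cap)

def distribute(ops, cycle_ggp, ggp_price, min_days):
    """Pro-rata split rounding down; returns (payouts, undistributed dust)."""
    eff = {op.name: effective_ggp(op, ggp_price, min_days) for op in ops}
    total = sum(eff.values())
    if total == 0:
        return {name: 0 for name in eff}, cycle_ggp
    payouts = {name: cycle_ggp * e // total for name, e in eff.items()}
    return payouts, cycle_ggp - sum(payouts.values())

# Constructed sample: price 0.5 AVAX/GGP, 1,000 GGP released, 14-day minimum
# (the minimum is a hypothetical value; the page does not give one).
PRICE, CYCLE_GGP, MIN_DAYS = ONE // 2, 1000 * ONE, 14
OPS = [
    NodeOp("alice", 400 * ONE, 1000 * ONE, 20),   # 20% collateralized
    NodeOp("bob", 8000 * ONE, 1000 * ONE, 28),    # 400%, counted at 150%
    NodeOp("carol", 1000 * ONE, 1000 * ONE, 3),   # too few active days
]

if __name__ == "__main__":
    print(distribute(OPS, CYCLE_GGP, PRICE, MIN_DAYS))
```

In the sample, bob's stake beyond the cap earns nothing extra, and integer division leaves undistributed dust that an implementation has to account for somewhere.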