ChainSecurity performed a smart contract audit of Curve Finance’s Tricrypto system, which extends their exchanges to swap 3 coins instantly, where the coins no longer need to be equivalent in value. The system consists of three relevant smart contracts written in the Vyper programming language.
Generally, Curve is a variant of a decentralized exchange (DEX) that relies on automated market making (AMM). Curve and similar AMM projects build upon the concept of liquidity pools and an invariant to determine the ratio/price to swap one coin vs another. A liquidity pool consists of multiple tokens. The tokens are added to the pool by so called liquidity providers. In return, liquidity providers receive a token that represents a share of the funds they own of the pool. Providing liquidity is incentivized by trading fees that the liquidity provider will receive when users trade (the fees are paid out indirectly by increasing the pool’s value). By having a certain amount of tokens, trades can be executed immediately in one transaction. The execution can be done immediately because no counter-party is needed.
Curve modified their function compared to e.g. Uniswap in a way that the price is more robust by introducing a modified invariant. This is achieved by flattening the curve around the equilibrium and shifting the curve given certain conditions are met. This new version aims to protect liquidity providers better, increase their profit and increase liquidity. The main invention of the new invariant is that the prices are included into the invariant. Additionally, conditional price updates are performed to shift the curve if desired.