
Verify contract on base

Open 0xBigBoss opened this issue 8 months ago • 7 comments

Hi, we are looking at integrating with kyber aggregation router and found an undocumented, unverified address involved in the swaps. Can you verify this address on basescan? https://basescan.org/address/0xc7d3ab410d49b664d03fe5b1038852ac852b1b29

0xBigBoss avatar Mar 19 '25 13:03 0xBigBoss

Hi @0xBigBoss, that contract is not intended for public verification. For integration, please read the integration guide in our docs: link. And here are the contract addresses of our MetaAggregationRouterV2 in multiple chains: which is the contract that you need to integrate.

qcuong98 avatar Mar 19 '25 14:03 qcuong98

Hi @qcuong98, we see erc20 transfers to this address and are currently unable to provide our users answers on why they have erc20 transfers to this address after swapping through the mega agg router. Why not verify the contract and provide transparency to the end-users?

0xBigBoss avatar Mar 19 '25 15:03 0xBigBoss

That address belongs to the contract containing our routing algorithm, which is private to prevent potential copy-paste behavior by competitors.

Moreover, users do not need to trust that contract logic because the MetaAggregationRouterV2 already verifies that the returned amount is always no less than the user's minimum amount.

qcuong98 avatar Mar 19 '25 15:03 qcuong98

Hmmm, if we continue to send swaps through the aggregator, are there any other addresses that we should know about that funds will be transferred to?

We are just trying to provide transparency to our users who use erc20 transfer logs to do their accounting.

Also, I am having trouble finding the audits for MetaAggregationRouterV2, has it undergone an audit?

0xBigBoss avatar Mar 19 '25 15:03 0xBigBoss

The ERC20 token flow should be: User <-> Router <-> Executor (the hidden contract) <-> Liquidity_Sources (UniV3, UniV3, Curve, etc.). So the only hop address that has yet to be verified is the Executor, as you mentioned.

There are only private audit rounds on MetaAggregationRouterV2 for now; the reason is that the Router is pretty straightforward, simple, and non-upgradable.

qcuong98 avatar Mar 19 '25 15:03 qcuong98
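
One way an integrator could turn the token flow described above into accounting labels, as an added example that is not code from this thread or from the project. Only the Executor address comes from the issue; the router, user and pool addresses, the token names and the amounts are constructed placeholders, and the minimum-return check is recomputed from logs independently of the router.

```python
from collections import defaultdict

# Only EXECUTOR is taken from this issue. All other addresses, token
# names and amounts are constructed placeholders for illustration.
EXECUTOR = "0xc7d3ab410d49b664d03fe5b1038852ac852b1b29"
ROUTER = "0x" + "11" * 20  # placeholder, not the deployed router address
USER = "0x" + "aa" * 20    # placeholder
POOL = "0x" + "bb" * 20    # placeholder liquidity source

# Constructed ERC20 Transfer logs for one swap: (token, from, to, amount)
SAMPLE_LOGS = [
    ("USDC", USER, ROUTER, 1000),
    ("USDC", ROUTER, EXECUTOR, 1000),
    ("USDC", EXECUTOR, POOL, 1000),
    ("WETH", POOL, EXECUTOR, 5),
    ("WETH", EXECUTOR, ROUTER, 5),
    ("WETH", ROUTER, USER, 5),
]


def role_of(addr, user, liquidity_sources):
    """Map an address to its role in User <-> Router <-> Executor <-> sources."""
    addr = addr.lower()
    known = {user.lower(): "user", ROUTER: "router", EXECUTOR: "executor"}
    if addr in known:
        return known[addr]
    return "liquidity_source" if addr in liquidity_sources else "unknown"


def summarize_swap(logs, user, liquidity_sources, token_out, min_return):
    """Label each hop, net the user's balances, flag unknown addresses."""
    sources = {a.lower() for a in liquidity_sources}
    net, hops, unknown = defaultdict(int), [], set()
    for token, src, dst, amount in logs:
        roles = {src: role_of(src, user, sources), dst: role_of(dst, user, sources)}
        hops.append((token, roles[src], roles[dst], amount))
        unknown.update(a.lower() for a, r in roles.items() if r == "unknown")
        if roles[src] == "user":
            net[token] -= amount
        if roles[dst] == "user":
            net[token] += amount
    return {
        "hops": hops,
        "user_net": dict(net),
        "unknown": sorted(unknown),
        # Re-check from logs of the bound the maintainer says the router enforces.
        "min_return_met": net.get(token_out, 0) >= min_return,
    }
```

Any address that lands in `unknown` is a hop outside the described flow and is worth raising with the project before attributing it in user-facing accounting.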

Thx @qcuong98! This is very helpful. For our purposes, we will just call it a router since that is technically the only address that needs the ERC20 approval.

Perhaps, small suggestion, you should label the address on Basescan just to show ownership. Not sure if they let you do that without publishing the source.

Appreciate the help.

0xBigBoss avatar Mar 19 '25 16:03 0xBigBoss

Basescan can support labeling without publishing the source code; we will be sure to do it.

Thanks for the suggestion!

qcuong98 avatar Mar 19 '25 16:03 qcuong98