Support

## Understanding RebaseToken Design Flaws and Introducing Cross-Chain Concepts Before we dive into making our demonstration `RebaseToken` contract work across different blockchains using Chainlink CCIP, it's crucial to address a couple of design considerations present in the current version. Please remember, this `RebaseToken` is **purely for demonstrative purposes**. It's a learning tool, **not production-ready code**, and has **absolutely not been audited**. These points are highlighted not as critical bugs preventing the demo, but as insights into smart contract design incentives and implementation nuances. ## Flaw 1: Exploitable Interest Rate Inheritance One aspect of the current `RebaseToken` design relates to how user-specific interest rates (`s_userInterestRate`) are handled during token transfers. **The Intended Mechanism:** * When a user deposits tokens for the first time (implied via a `mint` function), they are assigned the current global interest rate (`s_interestRate`) as their personal `s_userInterestRate`. * The global `s_interestRate` is designed to only decrease as more total tokens are deposited into the contract over time. * During a `transfer` or `transferFrom`, the contract checks if the recipient already holds a balance. **The Code Logic (Simplified from `transfer`):** ```solidity // Inside the transfer function... // Check if the recipient currently holds no tokens if (balanceOf(_recipient) == 0) { // If it's their first time receiving tokens, assign the sender's interest rate s_userInterestRate[_recipient] = s_userInterestRate[msg.sender]; } // ... proceed with the transfer execution via super.transfer(...) ``` A similar check exists within the `transferFrom` function. **The Design Incentive Flaw:** This logic creates an unintended incentive that can be exploited: 1. **Early Small Deposit:** A user (Wallet A) deposits a very small amount early on when the global interest rate is high. Wallet A's `s_userInterestRate` is now locked at this favorable rate. 2. **Rate Decrease:** Time passes, more users deposit, and the global `s_interestRate` decreases significantly. 3. **Later Large Deposit:** The same user employs a second wallet (Wallet B) to deposit a large amount of tokens. Wallet B receives the current, much lower global interest rate. 4. **Consolidation Transfer:** The user transfers the large balance from Wallet B to Wallet A. 5. **Exploit Execution:** Because Wallet A already had a non-zero balance from the initial small deposit, the `if (balanceOf(_recipient) == 0)` condition is false. Wallet A's original, high `s_userInterestRate` is *not* overwritten. 6. **Outcome:** Wallet A now holds a large balance (small initial deposit + large transferred amount) that accrues interest at the initial high rate, effectively bypassing the lower rate that should have applied to the bulk of the funds deposited later. This undermines the intended incentive for users to make *large* deposits early to secure better rates. ## Flaw 2: Unintended Interest Compounding The second point concerns the interest calculation mechanism. The intention for this demonstration contract was to implement simple *linear* interest, where interest accrues only on the original principal amount. However, the current implementation inadvertently introduces compounding. **The Calculation Mechanism:** The `balanceOf` function is overridden to show the user's balance including accrued interest: ```solidity function balanceOf(address _user) public view override returns (uint256) { // Fetch the user's principal balance (tokens actually minted) uint256 principalBalance = super.balanceOf(_user); // Calculate the interest accumulated since the last update uint256 interestFactor = _calculateUserAccumulatedInterestSinceLastUpdate(_user); // Return principal multiplied by the interest factor (adjusted for precision) return principalBalance * interestFactor / PRECISION_FACTOR; } ``` **The Compounding Flaw:** The issue arises because most state-changing functions (`burn`, `transfer`, `transferFrom`, `mint`, etc.) call an internal helper function, `_mintAccruedInterest`, *before* executing their main logic. ```solidity // Example within the burn function _mintAccruedInterest(_from); // Calculate and mint interest FIRST _burn(_from, _amount); // Then burn the requested amount // Example within the transfer function _mintAccruedInterest(msg.sender); // Mint interest for sender _mintAccruedInterest(_recipient); // Mint interest for recipient // ... then perform the super.transfer ... ``` This `_mintAccruedInterest` function calculates the interest earned since the user's last interaction and *mints* these interest tokens directly to the user's balance. This increases their underlying principal (`super.balanceOf(_user)`). **The Result:** The next time `balanceOf` is called (or the next time `_mintAccruedInterest` is triggered), the interest calculation factor is applied to this newly increased principal (original principal + previously minted interest). This causes the interest to compound with each interaction, deviating from the strictly linear model intended for this simplified demo. While not a critical vulnerability for our purposes, frequent small interactions (like repeated tiny transfers or burns) could slightly accelerate this compounding effect. In a real-world scenario aiming for linear interest, this would need correction. If compound interest *were* the goal (as is common in production rebase tokens), it would typically require more complex mathematical implementations (like Taylor or Binomial expansions) to achieve accuracy efficiently, which is beyond the scope of this example. ## Introduction to Cross-Chain Functionality Having acknowledged these design aspects of our demo `RebaseToken`, we can now look ahead to the primary goal: enabling cross-chain functionality. The upcoming lessons will introduce key concepts required to bridge our token to other blockchains using Chainlink's infrastructure. We will explore: 1. **Bridging:** The fundamental concept of transferring assets or arbitrary data securely and reliably between distinct blockchain networks. 2. **Chainlink CCIP (Cross-Chain Interoperability Protocol):** Chainlink's specific solution providing a secure and standardized way for smart contracts to communicate, send data, and transfer tokens across different chains. 3. **Cross-Chain Token Standard:** A standard developed by Chainlink, built upon CCIP. This standard offers a powerful advantage: it allows token developers to make their existing ERC20 (or similar) tokens compatible with CCIP in a **permissionless** manner. Developers can deploy associated pool contracts and enable cross-chain transfers without needing direct integration or approval from the Chainlink team, while retaining full ownership and control over their token contracts and liquidity pools. These concepts form the foundation for making our `RebaseToken` accessible and usable across multiple blockchain ecosystems.

Vulnerabilities And-cross-chain-intro

An insightful introduction to Understanding RebaseToken Design Flaws and Introducing Cross-Chain Concepts - Delve into potential exploits and interest calculation issues within a sample RebaseToken. Explore bridging, Chainlink CCIP, and permissionless token standards for cross-chain applications.

Course Overview

About the course

What you'll learn

Advanced smart contract development

How to develop a stablecoin

How to develop a DeFi protocol

How to develop a DAO

Advanced smart contracts testing

Fuzz testing

Manual verification

Course Description

Who is this course for?

Engineers
Smart Contract Security researchers

Potential Careers

Web3 Developer Relations

$85,000 - $125,000 (avg. salary)

Web3 developer

$60,000 - $150,000 (avg. salary)

Smart Contract Engineer

$100,000 - $150,000 (avg. salary)

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

Security researcher

$49,999 - $120,000 (avg. salary)

Meet your instructors

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Guest lecturers:

Juliette Chevalier

Lead Developer relations at Aragon

Ciara Nightingale

Developer relations at Cyfrin

Vasiliy Gualoto

Developer relations at ThirdWeb

Nader Dabit

Director of developer relations at EigenLayer

Ally Haire

Developer relations at Protocol Labs

Harrison

Founder at GasliteGG

Vitto Rivabella

CPO at Cyfrin

Last updated on April 4, 2025

Thanks for checking us out

Start learning for free

Start for free

Solidity Developer

Advanced Foundry

Section 1: Develop an ERC20 Crypto Currency

Duration: 36min

Section 2: Develop an NFTs Collection

Duration: 3h 06min

Section 3: Develop a DeFi Protocol

Duration: 5h 02min

Section 4: Cross Chain Rebase Token

Duration: 6h 02min

1. Introduction

An in-depth overview to Introduction to Building a Cross-Chain Rebase Token - Explore the design and implementation of a cross-chain rebase token utilizing Foundry and Chainlink CCIP for development and interoperability. Delve into rebase mechanics, burn-and-mint bridging, vault interactions, and advanced Foundry testing techniques like fork testing. Duration: 3min

2. What Is-a-rebase-token

A demystifying explanation to Understanding Rebase Tokens - Uncover why some token balances change automatically by exploring the mechanics of rebase tokens. Learn about automatic supply adjustments, different types, and real-world applications like Aave's yield-bearing aTokens. Duration: 2min

3. Rebase Token-code-structure

A foundational introduction to Introduction to Building a Rebase Token - Set up your development environment with Foundry and define core design principles for a rebase token. Covers vault mechanics, dynamic balance calculations, and a unique interest rate system favoring early adopters. Duration: 9min

4. Writing The-rebase-token-contract

An essential setup guide to Building a Rebase Token: Initial Implementation in Solidity - Establish the foundation for a rebase token in Solidity using Foundry and OpenZeppelin. Define key state variables, handle fixed-point math, and implement the core dynamic balance calculation by overriding `balanceOf`. Duration: 33min

5. Mintinterest And-burn-functions

A crucial look into Implementing Interest Accrual and Burning in a Rebase Token - Understand the necessity of synchronizing principal and actual balances via `_mintAccruedInterest` in rebase tokens, and learn to implement the `burn` function, leveraging the Max Uint Pattern for complete withdrawals. Duration: 9min

6. Finish Rebase-token-contract

An in-depth walkthrough to Finalizing the RebaseToken: Integrating ERC20 Functionality - Integrate standard ERC20 features into a custom RebaseToken, overriding key functions like `balanceOf` and `transfer` to account for accrued interest. Address the specific challenges and design choices for rebase token mechanics. Duration: 16min

7. Access Control

An essential lesson on Securing Smart Contracts with OpenZeppelin Access Control - Explore why access control is critical and implement robust security using `Ownable` and `AccessControl`. Master single-owner restrictions and flexible role-based permissions for your Solidity projects. Duration: 12min

8. Vault And-natspec

A foundational walkthrough to Building a Secure Vault Contract in Solidity - Learn to construct a Solidity Vault contract for managing ETH deposits/redemptions and interacting with a token contract. Implement key security patterns like Checks-Effects-Interactions and best practices for robust DeFi development. Duration: 14min

9. Rebase Token-tests-part-1

A foundational setup guide to Setting Up Foundry Tests for Your Rebase Token - Learn to create the initial test file and configure the Foundry environment using the `setUp` function, including contract deployment and resolving common type-casting issues. Outline the structure for testing linear interest accrual in a rebase token system. Duration: 11min

10. Rebase Token-test-part-2

An in-depth guide to Advanced Smart Contract Testing: Rebase Token Fuzzing and Debugging - Explore advanced Foundry techniques like fuzzing with `vm.bound`, debugging precision issues, and testing custom error reverts using `vm.expectPartialRevert`. Learn to build robust tests for deposit, redemption, and interest accrual logic in a rebase token. Duration: 43min

11. Vulnerabilities And-cross-chain-intro

12. Bridging

A comprehensive explanation of Understanding Blockchain Bridges: Connecting the Islands - Explore how bridges link isolated blockchains, detailing mechanisms like burn-and-mint and lock-and-mint for asset transfers. Contrast native vs. third-party and centralized vs. decentralized models, outlining benefits and security implications. Duration: 8min

13. CCIP

A comprehensive introduction to Understanding Chainlink CCIP - Delve into the core architecture and security features of Chainlink's Cross-Chain Interoperability Protocol (CCIP). Discover how it tackles blockchain isolation, enabling secure token and data transfers via its unique components like the Risk Management Network. Duration: 12min

14. The CCT Standard

A comprehensive overview to Understanding the Cross Chain Token (CCT) Standard - Delve into Chainlink's Cross Chain Token (CCT) Standard, a CCIP-based solution tackling liquidity fragmentation and enhancing developer control. Discover its permissionless integration, advanced security features, programmable transfers, and architectural components. Duration: 13min

15. Circle CCTP

An informative exploration of Circle's Cross-Chain Transfer Protocol (CCTP) - Learn how CCTP facilitates secure, native USDC transfers across blockchains using its unique burn-and-mint mechanism. Understand its advantages over traditional bridges and key features like standard versus fast transfers. Duration: 12min

16. Pool Contract

A detailed walkthrough to Enabling Cross-Chain Rebasing Tokens with Custom CCIP Pools - Learn how to construct a bespoke Chainlink CCIP token pool using Foundry for rebasing tokens. Implement the Burn/Mint mechanism to securely transfer tokens while preserving user-specific data like interest rates. Duration: 31min

17. Finish Pool Contract

An iterative approach to Debugging and Compiling the RebaseTokenPool Contract - Learn how to use `forge build` to identify and resolve common Solidity compilation errors in Foundry projects. Follow an iterative process to fix issues like incorrect import paths, function argument mismatches, and type errors. Duration: 1min

18. Chainlink Local-and-fork-tests

A comprehensive introduction to Setting Up Local Fork Tests for Chainlink CCIP with Foundry - Master Foundry's fork testing cheatcodes to replicate multiple blockchain states locally for cross-chain development. Integrate Chainlink Local's simulator to test CCIP interactions realistically between these forked environments. Duration: 11min

19. Deploy Token-test

A foundational setup guide to Deploying Tokens in a Foundry CCIP Test Environment - Learn the initial steps of setting up a Foundry test for cross-chain token deployment using Chainlink CCIP. Deploy `RebaseToken` contracts on both Sepolia and Arbitrum Sepolia forks, managing forks and deployers. Duration: 4min

20. CCIP Setup-test

A foundational setup guide to Setting Up CCIP Burn & Mint Tokens in Foundry - Deploy custom rebase tokens and Chainlink Token Pools on forked testnets using Foundry setup scripts. Configure CCIP permissions, register tokens with the admin registry, and link them to their pools for Burn & Mint testing. Duration: 11min

21. Configure Pool-test

A crucial guide to Chainlink CCIP: Configuring Token Pools in Tests - Learn the vital configuration step after deploying Token Pools but before testing cross-chain transfers. Understand how to use `applyChainUpdates` in Hardhat/Foundry to link pools across chains. Duration: 10min

22. Bridge Function-test

A practical guide to Testing Cross-Chain Token Transfers with Chainlink CCIP and Foundry - Build and thoroughly test a reusable Solidity function for bridging tokens using Chainlink CCIP within a Foundry environment. Leverage the local simulator to verify cross-chain transfers and handle LINK fees between simulated networks. Duration: 21min

23. First Cross-chain-test

A hands-on implementation to Implementing Your First CCIP Cross-Chain Test in Foundry - Discover how to write a Foundry test for CCIP cross-chain transfers using a local simulator for forked networks. Implement and utilize a `bridgeTokens` helper function to test a complete round-trip bridging scenario. Duration: 11min

24. Vault Deployment-script

A practical Forge scripting guide to Creating a Vault Deployer Script with Forge - Learn to build a Solidity deployment script using Foundry/Forge to deploy a `Vault` contract. Covers structuring the script, using cheatcodes for broadcasting, and granting necessary permissions. Duration: 4min

25. Token And-pool-deployer

A comprehensive walkthrough to Deploying Rebase Tokens and CCIP Pools with Foundry - Learn how to create a Foundry script to deploy custom RebaseToken and RebaseTokenPool contracts. Automatically configure the necessary Chainlink CCIP settings to enable cross-chain token transfers using the Burn & Mint standard. Duration: 9min

26. Pool Config-script

A detailed guide to Configuring CCIP Token Pools with a Forge Script - Learn to write a Solidity Forge script (`ConfigurePool.s.sol`) for post-deployment Chainlink CCIP Token Pool setup. Configure inter-chain connections and crucial rate-limiting parameters by running the script on both chains. Duration: 8min

27. Bridging Script

A step-by-step guide to Creating a CCIP Token Bridging Script - Learn to build a Foundry script (`BridgeTokens.s.sol`) for Chainlink CCIP token bridging, focusing on token-only transfers. Understand how to construct the CCIP message, calculate fees, manage ERC20 approvals, and initiate the cross-chain send. Duration: 13min

28. Build Scripts

A foundational preparation to Preparing for Testnet Deployment and Testing - Correct Solidity build errors such as missing 'memory' keywords and address the Foundry `vm.warp`/`via_ir` testing bug. Solidify your project codebase, ensuring it compiles reliably for Sepolia and zkSync deployment. Duration: 4min

29. Run Scripts-on-testnet

A detailed deployment guide to Deploying Your Cross-Chain Application to Testnets - Master deploying smart contracts across Ethereum and zkSync testnets using a hybrid Bash and Foundry strategy. Secure testnet funds, configure environments, and initiate a token bridge via Chainlink CCIP. Duration: 15min

30. Cross Chain-message-sucess

An essential guide to Verifying Your Cross-Chain Token Transfer with CCIP Explorer and MetaMask - Learn how to use the CCIP Explorer to confirm successful cross-chain transfers and examine transaction specifics. Verify token arrival on the destination chain by importing the contract into your MetaMask wallet. Duration: 3min

31. Outro

A comprehensive overview to Building a Cross-Chain Rebase Token with CCIP - Recaps creating a custom Rebase Token with interest accrual and CCIP integration using Token Pools. Details the Foundry testing strategies, deployment scripting, and live cross-chain execution process. Duration: 3min

Section 5: Airdrop and Signatures

Duration: 2h 47min

Section 6: Upgradeable Smart Contracts

Duration: 1h 23min

Section 7: Account Abstraction

Duration: 4h 28min

Section 8: DAOs

Duration: 1h 19min

Section 9: Security

Duration: 1h 10min