Slab V2
RarityCalculatorV2.sol
This document summarizes the security-focused review of RarityCalculatorV2.sol. The contract is small and pure, so most risk is in cross-contract assumptions (how SlabMachineV2 and SlabLocker use its outputs). Findings are ordered by severity; each includes context, impact, and a recommended fix where applicable.
SlabLocker and SlabMachineV2 use this calculator in two different contexts:
calculateRarity(seed)for pull outcomes (SlabMachineV2.randomNumberCallback)calculateRarityByPrice(insuredValue)for per-machine rarity indexing inSlabLocker
That split is coherent and intentional. However, protocol behavior depends on both mappings being stable and understood by operators. Any calculator replacement is a protocol-level change and should be treated as such.
Findings
No direct security vulnerabilities were identified in RarityCalculatorV2.sol.
The implementation is simple, deterministic, and side-effect free:
calculateRarity(seed)maps a seed to one of fiveSlabRarityvalues.calculateRarityByPrice(price)maps insured value (USDC 6 decimals) to one of fiveSlabRarityvalues.
Both functions are pure, do not perform external calls, and do not mutate state.
[LOW] Configuration Rigidity Is an Operational Footgun
All rarity distribution bands and insured-value thresholds are hardcoded:
- Pull distribution: 80% / 15% / 4% / 0.99% / 0.01%
- Price tiers:
<60,<110,<250,<500,>=500(USDC with 6 decimals)
If market conditions change, or if inventory shape changes materially, operators must deploy a new calculator and re-point machines. That is not a code exploit, but it is an operational sharp edge.
Recommended Solution
Keep this contract immutable if that is your design goal, but document and rehearse the operational runbook:
- Deploy new calculator.
- Update each machine to use the new calculator (if supported by architecture).
- Reconcile rarity pools in the locker.
If flexibility is required, use a governed config-based calculator with strict validation and timelock controls.
Summary
| Severity | Count | Focus |
|---|---|---|
| High | 0 | None identified in this contract. |
| Medium | 0 | None identified in this contract. |
| Low | 1 | Operational rigidity (hardcoded thresholds). |
| Informational | 1 | Boundary behavior clarity/testing. |
RarityCalculatorV2 is technically straightforward and low risk by itself. Residual risk comes from integration assumptions and operational changes around calculator upgrades.