Aborean Finance

Code Audit

Aborean is a decentralised finance (DeFi) protocol engineered to optimise capital efficiency for the Abstract chain.

Severity Issues

Critical: 0
High: 0
Medium: 0
Low: 0
Informational: 2

Audit Period

0.4 Person Weeks

Introduction

Aborean Finance is a fork of Velodrome adapted for deployment on Abstract. The project rebranded protocol components (to ABX/Aborean), replaced NFT art with custom assets, and reworked pool deployment from Clones to a Create2 pattern to ensure deterministic addresses under zkSync’s evolving environment.

The protocol combines dual AMM styles (constant product and concentrated liquidity) with token-gated governance and a ve(3,3) incentive model.

Key Protocol Roles

  • Liquidity Providers: Provide assets across both v2-style and concentrated v3-style pools, earning swap fees and emissions.
  • veABX Voters: Lock ABX tokens to direct emissions toward chosen pools.
  • Traders: Execute swaps across the v2-style and Slipstream (concentrated-liquidity) pools.
  • Gauge Participants: Earn rewards from emissions based on governance-aligned liquidity.

Scope of the Engagement

Three Sigma executed a focused audit of Aborean's Velodrome fork modifications on 19 September 2025.

The review involved:

  • Diff-checking Aborean’s repo against Aerodrome’s reference commit (a5fae2e87e490d6b10f133e28cc11bcc58c5346a).
  • Examining pool deployment logic, specifically migration from Clones to Create2.
  • Validating router behavior (Router.poolFor) after the change from Clones.predictDeterministicAddress to PoolFactory.getPool.

Auditors: 2

Effort: 0.4 person-weeks

The primary objectives were to:

  • Validate Create2 deployment patterns for pools and slipstream concentrated liquidity contracts.
  • Check for functional regressions in Router.poolFor behavior and downstream call sites.
  • Identify leftover Velodrome/Aerodrome naming inconsistencies post-rebrand.
  • Confirm that unused or removed functions in PoolFactory posed no risk.

Challenges in Securing Forked AMM Protocols

Deployment Consistency

Forked AMMs often adapt factory and pool deployment logic. Small deviations in address derivation or initialization can break determinism, create duplicate pools, or fragment liquidity. On zkSync-based chains such as Abstract this is acute: CREATE2 addresses are derived differently from Ethereum, and the inline-assembly minimal-proxy deployment behind OpenZeppelin's Clones library is not supported, so address prediction inherited from an Ethereum deployment points at the wrong account. Predictable, immutable pool addresses, and an on-chain registry that callers consult instead of re-deriving addresses, are critical.

Governance & Tokenomics Alignment

Protocols inheriting ve(3,3)-style mechanics must verify that emissions, voting weight, and reward flows remain consistent after rebranding or contract modifications. Even minor naming or scaling mismatches can lead to unfair emissions distribution or locked governance power.

Integration with Concentrated Liquidity

Combining Uniswap v2-style and v3-style pools introduces complexity in fee accounting, tick initialization, and reward gauges. Ensuring that liquidity is tracked accurately across both pool types is essential to prevent double-counting or missing rewards.

Audit Date: 2025-09-19

Language: Solidity

Type: Code Audit

Results and Findings

Notable Informational Issues

Unused Import in CLGaugeFactory

Description: CLGaugeFactory imported OpenZeppelin’s Clones.sol despite no longer relying on Clones.

  • Impact: None (maintenance overhead only).
  • Resolution: Import removed in commit #cdcbd0.

Inconsistent Naming in IMinter.sol and NFTDescriptor.sol

Description: References to "aero" and "Aerodrome" persisted despite project-wide renaming to "abx" and "Aborean".

  • Impact: None (semantic/UI consistency).
  • Resolution: All names updated in commit #cdcbd0.


In conclusion

The engagement confirmed that Aborean's fork-specific changes (renaming, NFT replacement, and Create2-based deployment) were correctly implemented without introducing security regressions.

Key improvements included:

  • Safer pool existence checks via PoolFactory.getPool.
  • Removal of unused imports.
  • Consistent branding/naming across the codebase.

Overall, Aborean Finance’s code aligns with Velodrome’s security model while addressing Abstract/zkSync-specific deployment challenges.

Three Sigma’s Value

Our review went beyond surface-level diffing to assess the deployment semantics and business logic of Aborean's Create2 migration. In particular, Clones.predictDeterministicAddress always yields a well-formed non-zero address whether or not a pool was ever deployed there, whereas PoolFactory.getPool returns address(0) for a pair that has not been created; we verified that Router.poolFor and its downstream call sites handle the zero-address case rather than treating the result as a live pool.
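The following is an added illustration of the deployment pattern and the router change described in the scope section above and in the paragraph just above; it is not Aborean's or Velodrome's source code. Contract and function names (Pool, PoolFactory.getPool, Router.poolFor, the defaultFactory fallback) follow Velodrome conventions, and the Pool body is a stub carrying only what address derivation and initialization need. It shows a pool being deployed with CREATE2 under a salt bound to (token0, token1, stable), a registry lookup that returns address(0) for unknown pairs, and a poolFor that turns that zero address into an explicit revert instead of letting a non-existent pool propagate into a downstream call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Aborean's or Velodrome's source. Names follow
// Velodrome conventions; the Pool body is a stub for address derivation only.

contract Pool {
    address public immutable factory;
    address public token0;
    address public token1;
    bool public stable;

    constructor() {
        factory = msg.sender;
    }

    // Called once by the factory immediately after deployment.
    function initialize(address _token0, address _token1, bool _stable) external {
        require(msg.sender == factory, "NOT_FACTORY");
        require(token0 == address(0), "ALREADY_INITIALIZED");
        token0 = _token0;
        token1 = _token1;
        stable = _stable;
    }
}

contract PoolFactory {
    mapping(address => mapping(address => mapping(bool => address))) private _pools;
    mapping(address => bool) public isPool;
    address[] public allPools;

    event PoolCreated(address indexed token0, address indexed token1, bool indexed stable, address pool);

    function _sort(address a, address b) internal pure returns (address, address) {
        return a < b ? (a, b) : (b, a);
    }

    // Registry lookup. Returns address(0) for a pair that was never created;
    // that is the behaviour the router must handle explicitly.
    function getPool(address tokenA, address tokenB, bool stable) public view returns (address) {
        (address token0, address token1) = _sort(tokenA, tokenB);
        return _pools[token0][token1][stable];
    }

    function createPool(address tokenA, address tokenB, bool stable) external returns (address pool) {
        require(tokenA != tokenB, "SAME_ADDRESS");
        (address token0, address token1) = _sort(tokenA, tokenB);
        require(token0 != address(0), "ZERO_ADDRESS");
        require(_pools[token0][token1][stable] == address(0), "POOL_EXISTS");

        // The salt binds pair and pool type, so a given (token0, token1, stable)
        // deploys at most once per factory and lands at the same address on every
        // run, whatever CREATE2 derivation the underlying chain uses.
        bytes32 salt = keccak256(abi.encodePacked(token0, token1, stable));
        pool = address(new Pool{salt: salt}());
        Pool(pool).initialize(token0, token1, stable);

        _pools[token0][token1][stable] = pool;
        isPool[pool] = true;
        allPools.push(pool);
        emit PoolCreated(token0, token1, stable, pool);
    }
}

contract Router {
    address public immutable defaultFactory;

    constructor(address _defaultFactory) {
        defaultFactory = _defaultFactory;
    }

    // Before the migration this resolved pools with
    // Clones.predictDeterministicAddress(implementation, salt, factory), which
    // returns a well-formed non-zero address whether or not anything was ever
    // deployed there. With the registry, an unknown pair answers address(0), and
    // the check below turns that into a clean revert instead of a call into an
    // account with no code further down the swap path.
    function poolFor(address tokenA, address tokenB, bool stable, address _factory)
        public view returns (address pool)
    {
        address factory = _factory == address(0) ? defaultFactory : _factory;
        pool = PoolFactory(factory).getPool(tokenA, tokenB, stable);
        require(pool != address(0), "POOL_DOES_NOT_EXIST");
    }

    // Representative downstream call site: consumers go through poolFor rather
    // than re-deriving the address, so the existence check is enforced once.
    function poolTokens(address tokenA, address tokenB, bool stable, address _factory)
        external view returns (address token0, address token1)
    {
        Pool pool = Pool(poolFor(tokenA, tokenB, stable, _factory));
        return (pool.token0(), pool.token1());
    }
}
```

The registry is what makes this portable: on-chain `new Pool{salt: salt}()` is deterministic on any chain, but off-chain or in-router prediction with the Ethereum formula keccak256(0xff ++ deployer ++ salt ++ keccak256(initcode)), which is what Clones.predictDeterministicAddress encodes for a minimal proxy, does not match the derivation used by zkSync-based chains, so asking the factory sidesteps the question entirely. Any caller that used to rely on a non-zero result being returned unconditionally must be audited for how it reacts to the revert.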

By identifying and fixing inconsistencies, we helped the Aborean team streamline their fork and maintain a cleaner, more predictable deployment surface.

We specialize in fork audits for AMMs and governance-heavy DeFi protocols. If your project builds on Velodrome, Aerodrome, or similar ve(3,3)-based systems, we can harden it before launch. Contact us to discuss securing your fork and protecting your liquidity.
