The SwapHelper is a Venus periphery contract that enables secure, backend-authorized token swaps. It provides an atomic multicall interface with EIP-712 signature verification, allowing the Venus backend to authorize specific swap operations while preventing arbitrary execution.
Token swaps in leverage operations require interaction with external DEX protocols. The SwapHelper provides a controlled execution environment where:
Backend Authorization: All swap operations must be signed by the authorized backend signer
Atomic Execution: Multiple operations execute atomically via multicall
Replay Protection: Each signed payload is single-use via salt tracking
Time-Bounded: Signatures include a deadline to prevent stale quote execution
The contract is designed to be called by the LeverageStrategiesManager during flash loan callbacks, though it can also be used independently for authorized token operations.
┌─────────────────────────┐
│     Venus Swap API      │
│    (Backend Service)    │
└───────────┬─────────────┘
            │ Signs multicall payload
            ▼
┌─────────────────────────┐
│     Frontend / User     │
│                         │
└───────────┬─────────────┘
            │ Passes signed data to LSM
            ▼
┌─────────────────────────┐
│LeverageStrategiesManager│
│  (Flash Loan Callback)  │
└───────────┬─────────────┘
            │ Calls multicall
            ▼
┌─────────────────────────┐
│       SwapHelper        │
│  - Verifies signature   │
│  - Executes calls       │
└───────────┬─────────────┘
            │ genericCall
            ▼
┌─────────────────────────┐
│       DEX Router        │
│ (Uniswap, 1inch, etc.)  │
└─────────────────────────┘
EIP712 - EIP-712 typed data hashing for signature verification
Ownable - Access control for admin functions
ReentrancyGuard - Reentrancy protection
State Variables
Address authorized to sign multicall operations
Tracks used salts for replay protection
multicall
Executes multiple calls atomically with backend signature verification.
Parameters
Array of encoded function calls to execute on this contract
Unix timestamp after which the transaction will revert
Unique value ensuring this multicall can only be executed once
EIP-712 signature from the backend signer
Execution Flow
Validate calls array is not empty
Check block.timestamp <= deadline
Verify signature is provided
Check salt has not been used
Recover signer from EIP-712 digest (including caller address) and verify against backendSigner
Execute each call atomically
Emit MulticallExecuted event
Typical Call Structure
A multicall for a swap operation typically contains:
Events
MulticallExecuted(caller, callsCount, deadline, salt) on success
Errors
NoCallsProvided if calls array is empty
DeadlineReached if block.timestamp > deadline
MissingSignature if signature length is zero
SaltAlreadyUsed if salt has been used before
Unauthorized if recovered signer does not match backendSigner
genericCall
Executes an arbitrary call to an external contract. Only callable via multicall or by the owner.
Parameters
Address of the contract to call
Encoded function call data
Events
GenericCallExecuted(target, data) on success
Access Requirements
Only callable by owner or contract itself (via multicall)
Errors
CallerNotAuthorized if caller is not owner or contract itself
sweep
Transfers the entire balance of an ERC-20 token to a specified recipient.
Parameters
ERC-20 token contract to sweep
Recipient address for the swept tokens
Events
Swept(token, to, amount) on execution (emits even if amount is 0)
Access Requirements
Only callable by owner or contract itself (via multicall)
Errors
CallerNotAuthorized if caller is not authorized
approveMax
Grants maximum approval of an ERC-20 token to a spender.
Parameters
ERC-20 token contract to approve
Address to grant approval to
Events
ApprovedMax(token, spender) on success
Access Requirements
Only callable by owner or contract itself (via multicall)
Errors
CallerNotAuthorized if caller is not authorized
setBackendSigner
Updates the authorized backend signer address.
Parameters
New backend signer address
Events
BackendSignerUpdated(oldSigner, newSigner) on success
Access Requirements
Only callable by contract owner
Errors
ZeroAddress if newSigner is address(0)
Events
BackendSignerUpdated(oldSigner, newSigner): Backend signer address changed
MulticallExecuted(caller, callsCount, deadline, salt): Multicall successfully executed
Swept(token, to, amount): Tokens transferred out of contract
Errors
DeadlineReached: Transaction deadline has passed
Unauthorized: Signature verification failed
ZeroAddress: Zero address provided as parameter
SaltAlreadyUsed: Salt has already been used (replay protection)
CallerNotAuthorized: Caller is not owner or contract itself
NoCallsProvided: Empty calls array in multicall
MissingSignature: Signature is required but empty
Security Considerations
Signature Verification
All multicall operations require a valid EIP-712 signature from the backendSigner. The signature covers:
The caller address (prevents cross-address replay)
This prevents:
Unauthorized swap execution
Cross-address signature replay attacks
Replay attacks (via salt tracking)
Stale quote execution (via deadline)
Functions that interact with external contracts (genericCall, sweep, approveMax) are protected by onlyOwnerOrSelf:
Direct calls require owner privileges
Calls within multicall are authorized via backend signature
Reentrancy Protection
The multicall function is protected by OpenZeppelin's nonReentrant modifier, preventing reentrant calls during execution.
The contract initializes with:
This domain separation ensures signatures are specific to this contract and version.
SwapHelper is currently deployed on BNB Chain Mainnet. See Deployed Contracts for current addresses.
Deployments on additional networks are planned. The contract is designed to be deployed on any EVM-compatible network where Venus Protocol operates.
With LeverageStrategiesManager
The SwapHelper is the designated swap executor for the LeverageStrategiesManager. During leverage operations:
Frontend obtains signed swapData from Venus Swap API
User calls LeverageStrategiesManager entry function with swapData
LSM transfers tokens to SwapHelper during flash loan callback
LSM calls swapHelper.call(swapData) which invokes multicall
SwapHelper executes the swap and sweeps output tokens back to LSM
LSM validates received amount against slippage protection
SwapHelper exposes a clear interface for integration:
Signature Generation
When generating signatures for the multicall function, the backend must include the caller address in the EIP-712 digest:
This ensures signatures are specific to the address calling multicall and cannot be replayed from a different address.
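An added sketch (not the Venus SwapHelper source) of the check order from the multicall execution flow and of the caller-bound digest described here, written against OpenZeppelin Contracts v5. The type string, the usedSalts mapping name, the function and event signatures, the point at which the salt is marked used, and the domain name and version are assumptions, since the page does not show them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

// Added sketch, not the Venus SwapHelper source.
contract SignedMulticallSketch is EIP712 {
    // Assumed type string and storage names; the page does not show the real ones.
    bytes32 private constant MULTICALL_TYPEHASH =
        keccak256("Multicall(address caller,bytes[] calls,uint256 deadline,bytes32 salt)");
    address public backendSigner;
    mapping(bytes32 => bool) public usedSalts;
    event MulticallExecuted(address caller, uint256 callsCount, uint256 deadline, bytes32 salt);
    error NoCallsProvided();
    error DeadlineReached();
    error MissingSignature();
    error SaltAlreadyUsed();
    error Unauthorized();

    // Placeholder domain name and version.
    constructor(address signer) EIP712("SignedMulticallSketch", "1") {
        backendSigner = signer;
    }

    function multicall(bytes[] calldata calls, uint256 deadline, bytes32 salt, bytes calldata signature) external {
        if (calls.length == 0) revert NoCallsProvided();
        if (block.timestamp > deadline) revert DeadlineReached();
        if (signature.length == 0) revert MissingSignature();
        if (usedSalts[salt]) revert SaltAlreadyUsed();

        // EIP-712 encodes bytes[] as the hash of the concatenated element hashes.
        bytes32[] memory callHashes = new bytes32[](calls.length);
        for (uint256 i = 0; i < calls.length; ++i) callHashes[i] = keccak256(calls[i]);

        // msg.sender is part of the signed struct, so another caller yields a different digest.
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            MULTICALL_TYPEHASH, msg.sender, keccak256(abi.encodePacked(callHashes)), deadline, salt
        )));
        if (ECDSA.recover(digest, signature) != backendSigner) revert Unauthorized();
        usedSalts[salt] = true; // sketch's choice: consume the salt before executing any call
        for (uint256 i = 0; i < calls.length; ++i) {
            (bool ok, bytes memory ret) = address(this).call(calls[i]);
            // Bubble up the inner revert so one failed call undoes the whole batch.
            if (!ok) { assembly { revert(add(ret, 0x20), mload(ret)) } }
        }
        emit MulticallExecuted(msg.sender, calls.length, deadline, salt);
    }
}
```

A signature produced for one caller address recovers to a different signer when submitted from any other address, so the call reverts with Unauthorized before the salt is consumed.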
Swap API Request
When integrating with the Venus Swap API, include:
Destination token address
LeverageStrategiesManager address
Unix timestamp for expiry
Address that will call multicall
The API returns encoded multicall parameters with the backend signature that includes the caller address.
SwapHelper undergoes security audits before mainnet deployment. Audit reports are available in the venus-periphery repository.