88mph V3

Findings · 17

1. 1 The interest oracle’s money market is not validated upon DInterest initialization Medium
2. 2 Lack of return value check on transfer and transferFrom Informational
3. 3 Lack of two-step process for contract ownership transfers Informational
4. 4 Users cannot specify a minimum desired interest Medium
5. 5 Withdrawing from Yearn to DInterest in a single step can save gas Informational
6. 6 Linearization of exponential compounding could lead to insolvency High
7. 7 Initialization functions can be front-run High
8. 8 Lack of contract existence check on delegatecall Informational
9. 9 Inconsistent validation of money markets’ rewards address Low
10. 10 Solidity compiler optimizations can be problematic Undetermined
11. 11 Redundant addition of zero value in the Harvest money market Informational
12. 12 Lack of documentation concerning Rescuable base contract could result in exploitable modifications Informational
13. 13 Modifications make the safeApprove function unsafe Informational
14. 14 Transferring the entire balance of a contract has unintended consequences Low
15. 15 Users are not informed of the pitfalls of using Yearn vaults Medium
16. 16 Sponsor payout uses two transfers when only one is required Informational
17. 17 ERC20Wrapper’s transferFrom function ignores the sender argument High

Findings extracted from the published report PDF. See the full report below for details and remediation.