Trail of Bits

Yearn v2 Vaults

Type: Security review

Client: Yearn Finance

Date: 2021-04

Domain: Blockchain

Effort: 6 wks

Section: Ethereum/EVM

Trail of Bits's security review of Yearn Finance (Apr 2021) identified 19 issues: 4 high, 4 medium, 7 low, and 4 informational.

Findings · 19

  1. Shares are indirectly transferable to 0x0 (Low)
  2. Use of zero or contract address as rewards address can block fee computations (Low)
  3. Division rounding may affect issuance of shares (Medium)
  4. revokeStrategy function can be error-prone (Low)
  5. Vault initialize function does not validate ERC20 decimals (Informational)
  6. Vault deposits can bypass guest list deposit limits (Informational)
  7. Strategy owner can reduce or bypass loss penalty (High)
  8. setWithdrawalQueue allows for duplicated strategies (Low)
  9. Strategy migrations can be problematic and should be avoided (High)
  10. Large withdrawals can block other users from making withdrawals (Medium)
  11. Current debt calculations can differ depending on context (Medium)
  12. Registry cache is not verified when registry address is updated (High)
  13. name, symbol, and decimals functions can change during the lifetime of yToken (Medium)
  14. A strategy declaring a loss can keep excess debt (Informational)
  15. Performance fees can exceed 100% (Informational)
  16. Management fees can be avoided (Low)
  17. Vaults should not use inflationary or deflationary ERC20 tokens (High)
  18. PR 273 introduces multiple issues (Low)
  19. Front-running opportunities (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.