Summary
Throughout the engagement, the communication and cooperation with the Curve and Yearn teams were excellent. The Curve team was responsive and provided the necessary information to conduct the audit efficiently. Besides the audit, we also supported the Curve team with questions and feedback on the codebase.
The general subjects covered were proper use of the Yearn vault, access control, and correct accounting. Security regarding all the aforementioned subjects is high.
In summary, we find that the codebase provides a high level of security. Yet, it is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Curve scrvUSD
Curve adopted Yearn's vault to distribute rewards to crvUSD holders that deposit their tokens in the vault. The rewards originate from fees generated by Curve's stablecoin system. If the vault registers a profit, the profit is paid to the users over time by issuing shares to the vault backed by the profit and burning these shares over time.
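The profit-streaming accounting described above, as an added example that is not part of the audit report or of the Curve or Yearn code: a simplified Python model showing that the share price does not move when profit is reported and rises only as the vault-held shares are burned. The class name, the one-week unlock period, the linear burn schedule, the restart of the period on a new report, and the sample amounts are assumptions.

```python
from fractions import Fraction

class LockedProfitVault:
    """Simplified model: profit is minted as vault-held shares, then burned linearly."""

    def __init__(self, unlock_period):
        self.unlock_period = unlock_period  # seconds; the value is an assumption
        self.total_assets = Fraction(0)
        self.minted = Fraction(0)           # shares outstanding before subtracting burns since last report
        self.locked = Fraction(0)           # shares the vault held at the last report
        self.report_time = 0

    def still_locked(self, now):
        elapsed = min(max(now - self.report_time, 0), self.unlock_period)
        return self.locked * (self.unlock_period - elapsed) / self.unlock_period

    def total_supply(self, now):
        # Shares already burned since the last report no longer count.
        return self.minted - (self.locked - self.still_locked(now))

    def price_per_share(self, now):
        supply = self.total_supply(now)
        return self.total_assets / supply if supply else Fraction(1)

    def deposit(self, assets, now):
        shares = Fraction(assets) / self.price_per_share(now)
        self.total_assets += assets
        self.minted += shares
        return shares

    def report_profit(self, profit, now):
        price = self.price_per_share(now)
        remaining = self.still_locked(now)
        self.minted -= self.locked - remaining   # settle burns to date
        new_shares = Fraction(profit) / price    # shares backed by the profit
        self.minted += new_shares
        self.locked = remaining + new_shares     # simplification: period restarts
        self.total_assets += profit
        self.report_time = now

def demo():
    week = 7 * 24 * 3600
    vault = LockedProfitVault(unlock_period=week)
    vault.deposit(1000, now=0)                   # constructed sample deposit
    vault.report_profit(100, now=0)              # constructed sample profit
    return [vault.price_per_share(t) for t in (0, week // 2, week, 2 * week)]

if __name__ == "__main__":
    print([str(p) for p in demo()])
```

A depositor who enters halfway through the unlock period pays the partially risen price and therefore receives only the profit that unlocks after their deposit.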
Curve allows users (and smart contracts like 1inch, Paraswap, Totle and Dex.ag) to trade between DAI and USDC with a bespoke low slippage, low fee algorithm designed specifically for stablecoins and earn fees. Behind the scenes, the liquidity pool is also supplied to the Compound protocol or yearn.finance where it generates even more income for liquidity providers.
We appreciate ChainSecurity for their very deep and thoughtful analysis!
Michael Egorov, CEO @ Curve Finance