Mellow Protocol Security Audit

Summary

Mellow Finance offers an investment protocol that pools investors' funds and manages them according to an investment strategy implemented as a smart contract.

The overall system has a set of parameters managed by the ProtocolGovernance smart contract. Different vaults are responsible for holding the funds and/or investing them in other DeFi protocols such as AAVE, YEARN or Uniswap. A root vault is the overarching connector for all vaults and is the entry point through which a user invests funds. Strategy contracts balance the ratios of tokens held in the vaults and between the vaults.

A user who wants to invest sends funds to the root vault. In return, the root vault issues the user a corresponding amount of liquidity provider (LP) tokens that track the user's share of the pooled investment. The funds end up in a special vault that acts as a cash position. As soon as a strategy manager invokes the rebalancing function of the connected strategy, the strategy distributes the funds from the cash vault to the investment/integration vaults, which use them to invest in third-party DeFi protocols such as Aave. When a user redeems their LP tokens for the corresponding share of tokens, the root vault first drains the cash vault and, if that is not enough, pulls the remainder from the investment/integration vaults.
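The deposit, rebalance and withdraw flow described above, as an added toy model in Python. This is illustrative code written for this summary, not code from the audit report or from Mellow's own contracts. The pro-rata LP minting formula, the 1:1 rule for the first deposit, the round-down integer arithmetic, the single-token vaults and the vault names `cash`, `aave` and `yearn` are assumptions made for the example; the real contracts may differ in every one of these details.

```python
from dataclasses import dataclass, field


@dataclass
class Vault:
    """A vault holding one token. In the real system an integration vault
    would hold this as a position in Aave, Yearn, etc.; here it is a balance."""
    name: str
    balances: dict = field(default_factory=dict)  # token -> amount held

    def value(self, token: str) -> int:
        return self.balances.get(token, 0)

    def push(self, token: str, amount: int) -> None:
        self.balances[token] = self.balances.get(token, 0) + amount

    def pull(self, token: str, amount: int) -> int:
        """Remove up to `amount` of `token`; return what was actually removed."""
        have = self.balances.get(token, 0)
        taken = min(have, amount)
        self.balances[token] = have - taken
        return taken


@dataclass
class RootVault:
    """Entry point: mints/burns LP tokens and routes funds between the cash vault
    and the integration vaults. Toy model; not Mellow's contract logic."""
    token: str
    cash: Vault
    integrations: list
    lp_supply: int = 0
    lp_balances: dict = field(default_factory=dict)  # user -> LP tokens held

    def tvl(self) -> int:
        return self.cash.value(self.token) + sum(v.value(self.token) for v in self.integrations)

    def deposit(self, user: str, amount: int) -> int:
        """Funds land in the cash vault; LP tokens are minted pro rata to current TVL.
        Assumption: the first deposit mints 1:1 and all arithmetic rounds down."""
        if amount <= 0:
            raise ValueError("deposit must be positive")
        total_before = self.tvl()
        if self.lp_supply == 0 or total_before == 0:
            minted = amount
        else:
            minted = amount * self.lp_supply // total_before
        self.cash.push(self.token, amount)
        self.lp_supply += minted
        self.lp_balances[user] = self.lp_balances.get(user, 0) + minted
        return minted

    def rebalance(self, allocation: list) -> None:
        """Strategy manager moves cash into the integration vaults
        (one amount per integration vault, in order)."""
        if sum(allocation) > self.cash.value(self.token):
            raise ValueError("cannot allocate more than the cash position")
        for vault, amount in zip(self.integrations, allocation):
            vault.push(self.token, self.cash.pull(self.token, amount))

    def withdraw(self, user: str, lp_amount: int):
        """Burn LP tokens and pay the pro-rata share: drain the cash vault first,
        then pull the remainder from the integration vaults in order."""
        held = self.lp_balances.get(user, 0)
        if lp_amount <= 0 or lp_amount > held:
            raise ValueError("insufficient LP balance")
        owed = lp_amount * self.tvl() // self.lp_supply
        self.lp_balances[user] = held - lp_amount
        self.lp_supply -= lp_amount
        remaining, sources = owed, {}
        for vault in [self.cash, *self.integrations]:
            if remaining == 0:
                break
            got = vault.pull(self.token, remaining)
            if got:
                sources[vault.name] = got
            remaining -= got
        assert remaining == 0, "TVL always covers a pro-rata share"
        return owed, sources


def run_scenario() -> dict:
    """Constructed scenario: two depositors, one rebalance, simulated yield, one withdrawal."""
    root = RootVault("USDC", Vault("cash"), [Vault("aave"), Vault("yearn")])
    alice_lp = root.deposit("alice", 1000)         # first deposit: 1000 LP
    root.rebalance([600, 300])                     # cash 100, aave 600, yearn 300
    root.integrations[0].push("USDC", 60)          # simulated yield: aave position grows to 660
    bob_lp = root.deposit("bob", 530)              # 530 * 1000 // 1060 = 500 LP
    payout, sources = root.withdraw("alice", alice_lp)  # 1000 * 1590 // 1500 = 1060
    return {
        "alice_lp": alice_lp,
        "bob_lp": bob_lp,
        "alice_payout": payout,
        "sources": sources,                 # cash drained first, remainder from aave
        "tvl_after": root.tvl(),
        "lp_supply_after": root.lp_supply,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows why the ordering on withdrawal matters for a reviewer: Alice's 1060 USDC comes out as 630 from the cash vault and 430 from the first integration vault, and Yearn is not touched, so only positions that must be unwound are unwound. After the withdrawal Bob's 500 LP tokens are still backed by exactly the 530 USDC he deposited, which is the accounting invariant a pro-rata LP scheme has to preserve.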

About Mellow Protocol

“Mellow Protocol is a permissionless vaults ecosystem for capital efficiency. The Protocol provides the layer for creating liquidity rebalancing strategies and helps to focus on models instead of infrastructure.
Mellow permissionless vaults are a set of smart contracts that allow anyone to create a multi-ERC20 token Vault and a Strategy on top of different DeFi protocols (like Uniswap, Yearn, etc.) and blockchains (like Ethereum, Optimism, etc.).

Vaults are smart contracts that put liquidity into different underlying protocols. The underlying protocol could be some well-known DeFi protocol like Uniswap, Sushiswap, Yearn, Compound, etc., or another Vault.
The tokens managed by Vault are fixed and immutable, i.e. Vault cannot start managing additional tokens or stop managing existing tokens. Each Vault can only put liquidity into one fixed underlying protocol.
When the Liquidity provider deposits liquidity into the Vault, he receives LP tokens back (or NFT token – that depends on a particular Vault). On withdrawal, the Liquidity provider burns the LP tokens and receives his liquidity and earned profits back.

The Strategy can only redistribute ERC-20 tokens between protocols. The tokens can leave the Vault only when the Liquidity provider withdraws them.”


Source: Mellow Protocol team

Mellow Protocol has really complex contracts and a really complex codebase. Our team was very happy to work with Chainsecurity. We were impressed by the professionalism and depth of the smart contracts study by Chainsecurity. The team's versatile approach helped us improve our codebase's security and effectiveness and added confidence before our protocol launch.

A huge thanks to the whole team and especially to Nico, Enis and Emilie for their patience and hard work!
Nick S, contributor @ Mellow Protocol