Summary
The most critical subjects covered in our audit are the isolation of the pools, asset solvency and functional correctness.
The general subjects covered are usability, oracle security, access control, adherence to the specification and general design issues.
All issues uncovered during the review process have been addressed with suitable fixes. We believe the codebase to have a satisfactory level of security. The high complexity and extensibility of the project present a large attack surface. VESU internally relies primarily on one smart contract developer who, even though supported by external reviewers, has limited capacity for internal QA. During the audit timeline, significant improvements in design and overall code quality have been achieved, but some novel issues and regressions remained present during the last review cycle. In our experience, these factors combined present an elevated risk of undiscovered vulnerabilities in the current codebase.
Continuing to allocate sufficient time and resources, strengthening the robustness of the design, and introducing internal security-focused quality assurance practices such as thorough unit- and regression-testing can significantly increase the level of security of the codebase and our confidence in it.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Vesu Protocol Smart Contracts
VESU implements a fully permissionless DeFi lending protocol. Anyone can deploy and configure a pool. A core contract called Singleton holds all funds and manages all pools. All operations go through the Singleton; each pool has an extension which is called before and after any operation and defines the values used for that operation. A default extension is provided; arbitrary extensions and/or misconfigured parameters can break their respective pools without affecting the rest of the protocol.
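To make the isolation property concrete, the following is an added illustration written for this summary, not Vesu's Cairo code: a minimal Python model of a Singleton that physically holds all funds but keeps per-pool accounting, and that calls an untrusted per-pool extension before and after every operation. The pool ids, asset names, the `before`/`after` hook interface and the `BrokenExtension` are assumptions made for the example; it shows that a failing extension or an overdraw attempt only affects the pool it belongs to, because solvency is checked against the pool's own reserve rather than the Singleton's aggregate balance.

```python
# Added illustration (not Vesu's code): a model of a Singleton holding all
# funds with per-pool accounting and per-pool extension hooks. Pool ids,
# asset names and the extension interface are assumptions for this example.
from dataclasses import dataclass, field


class Extension:
    """Hypothetical extension interface: before() validates or adjusts the
    amount for an operation, after() observes the result. Extensions may be
    arbitrary code, so the Singleton treats their output as untrusted."""

    def before(self, op, pool, asset, amount):
        return amount  # default: pass the requested amount through unchanged

    def after(self, op, pool, asset, amount):
        pass


class BrokenExtension(Extension):
    """Misconfigured extension that rejects every operation. Only the pool
    using it should become unusable."""

    def before(self, op, pool, asset, amount):
        raise ValueError("extension misconfigured")


@dataclass
class Pool:
    extension: Extension
    reserves: dict = field(default_factory=dict)  # asset -> balance owned by this pool


class Singleton:
    def __init__(self):
        self.pools = {}
        self.total_held = {}  # asset -> funds physically held by the Singleton

    def create_pool(self, pool_id, extension):
        if pool_id in self.pools:
            raise ValueError("pool exists")
        self.pools[pool_id] = Pool(extension)

    def _run(self, op, pool_id, asset, amount):
        pool = self.pools[pool_id]
        # The extension is consulted first; any failure aborts only this operation.
        amount = pool.extension.before(op, pool, asset, amount)
        if not isinstance(amount, int) or amount <= 0:
            raise ValueError("extension returned invalid amount")
        if op == "deposit":
            pool.reserves[asset] = pool.reserves.get(asset, 0) + amount
            self.total_held[asset] = self.total_held.get(asset, 0) + amount
        elif op == "withdraw":
            # Solvency is checked against the pool's own reserve, not the
            # Singleton's aggregate balance, so no pool can draw another's assets.
            if pool.reserves.get(asset, 0) < amount:
                raise ValueError("insufficient pool reserve")
            pool.reserves[asset] -= amount
            self.total_held[asset] -= amount
        else:
            raise ValueError("unknown op")
        pool.extension.after(op, pool, asset, amount)
        return amount

    def deposit(self, pool_id, asset, amount):
        return self._run("deposit", pool_id, asset, amount)

    def withdraw(self, pool_id, asset, amount):
        return self._run("withdraw", pool_id, asset, amount)


def _fails(fn):
    """Return True if fn() raises ValueError, False otherwise."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo():
    """Three pools share one Singleton: A is healthy, B has a broken extension,
    C is healthy but empty. Returns the observed outcomes for checking."""
    s = Singleton()
    s.create_pool("A", Extension())
    s.create_pool("B", BrokenExtension())
    s.create_pool("C", Extension())
    s.deposit("A", "ETH", 100)  # Singleton now holds 100 ETH, all owned by A
    b_failed = _fails(lambda: s.deposit("B", "ETH", 50))       # B unusable
    cross_pool = _fails(lambda: s.withdraw("C", "ETH", 10))    # C cannot touch A's funds
    overdraw = _fails(lambda: s.withdraw("A", "ETH", 101))     # A bounded by own reserve
    s.withdraw("A", "ETH", 40)                                 # A still works normally
    return {"b_failed": b_failed, "cross_pool_rejected": cross_pool,
            "overdraw_rejected": overdraw,
            "a_reserve": s.pools["A"].reserves["ETH"], "held": s.total_held["ETH"]}
```

Running `demo()` shows pool A operating normally while pool B is unusable and pool C cannot withdraw assets it never deposited, even though the Singleton's aggregate balance would cover the request. The per-pool reserve check in `_run` is the invariant an auditor would look for when reviewing pool isolation and asset solvency.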
