Summary
For this assessment Yearn redesigned the Yearn Vault system for voting-escrow-locked CRV tokens. The new yCRV Vault allows unidirectional conversion of CRV and old yveCRV tokens into new yCRV Vault tokens. A second contract, ZapYCRV, is a helper converter that allows conversions between the different CRV- and yCRV-related tokens. Using it, users can convert the allowed tokens into lp-yCRV (the Curve StableSwap CRV/yCRV LP token) and st-yCRV (the staked, auto-compounding yCRV token).
The most critical subjects covered in our audit are solvency, functional correctness and compatibility with external systems. Security regarding system solvency is high after the fix of a critical bug that caused users not to receive their tokens (see LPYCRV Outputs Not Transferred to User). Functional correctness is high. Compatibility with external systems is satisfactory, due to a justified potential delay in CRV tokens being locked (see CRV Not Locked When Used to Mint YCRV).
The general subjects covered are specification and error handling. Documentation and specification are outdated and require significant extension, since the system's intentions and features are not fully described. Error handling is extensive.
In summary, we find that the codebase provides a satisfactory level of security. Discovered findings have been fixed or their risks were accepted by Yearn. We advise revisiting and addressing the issues for which the risks were accepted. In addition, prior to deployment, we suggest using extensive testing techniques such as property-based testing and forked-mainnet testing to avoid potential problems with the upgrade of the yveCRV system.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.
About Yearn Finance yCRV and ZapYCRV
Yearn Finance is “a suite of DeFi tools and products in an interconnected financial ecosystem running on various smart contracts. The yEarn Finance ecosystem is community-controlled and governed via a governance token called YFI.”