Yearn yETH Smart Contracts Security Audit

Summary

The most critical subjects covered in our review are asset solvency, functional correctness, access control and front-running. The security regarding functional correctness and front-running still has some potential to improve, see Implementation Mismatch With ERC-4626 and Possible to Frontrun the First Deposit in Pool. The security regarding other subjects is good.

Although we did not identify critical or highly severe issues during this review, we highlight that sandwiching attacks are a relevant risk for the system, since the curve's shape changes when Pool parameters are updated by privileged accounts or when the rates of underlying assets change significantly. Possible sandwiching attacks are described in section Notes.
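To make the "curve shape changes" point concrete, the following added example (not Yearn's yETH pool code, whose modified StableSwap has its own weights and rate handling) implements the plain two-asset StableSwap invariant from the Curve whitepaper in float arithmetic. It quotes the same trade on a constructed, already imbalanced pool at three amplification values, then compares an instantaneous parameter jump against a linear ramp of the parameter, which is the usual way to limit what a sandwicher can extract from such an update. The balances, the amplification values and the helper names `get_d`, `get_y`, `swap_output`, `ramp_a` and `max_step_shift` are all assumptions of this example.

```python
"""Two-asset StableSwap curve (Curve whitepaper invariant, float arithmetic).

Added example, not Yearn's yETH pool code. It shows how a change of the
amplification parameter A reshapes the curve and therefore the quote a
trader gets for the same swap before and after a parameter update.
"""

N = 2  # number of assets in the toy pool (assumption)


def get_d(xp, amp, tol=1e-9):
    """Solve the invariant for D by Newton iteration.

    Invariant: A*n^n*sum(x) + D = A*D*n^n + D^(n+1) / (n^n * prod(x))
    """
    s = sum(xp)
    ann = amp * N ** N
    d = s
    for _ in range(255):
        d_p = d
        for x in xp:
            d_p = d_p * d / (x * N)
        d_prev = d
        d = (ann * s + d_p * N) * d / ((ann - 1) * d + (N + 1) * d_p)
        if abs(d - d_prev) < tol:
            break
    return d


def get_y(i, j, x_new, xp, amp, tol=1e-9):
    """Given the post-trade balance x_new of asset i, solve for the balance of asset j."""
    d = get_d(xp, amp)
    ann = amp * N ** N
    c = d
    s_ = 0.0
    for k in range(N):
        if k == i:
            x = x_new
        elif k != j:
            x = xp[k]
        else:
            continue
        s_ += x
        c = c * d / (x * N)
    c = c * d / (ann * N)
    b = s_ + d / ann
    y = d
    for _ in range(255):
        y_prev = y
        y = (y * y + c) / (2 * y + b - d)
        if abs(y - y_prev) < tol:
            break
    return y


def swap_output(xp, i, j, dx, amp):
    """Amount of asset j received for dx of asset i (no fee)."""
    y = get_y(i, j, xp[i] + dx, xp, amp)
    return xp[j] - y


def ramp_a(a0, a1, t0, t1, t):
    """Linear ramp of A from a0 at t0 to a1 at t1: the mitigation for abrupt curve changes."""
    if t <= t0:
        return a0
    if t >= t1:
        return a1
    return a0 + (a1 - a0) * (t - t0) / (t1 - t0)


def max_step_shift(xp, i, j, dx, a0, a1, steps):
    """Largest change of the swap quote between two consecutive ramp steps."""
    quotes = [swap_output(xp, i, j, dx, ramp_a(a0, a1, 0, steps, t)) for t in range(steps + 1)]
    return max(abs(b - a) for a, b in zip(quotes, quotes[1:]))


# Constructed sample pool: 1200 of asset 0 and 800 of asset 1, already imbalanced.
POOL = [1200.0, 800.0]

if __name__ == "__main__":
    for amp in (10, 100, 1000):
        print(f"A={amp:5d}: 100 of asset 0 -> {swap_output(POOL, 0, 1, 100.0, amp):.3f} of asset 1")
    jump = swap_output(POOL, 0, 1, 100.0, 1000) - swap_output(POOL, 0, 1, 100.0, 100)
    ramped = max_step_shift(POOL, 0, 1, 100.0, 100, 1000, 10)
    print(f"instant A 100->1000 moves the quote by {jump:.3f}; "
          f"ramped over 10 steps the largest per-step move is {ramped:.3f}")
```

The higher A, the flatter the curve and the better the quote for a trade that worsens the imbalance, so a single transaction that raises A in one step hands whoever surrounds it a predictable quote difference; spreading the same change over many blocks keeps each block's shift small, which is what the example's last two numbers compare.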

Given the complexity of the system, we highly recommend significantly extending the test suite and only applying changes to the system after rigorous testing.

In summary, we currently find that the codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Yearn yETH Smart Contract

Yearn implements a modified StableSwap pool for liquid staking derivatives and a staking vault. The pool token is yETH and can be staked into the Staking contract to earn rewards.

Yearn Finance is “a suite of DeFi tools and products in an interconnected financial ecosystem running on various smart contracts. The yEarn Finance ecosystem is community-controlled and governed via a governance token called YFI.”

Source