Yelay Lite smart contracts

Summary

The code is well structured and implements an upgrade architecture similar to the diamond proxy upgrade pattern. The most critical subjects covered in our audit are functional correctness and arithmetic correctness. The most severe issues are an incorrectly calculated redeem (Incomplete fund transfer when withdrawing) and a double-counted balance when swapping (double-counting in swap). All issues were addressed and resolved if necessary. We advised extending the test suite, as the issues could have been caught by, e.g., testing redeems with strategies that partially fulfill the request.

The team was always very responsive and clarified all questions quickly and professionally. In summary, we find that the current codebase provides a good level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Yelay Lite smart contracts

Yelay implements a dedicated vault system that directs all yield into a yield extractor. Users will be rewarded outside of the protocol from the respective clients. The vault is for approved projects only.

Working with ChainSecurity was a great experience due to their pragmatic approach. Unbiased and thorough, the team genuinely strives to understand the business case behind the smart contracts. While meticulously highlighting all potential security risks, they always keep the business objectives in focus.
Konstantin Samarin, Solidity Developer at Yelay