YearnAgnostic Smart Contract Final Audit Report.

Introduction

✅Updated contracts:

🔹https://github.com/Yearn-Agnostic/contracts/blob/develop/contracts/YFIAGToken/TokenYFIAG.sol
[Commit ID: 75cd8dec70a475907b7138a469daab88d50f5a4a]

Overview of YearnAgnostic:

YearnAgnostic Finance supports decentralized finance (DeFi) projects deployed on the Ethereum blockchain, Binance Smart Chain, Tron chain, etc., focusing on simplicity, user experience, security and privacy. YearnAgnostic Finance is a DeFi yield aggregator platform providing a classical way to optimally earn yield or maximize profits on assets. YearnAgnostic Finance is a token-based ecosystem, and the underlying token is the YFIAG Token.

Scope of Audit:

The scope of this audit was to analyse YearnAgnostic smart contract codebase for quality, security, and correctness. Following is the list of smart contracts:

Checked Vulnerabilities:

We have scanned Yearn Agnostic smart contracts for commonly known and more specific vulnerabilities. Here are some of the commonly known vulnerabilities that we considered:

Techniques and Methods

Structural Analysis:

In this step, we analysed the design patterns and structure of the smart contracts. A thorough check was done to ensure the smart contract is structured in a way that will not result in future problems.

Static Analysis:

Static analysis of the smart contracts was done to identify contract vulnerabilities. In this step, a series of automated tools was used to test the security of the smart contracts.

Code Review / Manual Analysis:

Manual analysis or review of the code was done to identify new vulnerabilities or verify the vulnerabilities found during the static analysis. Contracts were completely manually analysed, their logic was checked and compared with the one described in the whitepaper. Besides, the results of the automated analysis were manually verified.

Gas Consumption:

In this step, we have checked the behaviour of smart contract in production. Checks were done to know how much gas gets consumed and the possibilities of optimization of code to reduce gas consumption.

Tools and Platforms used for Audit:

Remix IDE, Truffle, Truffle Team, Ganache, Solhint, Mythril, Manticore, Slither, SmartCheck.

Assessment Summary and Findings Overview

High Severity Issues:

A high severity issue or vulnerability means that your smart contract can be exploited. Issues on this level are critical to the smart contract’s performance or functionality, and we recommend these issues be fixed before moving to a live environment.

Medium Severity Issues:

The issues marked as medium severity usually arise because of errors and deficiencies in the smart contract code. Issues on this level could potentially bring problems, and they should still be fixed.

Low Severity Issues:

Low-level severity issues can cause minor impact and/or are just warnings that can remain unfixed for now. It would be better to fix these issues at some point in the future.

Informational:

These are severity four issues that indicate an improvement request, a general question, a cosmetic or documentation error, or a request for information. There is low-to-no impact.

Findings and Tech Details

High Severity Issues:

None.

Medium Severity Issues:

1. Reentrancy
One of the major dangers of calling external contracts is that they can take over the control flow and make changes to your data that the calling function wasn’t expecting. Calls to external functions/events should happen after any changes to state variables in your contract, so that your contract is not vulnerable to a reentrancy exploit. When control is transferred to the recipient, care must be taken not to create reentrancy vulnerabilities. OpenZeppelin has its own mutex implementation you can use, called ReentrancyGuard. This library provides a modifier called nonReentrant that you can apply to any function to guard it with a mutex.
Consider using ReentrancyGuard or the checks-effects-interactions pattern.
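
The ordering rule and the mutex described above, as an added example that is not taken from the audited YearnAgnostic contracts. `ExampleVault`, its functions and the inline `nonReentrant` modifier are hypothetical; the modifier is a simplified stand-in for OpenZeppelin's ReentrancyGuard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.6.12; // fixed compiler version, not a range

// Hypothetical ETH vault, constructed for illustration only.
contract ExampleVault {
    mapping(address => uint256) public balances;

    // Simplified stand-in for the mutex in OpenZeppelin's ReentrancyGuard.
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status != ENTERED, "reentrant call");
        status = ENTERED; // lock before the function body runs
        _;
        status = NOT_ENTERED; // unlock once the body has finished
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // BEFORE: the external call happens while the balance is still
    // unchanged, so the recipient's fallback can call back in and pass
    // the same check again. Do not deploy this form.
    function withdrawUnsafe(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount; // effect comes too late
    }

    // AFTER: checks, then effects, then interactions, plus the mutex
    // as a second layer in case another entry point is added later.
    function withdraw(uint256 amount) external nonReentrant {
        // 1. Check
        require(balances[msg.sender] >= amount, "insufficient balance");
        // 2. Effect: state is final before control leaves the contract
        balances[msg.sender] -= amount;
        // 3. Interaction: a re-entrant call now sees the reduced balance
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```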

Most Recent DeFi Reentrancy Attack: DFORCE
Code Lines:

▪️yVault.sol: deposit(uint256) [#142–158]
Auditor remarks: Fixed
▪️yWETH.sol: depositETH() [#21–35]
Auditor remarks: Fixed
▪️VotingPowerFees.sol: _withdrawFeesFor(address) [#82–98]
Auditor remarks: Fixed
▪️VotingPowerFeesAndRewards.sol: getReward() [#135–142]
Auditor remarks: Fixed
▪️Controller.sol: setStrategy(address,address) [#159–167]
Auditor remarks: Fixed
▪️Governance.sol: withdraw(uint256) [#290–295]
Auditor remarks: Fixed

Low Severity Issues:

1. The compiler version should be fixed
Solidity source files indicate the versions of the compiler they can be compiled with. It’s recommended to lock the compiler version in code, as future compiler versions may handle certain language constructions in a way the developer did not foresee. It is recommended to use any fixed compiler version from 0.6.12.
Auditor remarks: Fixed
Except for TokenYFIAG.sol, the compiler version is fixed. TokenYFIAG.sol has a compiler version in a range.

Informational:

1. Overpowered owner
The contract is tightly coupled to the owner, making some functions callable only by the owner’s address. This poses a serious risk: if the private key of the owner gets compromised, then an attacker can gain control over the contract.

Automated Testing

SmartCheck

SmartCheck is a tool for automated static analysis of Solidity source code for security vulnerabilities and best practices. SmartCheck translates Solidity source code into an XML-based intermediate representation and checks it against XPath patterns. SmartCheck shows significant improvements over existing alternatives in terms of false discovery rate (FDR) and false negative rate (FNR).

Mythril

Mythril is a security analysis tool for EVM bytecode. It detects security vulnerabilities in smart contracts built for Ethereum. It uses symbolic execution, SMT solving and taint analysis to detect a variety of security vulnerabilities.

Remix IDE

Remix is a powerful, open-source tool that helps you write Solidity contracts straight from the browser. Written in JavaScript, Remix supports both usage in the browser and locally.

Closing Summary

Overall, the smart contract code is extremely well documented, follows a high-quality software development standard, contains many utilities and automation scripts to support continuous deployment/testing/integration, and does NOT contain any obvious exploitation vectors that QuillAudits was able to leverage within the timeframe of testing allotted. Overall, the smart contracts adhered to ERC20 guidelines. No critical or major vulnerabilities were found in the audit. One issue of medium severity and several issues of low severity were found and reported during the audit. A few of them are fixed now.

Disclaimer

QuillHash audit is not a security warranty, investment advice, or an endorsement of the YearnAgnostic platform. This audit does not provide a security or correctness guarantee of the audited smart contracts. The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them. Securing smart contracts is a multistep process. One audit cannot be considered enough. We recommend that the YearnAgnostic Team put in place a bug bounty program to encourage further analysis of the smart contract by other third parties.
