Skip to main content

Vesper Strategies Delta

Smart Contract Security Assessment

December 14, 2022

Vesper

SUMMARY

ID
Description
STATUS
A1
Gas optimization
resolved
A2
Code reuse in CompoundV3
info
A3
Compiler bugs
info

ABSTRACT

Dedaub was commissioned to perform a security audit of several smart contract modules of the Vesper finance protocol.

This audit includes newly developed Strategies under the at-the-time private repository bloqpriv/vesper-contracts/vesper-strategies, at commit hash 027b64513697a79967444c332d18a2e78353a619.

Two auditors worked on the codebase on the following contracts:

vesper-strategies/contracts/strategies/
  • Strategy.sol
  • alpaca/
    • Alpaca.sol
    • AlpacaBNB.sol
  • compound/v3/
    • CompoundV3.sol
    • CompoundV3VesperXy.sol
    • CompoundV3Xy.sol
  • dot-dot/
    • DotDot.sol
  • ellipsis/
    • Ellipsis.sol
  • wombat/
    • Wombat.sol

SETTING & CAVEATS

The audit’s main target is security threats, i.e., what the community understanding would likely call "hacking", rather than the regular use of the protocol. Functional correctness (i.e. issues in "regular use") is a secondary consideration. Typically it can only be covered if we are provided with unambiguous (i.e. full-detail) specifications of what is the expected, correct behavior. In terms of functional correctness, we often trusted the code’s calculations and interactions, in the absence of any other specification. Functional correctness relative to low-level calculations (including units, scaling and quantities returned from external protocols) is generally most effectively done through thorough testing rather than human auditing.


VULNERABILITIES & FUNCTIONAL ISSUES

This section details issues affecting the functionality of the contract. Dedaub generally categorizes issues according to the following severities, but may also take other considerations into account such as impact or difficulty in exploitation:

Category
Description
CRITICAL
Can be profitably exploited by any knowledgeable third-party attacker to drain a portion of the system’s or users’ funds OR the contract does not function as intended and severe loss of funds may result.
HIGH
Third-party attackers or faulty functionality may block the system or cause the system or users to lose funds. Important system invariants can be violated.
MEDIUM
Examples:
  • User or system funds can be lost when third-party systems misbehave.
  • DoS, under specific conditions.
  • Part of the functionality becomes unusable due to a programming error.
LOW
Examples:
  • Breaking important system invariants but without apparent consequences.
  • Buggy functionality for trusted users where a workaround exists.
  • Security issues which may manifest when the system evolves.

Issue resolution includes “dismissed” or “acknowledged” but no action taken, by the client, or “resolved”, per the auditors.


CRITICAL SEVERITY

[No critical severity issues]


HIGH SEVERITY

[No high severity issues]


MEDIUM SEVERITY

[No medium severity issues]


LOW SEVERITY

[No low severity issues]


OTHER / ADVISORY ISSUES

This section details issues that are not thought to directly affect the functionality of the project, but we recommend considering them.

A1

Gas optimization

A1ADVISORY
Gas optimization
resolved

The function _approveToken is called twice in Strategy::approveToken, first to set it to zero, then to MAX_UINT_VALUE. This is because OpenZeppelin’s safeApprove requires the previous approval to be zero. Although this is generally good practice, in this context there is no security issue with directly setting the value to MAX_UINT_VALUE, so some gas can be saved by using a custom safeApprove function and performing a single call.

A2

Code reuse in CompoundV3

A2ADVISORY
Code reuse in CompoundV3
info

A large part of the code is shared between Compound and CompoundV3. To improve code readability and maintenance, it might be worth reusing the code by having a common base class.

A3

Compiler bugs

A3ADVISORY
Compiler bugs
info

The code is compiled with Solidity 0.8.9. Version 0.8.9, in particular, has some known bugs, which we do not believe affect the correctness of the contracts.



DISCLAIMER

The audited contracts have been analyzed using automated techniques and extensive human inspection in accordance with state-of-the-art practices as of the date of this report. The audit makes no statements or warranties on the security of the code. On its own, it cannot be considered a sufficient assessment of the correctness of the contract. While we have conducted an analysis to the best of our ability, it is our recommendation for high-value contracts to commission several independent audits, a public bug bounty program, as well as continuous security auditing and monitoring through Dedaub Security Suite.


ABOUT DEDAUB

Dedaub offers significant security expertise combined with cutting-edge program analysis technology to secure some of the most prominent protocols in DeFi. The founders, as well as many of Dedaub's auditors, have a strong academic research background together with a real-world hacker mentality to secure code. Protocol blockchain developers hire us for our foundational analysis tools and deep expertise in program analysis, reverse engineering, DeFi exploits, cryptography and financial mathematics.