← Back to Audits

Yield Contracts - Mevvy

Prepared by:

Halborn Logo

HALBORN

Last Updated 04/01/2025

Date of Engagement: March 26th, 2025 - April 1st, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

27

Critical

0

High

1

Medium

3

Low

7

Informational

16

Table of Contents

1. Introduction

Mevvy engaged Halborn to conduct a security assessment on their smart contracts beginning on March 17th, 2025 and ending on March 21st, 2025. The security assessment was scoped to the smart contracts provided to Halborn. Commit hashes and further details can be found in the Scope section of this report.


The Mevvy codebase in scope consists of a strategy implementation that automatically routes funds to highest yielding protocols, including Aave, Compound and Morpho.

2. Assessment Summary

Halborn was provided 5 days for the engagement and assigned 1 full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.


The purpose of the assessment is to:

    • Identify potential security issues within the smart contracts.

    • Ensure that smart contract functionality operates as intended.


In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Mevvy team. The main ones are the following:

    • The _withdrawOptimally() function should be updated to correctly handle its input parameter as the remaining amount needed from protocols, without recalculating or double-subtracting the contract's balance.

    • Modify the _deposit() function to include TVL limit checks similar to those in _depositToProtocols().

    • Modify the first deposit logic to respect TVL limits by calculating the maximum allowed amount based on the protocol's limit, even for first deposits.


3. Test Approach and Methodology

Halborn performed a combination of manual review of the code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of smart contracts and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the assessment:

    • Research into architecture, purpose and use of the platform.

    • Smart contract manual code review and walkthrough to identify any logic issue.

    • Thorough assessment of safety and usage of critical Solidity variables and functions in scope that could led to arithmetic related vulnerabilities.

    • Local testing with custom scripts (Foundry).

    • Fork testing against main networks (Foundry).

    • Static analysis of security for scoped contract, and imported functions (Slither).


4. Static Analysis Report

4.1 Description

Halborn used automated testing techniques to enhance the coverage of certain areas of the smart contracts in scope. Among the tools used was Slither, a Solidity static analysis framework. After Halborn verified the smart contracts in the repository and was able to compile them correctly into their abis and binary format, Slither was run against the contracts. This tool can statically verify mathematical relationships between Solidity variables to detect invalid or inconsistent usage of the contracts' APIs across the entire code-base.


The security team assessed all findings identified by the Slither software, however, findings with related to external dependencies are not included in the below results for the sake of report readability.

4.2 Output

The findings obtained as a result of the Slither scan were reviewed, and many were not included in the report because they were determined as false positives.











5. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.
The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.
The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.
The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.
The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

5.1 EXPLOITABILITY

Attack Origin (AO):
Captures whether the attack requires compromising a specific account.
Attack Cost (AC):
Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.
Attack Complexity (AX):
Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.
Metrics:
EXPLOITABILITY METRIC (mem_e)METRIC VALUENUMERICAL VALUE
Attack Origin (AO)Arbitrary (AO:A)
Specific (AO:S)		1
0.2
Attack Cost (AC)Low (AC:L)
Medium (AC:M)
High (AC:H)		1
0.67
0.33
Attack Complexity (AX)Low (AX:L)
Medium (AX:M)
High (AX:H)		1
0.67
0.33
Exploitability EE is calculated using the following formula:

E=meE = \prod m_e

5.2 IMPACT

Confidentiality (C):
Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.
Integrity (I):
Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.
Availability (A):
Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.
Deposit (D):
Measures the impact to the deposits made to the contract by either users or owners.
Yield (Y):
Measures the impact to the yield generated by the contract for either users or owners.
Metrics:
IMPACT METRIC (mIm_I)METRIC VALUENUMERICAL VALUE
Confidentiality (C)None (C:N)
Low (C:L)
Medium (C:M)
High (C:H)
Critical (C:C)		0
0.25
0.5
0.75
1
Integrity (I)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)		0
0.25
0.5
0.75
1
Availability (A)None (A:N)
Low (A:L)
Medium (A:M)
High (A:H)
Critical (A:C)		0
0.25
0.5
0.75
1
Deposit (D)None (D:N)
Low (D:L)
Medium (D:M)
High (D:H)
Critical (D:C)		0
0.25
0.5
0.75
1
Yield (Y)None (Y:N)
Low (Y:L)
Medium (Y:M)
High (Y:H)
Critical (Y:C)		0
0.25
0.5
0.75
1
Impact II is calculated using the following formula:

I=max(mI)+mImax(mI)4I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}

5.3 SEVERITY COEFFICIENT

Reversibility (R):
Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.
Scope (S):
Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.
Metrics:
SEVERITY COEFFICIENT (CC)COEFFICIENT VALUENUMERICAL VALUE
Reversibility (rr)None (R:N)
Partial (R:P)
Full (R:F)		1
0.5
0.25
Scope (ss)Changed (S:C)
Unchanged (S:U)		1.25
1
Severity Coefficient CC is obtained by the following product:

C=rsC = rs

The Vulnerability Severity Score SS is obtained by:

S=min(10,EIC10)S = min(10, EIC * 10)

The score is rounded up to 1 decimal places.
SeverityScore Value Range
Critical9 - 10
High7 - 8.9
Medium4.5 - 6.9
Low2 - 4.4
Informational0 - 1.9

6. SCOPE

REPOSITORY
(a) Repository: mevvy-yield-contracts
(b) Assessed Commit ID: 50762c5
(c) Items in scope:
  • contracts/core/libraries/WadRayMath.sol
  • contracts/protocols/aave/src/AaveAdapter.sol
  • contracts/protocols/compound/src/CompoundAdapter.sol
↓ Expand ↓
Out-of-Scope: Mocks and interfaces., Third party dependencies and economic attacks.
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

7. Assessment Summary & Findings Overview

Critical

0

High

1

Medium

3

Low

7

Informational

16

Security analysisRisk levelRemediation Date
Impossibility to withdraw assets across protocolsHighSolved - 03/21/2025
Missing TVL limit check in default protocol depositsMediumRisk Accepted - 03/26/2025
TVL limit bypass on first depositMediumSolved - 03/25/2025
Revenue loss due to missing fee processing in withdrawFees()MediumSolved - 03/23/2025
Unallocated funds without notification when protocols reach TVL limitsLowSolved - 03/25/2025
TVL limit bypass after complete withdrawalLowSolved - 03/25/2025
Single step ownership transfer processLowSolved - 03/26/2025
Use of non-compliant tokens may break contract functionalityLowSolved - 03/26/2025
Default protocol removal handling issueLowSolved - 03/26/2025
Missing _disableInitializers() function callLowSolved - 03/23/2025
Permission revocation failure in blockCompound functionLowSolved - 03/23/2025
Missing pausing/unpausing mechanismInformationalSolved - 03/26/2025
Missing index update in withdrawFees functionInformationalSolved - 03/23/2025
Unoptimized for loopsInformationalSolved - 03/28/2025
Inconsistent reentrancy protection pattern in admin functionsInformationalSolved - 03/27/2025
Missing eventsInformationalSolved - 03/28/2025
Unhandled return valuesInformationalAcknowledged - 03/26/2025
Inconsistent withdrawal pattern in withdrawFees() functionInformationalSolved - 03/21/2025
Missing input validationInformationalSolved - 03/27/2025
Ordering for nonReentrant modifierInformationalSolved - 03/25/2025
Public functions can be marked externalInformationalSolved - 03/27/2025
Use of revert strings instead of custom errorsInformationalSolved - 03/28/2025
Lack of named mappingsInformationalSolved - 03/27/2025
Use of magic numbersInformationalSolved - 03/27/2025
Lack of upgradeable storage management patternInformationalSolved - 03/27/2025
Floating pragmaInformationalSolved - 03/28/2025
Unnecessary gas consumption due to suboptimal coding patternsInformationalSolved - 03/28/2025

8. Findings & Tech Details

8.1 Impossibility to withdraw assets across protocols

//

High

Description
Proof of Concept
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/9/commits/cd86b8e67e38fa1833e16067bcb2bc089f6236e3
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L194-L215
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L167

8.2 Missing TVL limit check in default protocol deposits

//

Medium

Description
BVSS
Recommendation
Remediation Comment
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L519-L526
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L129-L144

8.3 TVL limit bypass on first deposit

//

Medium

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/14/commits/2a481b8c41ddff010553f322fdeb3cc396013c8c
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L160C1-L171C6

8.4 Revenue loss due to missing fee processing in withdrawFees()

//

Medium

Description
Proof of Concept
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/10/commits/1e14a856cd7342775d78fbe076c853aab1bb124d
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L120-L139

8.5 Unallocated funds without notification when protocols reach TVL limits

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/17/commits/aaa4675d40762fb97119133f9aa84ffed211b518
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L146-L187

8.6 TVL limit bypass after complete withdrawal

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/14/commits/2a481b8c41ddff010553f322fdeb3cc396013c8c
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L146-L187

8.7 Single step ownership transfer process

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/18/commits
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L15

8.8 Use of non-compliant tokens may break contract functionality

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/19/commits/1b2c320a8980551eae0180dd778ae6ef95f788a7
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L96
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L116
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L98
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L104
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L149
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L133
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L169
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L205
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L227

8.9 Default protocol removal handling issue

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/16/commits/bdcb598a1dc0a99a782509a66f2213c2df18c023
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L104-L112

8.10 Missing _disableInitializers() function call

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/13/commits/68d8ece4f4db8544c18096b4cd7a1ca21449e505
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L12

8.11 Permission revocation failure in blockCompound function

//

Low

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/11/commits/6b1910b74422f95057934c78ff0e89c57071b088
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L95-L97

8.12 Missing pausing/unpausing mechanism

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/20/commits/132ee341b05d9797650362d2c1094b4c875e7283
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L13

8.13 Missing index update in withdrawFees function

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/12/commits/0a4a25679d22a7df3e7477a22eea110a077403d6
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

8.14 Unoptimized for loops

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/31/commits/da8e0b50ce845bb525449514840cd05bd3b1eefc
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L197
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L67
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L204
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L239
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L252
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L257
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L312
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L363
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L395
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L400
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L444
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L468-L489

8.15 Inconsistent reentrancy protection pattern in admin functions

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/22/commits/8a259ee5f0fde468b0c142d71091e0b5fe81ed97
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

8.16 Missing events

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/30/commits/af549c9321b85556b44ceb2c6dffa5f9b1de2fdb
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L54
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L93
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L108
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L127
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L51
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L94
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L112
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L131
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L50
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L60
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L100
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L118
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L132
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L85
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L95
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L120
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L179
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L192
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L161

8.17 Unhandled return values

//

Informational

Description
BVSS
Recommendation
Remediation Comment
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L139-L145
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L107
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L127
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L134
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L62
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L210
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L268

8.18 Inconsistent withdrawal pattern in withdrawFees() function

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/9/commits/cd86b8e67e38fa1833e16067bcb2bc089f6236e3
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

8.19 Missing input validation

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/21/commits/dac746857bdc1662942b9448dba28c6b55bb0732
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L91-L97
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L103-L106

8.20 Ordering for nonReentrant modifier

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/15/commits/6714e009d8840bda22018061ea8f4c1c7250d543
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L93
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L112
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L132
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L94
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L116
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L136
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L100
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L122
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L137
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L192
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L238

8.21 Public functions can be marked external

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/25/commits/971941967736d00fa1976a596cd1f487e647c4b5
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L148
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L156
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L129

8.22 Use of revert strings instead of custom errors

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/29/commits/96b722d129b399c3a8824ca242e5510819465b4e
References
SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L110
SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L113
SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L130-L134
SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L178-L185
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L82
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L94
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L114
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L133
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L64
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L82
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L96-L98
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L118
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L138-L139
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L88
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L102-L104
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L124
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L138
SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L25
SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L41
SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L52
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L130-L133
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L151
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L162
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L193-L205
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L214
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L224
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L40
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L56
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L92-L93
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L293
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L304
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L340
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L345
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L354
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L504
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L520-L521

8.23 Lack of named mappings

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/24/commits/729370cc4c2c09e60a507c6424e76ef5f07099ac
References
SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L24
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L23
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L22
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L23
SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L13
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L15-L18

8.24 Use of magic numbers

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/26/commits/e0fb94fc01e2f748bff7a35e1c13a38b19deb18f
References
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L70
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L70
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L76

8.25 Lack of upgradeable storage management pattern

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/27/commits/6a77b17ec725188d06e95183f5929579738d20f8
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L15
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L15

8.26 Floating pragma

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/33/commits/596c64949986321b67f0ea85f1ea44560f4c29dd
References
SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L2
SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L2
SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L2
SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L2
SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L2
SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L2
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol

8.27 Unnecessary gas consumption due to suboptimal coding patterns

//

Informational

Description
BVSS
Recommendation
Remediation Comment
Remediation Hash
https://github.com/SiloMEV/mevvy-yield-contracts/pull/32/commits/d9f69740db501176f0ce1e4d9fc0486b86ee2ccb
References
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L392-L393
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L399
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L306
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L340
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L345
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L504
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L520
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L56
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L92
SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L293

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

Yield Contracts

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed