Yield Contracts - Mevvy

Prepared by:

HALBORN

Last Updated 04/01/2025

Date of Engagement: March 26th, 2025 - April 1st, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

Critical

High

Medium

Low

Informational

1. Introduction
2. Assessment summary
3. Test approach and methodology
4. Static analysis report

4.1 Description
4.2 Output

5. Risk methodology
6. Scope
7. Assessment summary & findings overview
8. Findings & Tech Details

8.1 Impossibility to withdraw assets across protocols
8.2 Missing tvl limit check in default protocol deposits
8.3 Tvl limit bypass on first deposit
8.4 Revenue loss due to missing fee processing in withdrawfees()
8.5 Unallocated funds without notification when protocols reach tvl limits
8.6 Tvl limit bypass after complete withdrawal
8.7 Single step ownership transfer process
8.8 Use of non-compliant tokens may break contract functionality
8.9 Default protocol removal handling issue
8.10 Missing _disableinitializers() function call
8.11 Permission revocation failure in blockcompound function
8.12 Missing pausing/unpausing mechanism
8.13 Missing index update in withdrawfees function
8.14 Unoptimized for loops
8.15 Inconsistent reentrancy protection pattern in admin functions
8.16 Missing events
8.17 Unhandled return values
8.18 Inconsistent withdrawal pattern in withdrawfees() function
8.19 Missing input validation
8.20 Ordering for nonreentrant modifier
8.21 Public functions can be marked external
8.22 Use of revert strings instead of custom errors
8.23 Lack of named mappings
8.24 Use of magic numbers
8.25 Lack of upgradeable storage management pattern
8.26 Floating pragma
8.27 Unnecessary gas consumption due to suboptimal coding patterns

1. Introduction

Mevvy engaged Halborn to conduct a security assessment on their smart contracts beginning on March 17th, 2025 and ending on March 21st, 2025. The security assessment was scoped to the smart contracts provided to Halborn. Commit hashes and further details can be found in the Scope section of this report.

The Mevvy codebase in scope consists of a strategy implementation that automatically routes funds to highest yielding protocols, including Aave, Compound and Morpho.

2. Assessment Summary

Halborn was provided 5 days for the engagement and assigned 1 full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

Identify potential security issues within the smart contracts.
Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Mevvy team. The main ones are the following:

The _withdrawOptimally() function should be updated to correctly handle its input parameter as the remaining amount needed from protocols, without recalculating or double-subtracting the contract's balance.
Modify the _deposit() function to include TVL limit checks similar to those in _depositToProtocols().
Modify the first deposit logic to respect TVL limits by calculating the maximum allowed amount based on the protocol's limit, even for first deposits.

3. Test Approach and Methodology

Halborn performed a combination of manual review of the code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of smart contracts and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the assessment:

Research into architecture, purpose and use of the platform.
Smart contract manual code review and walkthrough to identify any logic issue.
Thorough assessment of safety and usage of critical Solidity variables and functions in scope that could led to arithmetic related vulnerabilities.
Local testing with custom scripts (Foundry).
Fork testing against main networks (Foundry).
Static analysis of security for scoped contract, and imported functions (Slither).

4. Static Analysis Report

4.1 Description

Halborn used automated testing techniques to enhance the coverage of certain areas of the smart contracts in scope. Among the tools used was Slither, a Solidity static analysis framework. After Halborn verified the smart contracts in the repository and was able to compile them correctly into their abis and binary format, Slither was run against the contracts. This tool can statically verify mathematical relationships between Solidity variables to detect invalid or inconsistent usage of the contracts' APIs across the entire code-base.

The security team assessed all findings identified by the Slither software, however, findings with related to external dependencies are not included in the below results for the sake of report readability.

4.2 Output

The findings obtained as a result of the Slither scan were reviewed, and many were not included in the report because they were determined as false positives.

5. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.

The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.

The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.

The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.

The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

5.1 EXPLOITABILITY

Attack Origin (AO):

Captures whether the attack requires compromising a specific account.

Attack Cost (AC):

Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.

Attack Complexity (AX):

Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.

Metrics:

EXPLOITABILITY METRIC ( $m_e$ )	METRIC VALUE	NUMERICAL VALUE
Attack Origin (AO)	Arbitrary (AO:A) Specific (AO:S)	1 0.2
Attack Cost (AC)	Low (AC:L) Medium (AC:M) High (AC:H)	1 0.67 0.33
Attack Complexity (AX)	Low (AX:L) Medium (AX:M) High (AX:H)	1 0.67 0.33

Exploitability

E

is calculated using the following formula:

$E = \prod m_e$

5.2 IMPACT

Confidentiality (C):

Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.

Integrity (I):

Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.

Availability (A):

Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.

Deposit (D):

Measures the impact to the deposits made to the contract by either users or owners.

Yield (Y):

Measures the impact to the yield generated by the contract for either users or owners.

Metrics:

IMPACT METRIC ( $m_I$ )	METRIC VALUE	NUMERICAL VALUE
Confidentiality (C)	None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C)	0 0.25 0.5 0.75 1
Integrity (I)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Availability (A)	None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C)	0 0.25 0.5 0.75 1
Deposit (D)	None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C)	0 0.25 0.5 0.75 1
Yield (Y)	None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C)	0 0.25 0.5 0.75 1

Impact

I

is calculated using the following formula:

$I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}$

5.3 SEVERITY COEFFICIENT

Reversibility (R):

Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.

Scope (S):

Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.

Metrics:

SEVERITY COEFFICIENT ( $C$ )	COEFFICIENT VALUE	NUMERICAL VALUE
Reversibility ( $r$ )	None (R:N) Partial (R:P) Full (R:F)	1 0.5 0.25
Scope ( $s$ )	Changed (S:C) Unchanged (S:U)	1.25 1

Severity Coefficient

C

is obtained by the following product:

$C = rs$

The Vulnerability Severity Score

S

is obtained by:

$S = min(10, EIC * 10)$

The score is rounded up to 1 decimal places.

Severity	Score Value Range
Critical	9 - 10
High	7 - 8.9
Medium	4.5 - 6.9
Low	2 - 4.4
Informational	0 - 1.9

6. SCOPE

REPOSITORY

(a) Repository: mevvy-yield-contracts

(b) Assessed Commit ID: 50762c5

contracts/core/libraries/WadRayMath.sol
contracts/protocols/aave/src/AaveAdapter.sol
contracts/protocols/compound/src/CompoundAdapter.sol

↓ Expand ↓

Out-of-Scope: Mocks and interfaces., Third party dependencies and economic attacks.

Remediation Commit ID:

Out-of-Scope: New features/implementations after the remediation commit IDs.

7. Assessment Summary & Findings Overview

Critical

High

Medium

Low

Informational

Security analysis	Risk level	Remediation Date
Impossibility to withdraw assets across protocols	High	Solved - 03/21/2025
Missing TVL limit check in default protocol deposits	Medium	Risk Accepted - 03/26/2025
TVL limit bypass on first deposit	Medium	Solved - 03/25/2025
Revenue loss due to missing fee processing in withdrawFees()	Medium	Solved - 03/23/2025
Unallocated funds without notification when protocols reach TVL limits	Low	Solved - 03/25/2025
TVL limit bypass after complete withdrawal	Low	Solved - 03/25/2025
Single step ownership transfer process	Low	Solved - 03/26/2025
Use of non-compliant tokens may break contract functionality	Low	Solved - 03/26/2025
Default protocol removal handling issue	Low	Solved - 03/26/2025
Missing _disableInitializers() function call	Low	Solved - 03/23/2025
Permission revocation failure in blockCompound function	Low	Solved - 03/23/2025
Missing pausing/unpausing mechanism	Informational	Solved - 03/26/2025
Missing index update in withdrawFees function	Informational	Solved - 03/23/2025
Unoptimized for loops	Informational	Solved - 03/28/2025
Inconsistent reentrancy protection pattern in admin functions	Informational	Solved - 03/27/2025
Missing events	Informational	Solved - 03/28/2025
Unhandled return values	Informational	Acknowledged - 03/26/2025
Inconsistent withdrawal pattern in withdrawFees() function	Informational	Solved - 03/21/2025
Missing input validation	Informational	Solved - 03/27/2025
Ordering for nonReentrant modifier	Informational	Solved - 03/25/2025
Public functions can be marked external	Informational	Solved - 03/27/2025
Use of revert strings instead of custom errors	Informational	Solved - 03/28/2025
Lack of named mappings	Informational	Solved - 03/27/2025
Use of magic numbers	Informational	Solved - 03/27/2025
Lack of upgradeable storage management pattern	Informational	Solved - 03/27/2025
Floating pragma	Informational	Solved - 03/28/2025
Unnecessary gas consumption due to suboptimal coding patterns	Informational	Solved - 03/28/2025

8. Findings & Tech Details

8.1 Impossibility to withdraw assets across protocols

High

Description

Proof of Concept

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:M/I:N/D:H/Y:N (8.8)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/9/commits/cd86b8e67e38fa1833e16067bcb2bc089f6236e3

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L194-L215

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L167

8.2 Missing TVL limit check in default protocol deposits

Medium

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:M (6.3)

Recommendation

Remediation Comment

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L519-L526

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L129-L144

8.3 TVL limit bypass on first deposit

Medium

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (5.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/14/commits/2a481b8c41ddff010553f322fdeb3cc396013c8c

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L160C1-L171C6

8.4 Revenue loss due to missing fee processing in withdrawFees()

Medium

Description

Proof of Concept

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:M/Y:N (5.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/10/commits/1e14a856cd7342775d78fbe076c853aab1bb124d

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L120-L139

8.5 Unallocated funds without notification when protocols reach TVL limits

Low

Description

BVSS

AO:A/AC:L/AX:M/R:N/S:U/C:N/A:N/I:M/D:N/Y:M (4.2)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/17/commits/aaa4675d40762fb97119133f9aa84ffed211b518

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L146-L187

8.6 TVL limit bypass after complete withdrawal

Low

Description

BVSS

AO:A/AC:L/AX:M/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (3.4)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/14/commits/2a481b8c41ddff010553f322fdeb3cc396013c8c

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L146-L187

8.7 Single step ownership transfer process

Low

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:H/I:H/D:H/Y:H (2.6)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/18/commits

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L15

8.8 Use of non-compliant tokens may break contract functionality

Low

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:C/I:C/D:N/Y:N (2.5)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/19/commits/1b2c320a8980551eae0180dd778ae6ef95f788a7

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L96

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L116

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L98

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L104

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L149

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L133

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L169

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L205

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L227

8.9 Default protocol removal handling issue

Low

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:H/I:H/D:H/Y:N (2.3)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/16/commits/bdcb598a1dc0a99a782509a66f2213c2df18c023

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L104-L112

8.10 Missing _disableInitializers() function call

Low

Description

BVSS

AO:A/AC:M/AX:M/R:N/S:U/C:N/A:M/I:N/D:N/Y:N (2.2)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/13/commits/68d8ece4f4db8544c18096b4cd7a1ca21449e505

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L12

8.11 Permission revocation failure in blockCompound function

Low

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:M/I:H/D:M/Y:N (2.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/11/commits/6b1910b74422f95057934c78ff0e89c57071b088

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L95-L97

8.12 Missing pausing/unpausing mechanism

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:M/I:M/D:M/Y:M (1.8)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/20/commits/132ee341b05d9797650362d2c1094b4c875e7283

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L13

8.13 Missing index update in withdrawFees function

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:N/I:M/D:N/Y:M (1.3)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/12/commits/0a4a25679d22a7df3e7477a22eea110a077403d6

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

8.14 Unoptimized for loops

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:M/I:L/D:N/Y:N (1.1)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/31/commits/da8e0b50ce845bb525449514840cd05bd3b1eefc

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L197

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L67

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L204

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L239

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L252

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L257

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L312

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L363

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L395

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L400

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L444

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L468-L489

8.15 Inconsistent reentrancy protection pattern in admin functions

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:L/Y:N (0.6)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/22/commits/8a259ee5f0fde468b0c142d71091e0b5fe81ed97

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

8.16 Missing events

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (0.5)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/30/commits/af549c9321b85556b44ceb2c6dffa5f9b1de2fdb

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L54

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L93

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L108

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L127

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L51

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L94

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L112

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L131

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L50

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L60

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L100

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L118

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L132

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L85

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L95

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L120

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L179

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L192

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L161

8.17 Unhandled return values

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (0.5)

Recommendation

Remediation Comment

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L139-L145

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L107

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L127

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L134

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L62

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L210

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L268

8.18 Inconsistent withdrawal pattern in withdrawFees() function

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (0.5)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/9/commits/cd86b8e67e38fa1833e16067bcb2bc089f6236e3

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L213-L230

8.19 Missing input validation

Informational

Description

BVSS

AO:S/AC:L/AX:L/R:N/S:U/C:N/A:N/I:L/D:N/Y:N (0.5)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/21/commits/dac746857bdc1662942b9448dba28c6b55bb0732

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L91-L97

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L103-L106

8.20 Ordering for nonReentrant modifier

Informational

Description

BVSS

AO:S/AC:H/AX:H/R:N/S:U/C:N/A:N/I:M/D:N/Y:N (0.1)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/15/commits/6714e009d8840bda22018061ea8f4c1c7250d543

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L93

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L112

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L132

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L94

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L116

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L136

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L100

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L122

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L137

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L192

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L238

8.21 Public functions can be marked external

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/25/commits/971941967736d00fa1976a596cd1f487e647c4b5

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L148

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L156

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L129

8.22 Use of revert strings instead of custom errors

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/29/commits/96b722d129b399c3a8824ca242e5510819465b4e

References

SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L110

SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L113

SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L130-L134

SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L178-L185

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L82

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L94

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L114

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L133

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L64

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L82

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L96-L98

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L118

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L138-L139

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L88

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L102-L104

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L124

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L138

SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L25

SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L41

SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L52

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L130-L133

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L151

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L162

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L193-L205

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L214

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L224

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L40

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L56

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L92-L93

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L293

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L304

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L340

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L345

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L354

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L504

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L520-L521

8.23 Lack of named mappings

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/24/commits/729370cc4c2c09e60a507c6424e76ef5f07099ac

References

SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L24

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L23

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L22

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L23

SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L13

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L15-L18

8.24 Use of magic numbers

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/26/commits/e0fb94fc01e2f748bff7a35e1c13a38b19deb18f

References

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L70

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L70

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L76

8.25 Lack of upgradeable storage management pattern

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/27/commits/6a77b17ec725188d06e95183f5929579738d20f8

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L15

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L15

8.26 Floating pragma

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/33/commits/596c64949986321b67f0ea85f1ea44560f4c29dd

References

SiloMEV/mevvy-yield-contracts/contracts/core/StrategyTokenBase.sol#L2

SiloMEV/mevvy-yield-contracts/contracts/protocols/aave/src/AaveAdapter.sol#L2

SiloMEV/mevvy-yield-contracts/contracts/protocols/compound/src/CompoundAdapter.sol#L2

SiloMEV/mevvy-yield-contracts/contracts/protocols/morpho/src/MorphoAdapter.sol#L2

SiloMEV/mevvy-yield-contracts/contracts/protocols/ProtocolBaseAdapterHandler.sol#L2

SiloMEV/mevvy-yield-contracts/contracts/strategies/deployment/HighestAPYUnbondedStrategy.sol#L2

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol

8.27 Unnecessary gas consumption due to suboptimal coding patterns

Informational

Description

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

Remediation Comment

Remediation Hash

https://github.com/SiloMEV/mevvy-yield-contracts/pull/32/commits/d9f69740db501176f0ce1e4d9fc0486b86ee2ccb

References

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L392-L393

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L399

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L306

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L340

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L345

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L504

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L520

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L56

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L92

SiloMEV/mevvy-yield-contracts/contracts/strategies/logic/HighestAPYUnbondedStrategyBase.sol#L293

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Assessment summary
3. Test approach and methodology
4. Static analysis report

4.1 Description
4.2 Output

5. Risk methodology
6. Scope
7. Assessment summary & findings overview
8. Findings & Tech Details

8.1 Impossibility to withdraw assets across protocols
8.2 Missing tvl limit check in default protocol deposits
8.3 Tvl limit bypass on first deposit
8.4 Revenue loss due to missing fee processing in withdrawfees()
8.5 Unallocated funds without notification when protocols reach tvl limits
8.6 Tvl limit bypass after complete withdrawal
8.7 Single step ownership transfer process
8.8 Use of non-compliant tokens may break contract functionality
8.9 Default protocol removal handling issue
8.10 Missing _disableinitializers() function call
8.11 Permission revocation failure in blockcompound function
8.12 Missing pausing/unpausing mechanism
8.13 Missing index update in withdrawfees function
8.14 Unoptimized for loops
8.15 Inconsistent reentrancy protection pattern in admin functions
8.16 Missing events
8.17 Unhandled return values
8.18 Inconsistent withdrawal pattern in withdrawfees() function
8.19 Missing input validation
8.20 Ordering for nonreentrant modifier
8.21 Public functions can be marked external
8.22 Use of revert strings instead of custom errors
8.23 Lack of named mappings
8.24 Use of magic numbers
8.25 Lack of upgradeable storage management pattern
8.26 Floating pragma
8.27 Unnecessary gas consumption due to suboptimal coding patterns

// Download the full report

Yield Contracts

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

Yield Contracts

Mevvy

Table of Contents

1. Introduction

2. Assessment Summary

3. Test Approach and Methodology

4. Static Analysis Report

4.1 Description

4.2 Output

5. RISK METHODOLOGY

5.1 EXPLOITABILITY

Attack Origin (AO):

Attack Cost (AC):

Attack Complexity (AX):

Metrics:

5.2 IMPACT

Confidentiality (C):

Integrity (I):

Availability (A):

Deposit (D):

Yield (Y):

Metrics:

5.3 SEVERITY COEFFICIENT

Reversibility (R):

Scope (S):

Metrics:

6. SCOPE

7. Assessment Summary & Findings Overview

8. Findings & Tech Details

8.1 Impossibility to withdraw assets across protocols

Description

Proof of Concept

BVSS

Recommendation

Remediation Comment

Remediation Hash

References

8.2 Missing TVL limit check in default protocol deposits

Description

BVSS

Recommendation

Remediation Comment

References

8.3 TVL limit bypass on first deposit

Description

BVSS

Recommendation

Remediation Comment

Remediation Hash

References

8.4 Revenue loss due to missing fee processing in withdrawFees()

Description

Proof of Concept

BVSS

Recommendation

Remediation Comment

Remediation Hash

References

8.5 Unallocated funds without notification when protocols reach TVL limits

Description

BVSS

Recommendation

Remediation Comment

Remediation Hash

References

8.6 TVL limit bypass after complete withdrawal

Description

BVSS

Recommendation

Remediation Comment

Remediation Hash

References

8.7 Single step ownership transfer process

Description

BVSS

Recommendation

Remediation Comment

Remediation Hash

References

8.8 Use of non-compliant tokens may break contract functionality