Yearn
Reward Amounts
Critical
200,000 USDC maximum payout
Payout shall not exceed 10% of funds at risk at time of submission
Severity Criteria
Critical Definition
- Definite and significant loss of funds without limitations of external conditions
- Definite and significant freezing of funds for >1 year without limitations of external conditions
General Notes
- Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above
- A coded Proof of Concept (POC) with instructions to run the POC is required
- If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage
The base contracts Vault.vy, TokenizedStrategy.sol, and BaseStrategy.sol are covered on Immunefi. Duplicate issues will not be considered as new reports.
Platform Rule
Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.
Previous Audits
The base contracts Vault.vy, TokenizedStrategy.sol, and BaseStrategy.sol have been audited. You can find the audit reports here:
However, the actual contracts within the current scope have not been audited by external firms.
Additional Context
What is Yearn V3?
Yearn V3 uses ERC4626 vaults that allocate user-deposited funds to yield sources and auto-compounds them.
Detailed explanation on Yearn V3:
https://docs.yearn.fi/developers/v3/overview
Generalized accepted risks and assumptions:
- Some strategies can sell rewards with minimumAmountOut of "0" or not a realistic value. In such cases, the risk of sandwich attacks is accepted. We use MEV relayers to prevent MEV attacks.
- Some strategies may sell reward tokens in very low TVL pools, which is an accepted risk. We will run keeper bots to sell the reward tokens in small amounts in such cases.
- All the governance roles in Yearn code are trusted.
- External protocols pausing is an accepted risk.
- External protocol admins setting critical values on the strategy's yield source is an accepted risk.
- External protocol upgrades are also accepted. These upgrades may require us to develop a new strategy for adaptability, which is also accepted since we actively monitor external protocol activities.
Vault-specific accepted risks and assumptions
SingleSidedPTcore (yPT Vaults)
- When the PT price fluctuates before a harvest, users can exploit the timing by withdrawing early and leaving the losses for other depositors.
- Even at expiry, 1 PT is not exactly 1 SY because of the PT treasury fees (Link to Pendle contract). This means bufferSlippageBPS should not be set to "0" when a market is expired and the rollover hasn't happened yet.
Scope
All strategies can be reviewed on Yearn's frontend page here: https://yearn.fi/v3. Note that the scope includes only the contracts listed below.
yPT Yearn Auto-Rolling Pendle PT Strategies
Description
Strategy invests into Pendle PT Markets and automatically rolls them gas-free into the next maturity upon expiry.
Addresses
All chains
https://github.com/mil0xeth/yearn-v3-Pendle/tree/80b3c17d58f43cb6df27500dd3ae69294c648308
AAVE Lenders
Description
Strategy lends the base asset to AAVE markets, earns interest, and sells rewards via swappers if there are any.
Addresses
Mainnet
AAVE V3 USDC Lender:
0xf766c7293f4e0265dDfA8369F78a808dF8AC70c1
AAVE V3 USDT Lender:
0xe5baF8b6Be442811211e9339d9fbC1B8fb7D66dF
AAVE V3 DAI Lender:
0xF0825750791A4444c5E70743270DcfA8Bb38f959
AAVE V3 crvUSD Lender:
0xb0154f71912866Bb69fE26fFc44779D99B9CAE85
AAVE V3 WETH Lender:
0x90759801579208B28D2D36D13b1ED7443D1b717F
AAVE V3 Lido Market WETH Lender:
0xC7baE383738274ea8C3292d53AfBB3b42B348DF0
AAVE V3 USDS Lender:
0x832c30802054F60f0CeDb5BE1F9A0e3da2a0Cab4
AAVE V3 Lido Market USDS Lender:
0xC08d81aba10f2dcBA50F9A3Efbc0988439223978
Compound V3 Lenders
Description
Strategy lends the base asset to Compound V3 markets, earns interest, and sells COMP rewards if there are any.
Addresses
Mainnet
Compound V3 USDC Lender:
0x7eE351aA702C8fC735D77Fb229b7676AC15D7c79
Compound V3 USDT Lender:
0x206db0A0Af10Bec57784045e089A418771D20227
Compound V3 WETH Lender:
0x23eE3D14F09946A084350CC6A7153fc6eb918817
Spark Lenders
Description
Strategy lends the base asset to Spark markets, earns interest, and sells rewards via swappers if there are any.
Addresses
Mainnet
Spark USDT Lender:
0xED48069a2b9982B4eec646CBfA7b81d181f9400B
Spark DAI Lender:
0x1fd862499e9b9402DE6c599b6C391f83981180Ab
Spark USDC Lender:
0x25f893276544d86a82b1ce407182836F45cb6673
Spark WETH Lender:
0x365cC9c28Df1663fA37C565A3aC1Addc3A219e15
Gearbox V3 Lenders
Description
Strategy lends the underlying asset to Gearbox V3 pools to earn interest and extra rewards, which it sells for more of the underlying asset.
Addresses
Mainnet
Gearbox V3 DAI Lender:
0x6164045FC2b2b269ffcaB2197736A74B1725B6C6
Gearbox V3 crvUSD Lender:
0xbf2e5BeD692C09aF8B39677e315F36aDF39bD685
Gearbox V3 WETH Lender:
0xe92ade9eE76681f96C8BB0b352d5410ca5b35D70
Gearbox USDC Lender:
0xf6E2d36c489e5B361CdC962D4568ceA663AD5ddC
Sturdy Compounders
Description
Supplies the underlying asset to the corresponding Sturdy aggregator, earning the underlying yield and compounding the rewards.
Addresses
Mainnet
Sturdy crvUSD Compounder:
0x05329AAb081B125eEF7FbbC8b857428D478E692B
Sturdy WETH Swell Compounder:
0x5f76526390d9cd9944d65C605C5006480FA1bFcB
Across Lenders
Description
Strategy deposits the underlying asset into Across pools to earn swap fees and rewards, which are compounded back into the underlying asset.
Addresses
Mainnet
Across WETH Lender:
0x9861708f2ad2BD1ed8D4D12436C0d8EB1ED36f1c
LST Accumulator
Description
Strategy converts or swaps the underlying asset to an LST and holds it.
Addresses
Mainnet
stETH Accumulator:
0x288991C055F94E9A0dcF0Ad08Ee3496E96E68142
USDC to yvUSDS Depositor
Description
Strategy converts USDC to DAI through the DAI-Lite PSM, then converts DAI to USDS and deposits the USDS into the Yearn yvUSDS vault.
Addresses
Mainnet
0x602DA189F5aDa033E9aC7096Fc39C7F44a77e942
DAI to yvUSDS Depositor
Description
Strategy converts DAI to USDS through the DAI-USDS Converter and deposits the USDS into the Yearn yvUSDS vault.
Addresses
Mainnet
0x6acEDA98725505737c0F00a3dA0d047304052948
Sky Rewards Compounder
Description
Strategy stakes USDS in the Sky program to receive SKY rewards, which it compounds back into more USDS.
Addresses
Mainnet
0x4cE9c93513DfF543Bc392870d57dF8C04e89Ba0a
Sky Savings Rate
Description
Strategy stakes USDS to sUSDS with a referral to earn the Sky savings rate.
Addresses
Mainnet
Max Rewards: 200,000 USDC
Status: LIVE
Live since: Nov 1, 2024, 2:39 PM
Last updated: Nov 1, 2024, 2:39 PM