Multivault Smart Contracts

Summary

The most critical subjects covered in our audit are asset solvency, functional correctness, and frontrunning. The general subjects covered are upgradeability, unit testing, documentation, and trustworthiness. Note that test coverage is insufficient and that some of the uncovered issues could have been caught by testing.

The most notable findings are:

  • The Incorrect Valuation of ERC-4626 that leads to incorrect share prices potentially leading to a loss of funds.
  • An Escalation of Privileges that could allow addresses with low privileges to drain the protocol.
  • Architectural problems such as Pending Assets Become Claimed During Withdrawal and Insufficient Limitations for Strategies that could have led to DoS scenarios.
  • Integration issues such as Operator Undelegations Are Not Accounted for that could've led to loss of funds.

All issues have been resolved through code corrections or specification changes. Some lower severity issues have been acknowledged, and their risk has been accepted.

Additionally, please consult Notes, Assessment Overview and Trust Model and Roles for considerations that could be out of scope.

In summary, we find that the codebase provides a good but improvable level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Mellow Multivault Smart Contracts

Mellow Finance implements an upgrade to the previously audited vaults to support multiple LRTs at once as well as other ERC-4626 compliant protocols. The multivault architecture implements a modular integration framework by leveraging adapters for integrations and strategies for allocations. Given the delayed withdrawals for LRTs, specialized withdrawal queues have been implemented.

"Mellow LRT is an innovative liquid restaking primitive allowing permissionless creation of modular LRTs. Mellow offers a series of vault smart contracts tailored to different risk profiles, managed by LRT curators."

Mellow Protocol's contracts and codebase are really complex. Our team was very happy to work with Chainsecurity. We were impressed by the professionalism and depth of the smart contracts study by Chainsecurity. The team's versatile approach helped us improve our codebase's security and effectiveness and added confidence before our protocol launch.
Nick S, contributor @ Mellow Protocol