
Mellow Symbiotic Vault Smart Contracts

Summary

The most critical subjects covered in our audit are function correctness, access control and integration with Symbiotic. The general subjects covered are gas efficiency, documentation and upgradeability. Security regarding the aforementioned subjects is good but improvable.

The most notable issues found were:

  • Broken Queue Accounting
  • Withdrawal Request Claiming Manipulation
  • Bank Run on Excess Funds in Vault Prior to Slashing Event
  • Migration can be DoSed

Note that the first two issues have been resolved through code correction. For the third and the fourth item, the risk has been accepted. Note that some other issues have been only partially corrected or their risk has been accepted.

Further, we provide some considerations for migration in Migration Considerations. See also the Notes for other considerations.

In summary, we find that the codebase provides a good but improvable level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Mellow Symbiotic Vaults

Mellow Finance implements simple LRTs to tokenize deposits in Symbiotic.

"Mellow LRT is an innovative liquid restaking primitive allowing permissionless creation of modular LRTs. Mellow offers a series of vault smart contracts tailored to different risk profiles, managed by LRT curators."

#Source:

Mellow Protocol has really complex contracts and codebase. Our team was very happy to work with ChainSecurity. We were impressed by the professionalism and depth of the smart contracts study by ChainSecurity. The team's versatile approach helped us improve our codebase's security and effectiveness and added confidence before our protocol launch.
Nick S, contributor @ Mellow Protocol