Summary
The most critical subjects covered in our audit are functional correctness, accounting correctness, and the integration with external systems (Bridge and Morpho vaults).
Functional correctness is good, after missing conversions between asset amounts and share amounts have been fixed, see drainVault Cannot Withdraw All Assets and Missing Asset-Share Conversions in Vaults. Accounting correctness is good, as related issues have been fixed, see drainVault Locks Assets. Security regarding integration with external systems is high.
In summary, we find that the codebase provides a good level of security.The Notes section highlights behavior that users should be aware of.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Polygon Vault Bridge Token
Polygon implements an extension of the Unified Bridge (formerly LxLy Bridge) that enables the bridging of assets that have been deposited into an ERC-4626 yield-generating vault. Additionally, Polygon provides a Native Converter deployed on Layer Y that allows assets that were natively bridged (not via the VaultBridgeToken extension) to be converted to vault-bridged tokens, with the underlying token being bridged back to Layer X.
“Polygon is a decentralised Ethereum scaling platform that enables developers to build scalable user-friendly dApps with low transaction fees without ever sacrificing on security.”
ChainSecurity holds a special place in my heart, only positive experiences with them and they always go above and beyond. During one of our audits, they actually found a bug in an OpenZeppelin contract we were using, 99% of auditors wouldn't bother looking there.
Gretzke.eth, Software Engineering Lead @ Polygon