
Summer Earn Protocol


We continue to be grateful for the comprehensive audits by the ChainSecurity team. Their distinctive understanding of the DeFi space brings an unmatched level of confidence to the audits they employ for us. We are looking forward to continuing working together to bring DeFi forward.

Frank Brinkkemper
Product Manager @ Summer.fi

Summary

The most critical subjects covered in our audit are asset solvency, internal accounting, functional correctness, and access control. Security regarding all the aforementioned subjects is good. Please note that several issues have been marked as risk accepted.

Security regarding internal accounting has been improved after fixing the issue State Not Updated Before Staking. Security regarding asset solvency has been improved after fixing the issue Disembarking AaveV3Ark Can Fail. Security regarding functional correctness has been improved after fixing the issues Tip Not Collected and Wrong Order Assumption in Withdrawable Arks Caching. The most critical issues have been addressed after the first intermediate report but some issues were introduced with the fixes, see Wrong Direction for Buffer Adjustment Checks.

The general subjects covered are gas efficiency, trustworthiness, specification, and code complexity. Security and quality regarding all the aforementioned subjects is high. Gas efficiency is good but can be enhanced further, see Gas Optimizations. See Power of AdmiralsQuarters Role, Power of Governance and How to Choose Auction Parameters for findings regarding privileged actions. See BuyTokens Can Revert From Frontrunning and Sequencer Downtime Can Influence Auction Price for findings regarding MEV. See Misnaming of Quadratic Decay Function for findings on terminology.

We want to highlight the assumptions over the governor role, i.e. the governor role is unique and is controlled only by the DAO, and its power over the system, see Roles and Trust Model and Power of Governance. We also want to highlight the limited use cases of PendlePtOracleArk, see System Overview and Excluded from Scope.

In summary, we find that the codebase provides a good level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Summer Earn Protocol

Summer.fi primarily implements an investment protocol, where users can deposit their funds in a so-called "fleet" which is bound to an underlying asset. The liquidity of each fleet is then managed by a trusted manager. The whole protocol is globally managed by a DAO controlled by the Summer token. Summer.fi also implements Dutch auctions and rewards distribution for Summer Earn, an ark for the PendlePT token, a contract to batch user interactions with the system, and a contract to manage the vesting of the Summer token.