Omniscia Euler Finance Audit

Earn Yield Aggregator Security Audit

Audit Report Revisions

Commit Hash     Date                 Audit Report Hash
ea4161d5d0      October 1st 2024     7abdb886da
e163c5cd23      October 23rd 2024    40f902c556

Audit Overview

We were tasked with performing an audit of the Euler Finance codebase and in particular their Earn (Yield Aggregator) module.

The system implements an EIP-4626 vault that is meant to integrate multiple EIP-4626 strategies all relying on the same underlying asset.

Any profit or loss that the strategies beneath the Yield Aggregator incur is not realized immediately; instead, a harvest mechanism realizes it when certain trigger conditions are met.

Additionally, realized profits are not credited to the Yield Aggregator's exchange rate at once; they are released to shareholders gradually over a smear period so that the vault's exchange rate does not jump abruptly.

During the audit, we validated that the Yield Aggregator conforms to its technical specification as well as whitepaper definition and ensured that it complies with the relevant EIP standards it is meant to adhere to.

The gradual gulp of positive yields over the smear period, together with the virtual share (decimals offset) system the vault inherits from its OpenZeppelin dependency, acts as a built-in defence against the first-depositor inflation attacks that EIP-4626 vaults are commonly prone to: a donation made to inflate the exchange rate is only recognized over time rather than at the moment the victim deposits.

The vault's deposit mechanisms also support the Permit2 system natively, and do so securely by ensuring that the account the funds are pulled from is always the authenticated caller of the deposit function, whether it calls directly or through the EVC.

Over the course of the audit, we identified two distinct medium-severity issues:

  • Positive yields that are pending distribution are not accounted for by the deposit mechanisms of the vault, permitting a depositor to capture a share of yield earned before their deposit (an arbitrage against existing shareholders)
  • A known edge case of the vault's harvest cooldown system can be exacerbated in certain vault configurations and should be an optional security feature
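To make the smear and virtual-share accounting concrete, the following is a toy Python model added for this page; it is not Euler Finance's code and is not taken from the report. The vault class, the amounts, the 6-decimal offset, the 100-second smear, the account names and the `price_deposits_on_pending` switch are all assumptions chosen for illustration (the report records the medium finding as acknowledged, not as remediated in this way). The model replays the donation-style first-deposit attack against a vault with and without the two mitigations named above, and replays the pending-yield situation of the first medium finding: a depositor who enters after the strategies have earned but before that profit is reflected in the exchange rate.

```python
"""Toy model of an EIP-4626-style yield aggregator: OpenZeppelin-style virtual
shares plus a linear smear of harvested profit.  Constructed for this page as
an illustration; it is NOT Euler Finance's code, and every parameter (offset,
smear length, amounts, account names) is an assumption.  Profit only, no
losses.  Integer arithmetic mirrors Solidity's floor division."""


class ToyAggregator:
    def __init__(self, smear_period, decimals_offset=6, price_deposits_on_pending=False):
        self.smear_period = smear_period          # seconds to release one harvest
        # decimals_offset=None models a pre-virtual-share vault (1:1 bootstrap)
        self.v_shares = 10 ** decimals_offset if decimals_offset is not None else 0
        self.v_assets = 1 if decimals_offset is not None else 0
        self.price_deposits_on_pending = price_deposits_on_pending
        self.now = self.total_supply = 0
        self.held = 0          # assets actually sitting in the vault and strategies
        self.recognized = 0    # assets already reflected in the exchange rate
        self.smearing = self.smear_start = 0   # current smear: amount, start time
        self.shares = {}

    @staticmethod
    def _mul_div(amount, num, den):
        return amount if den == 0 else amount * num // den   # 1:1 on an empty vault

    def _released(self):
        """Part of the current smear released so far (linear in time)."""
        if self.smearing == 0:
            return 0
        if self.smear_period == 0:
            return self.smearing                   # no smear: recognize at once
        elapsed = min(self.now - self.smear_start, self.smear_period)
        return self.smearing * elapsed // self.smear_period

    def total_assets(self):
        """Assets the exchange rate attributes to shareholders right now."""
        return self.recognized + self._released()

    def pending_yield(self):
        """Profit not yet in the exchange rate: unharvested gain + unreleased smear."""
        return self.held - self.total_assets()

    def convert_to_assets(self, shares):
        return self._mul_div(shares, self.total_assets() + self.v_assets,
                             self.total_supply + self.v_shares)

    def _shares_for_deposit(self, assets):
        base = self.total_assets()
        if self.price_deposits_on_pending:
            base += self.pending_yield()   # charge newcomers for yield they did not earn
        return self._mul_div(assets, self.total_supply + self.v_shares, base + self.v_assets)

    def deposit(self, who, assets):
        minted = self._shares_for_deposit(assets)
        self.held += assets
        self.recognized += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def strategy_gain(self, amount):
        """Strategies earned (or someone donated) `amount`; not yet harvested."""
        self.held += amount

    def harvest(self):
        """Fold the released part of the old smear into recognized assets, then
        start a new smear over the leftover plus the newly discovered profit."""
        released = self._released()
        self.recognized += released
        leftover = self.smearing - released
        new_profit = self.held - self.recognized - leftover
        assert new_profit >= 0, "loss handling is not modelled"
        self.smearing, self.smear_start = leftover + new_profit, self.now

    def advance(self, seconds):
        self.now += seconds

    def claim(self, who):
        return self.convert_to_assets(self.shares.get(who, 0))


def pending_yield_arbitrage(price_on_pending):
    """Alice deposits, strategies earn 10% before any harvest, Bob deposits just
    before the harvest.  Returns Bob's claim once the smear has completed."""
    v = ToyAggregator(smear_period=100, price_deposits_on_pending=price_on_pending)
    v.deposit("alice", 1_000_000)
    v.strategy_gain(100_000)          # earned while Alice was the only holder
    v.deposit("bob", 1_000_000)       # priced on total_assets() unless the flag is set
    v.harvest()
    v.advance(100)
    return v.claim("bob")             # 1_049_999 naive, ~1_000_000 with the flag


def first_deposit_inflation(decimals_offset, smear_period):
    """Donation attack: attacker deposits 1 wei, donates 1e6, victim deposits 2e6.
    Returns (victim's claim right away, attacker's claim after the smear)."""
    v = ToyAggregator(smear_period=smear_period, decimals_offset=decimals_offset)
    v.deposit("attacker", 1)
    v.strategy_gain(1_000_000)        # donation straight into the strategy balance
    v.harvest()
    v.deposit("victim", 2_000_000)
    victim_now = v.claim("victim")
    v.advance(smear_period)
    return victim_now, v.claim("attacker")
```

With neither mitigation (`decimals_offset=None`, `smear_period=0`) the victim's two million assets buy a single share and the attacker walks away with roughly half a million of them; with a 6-decimal offset and a 100-second smear the victim can immediately redeem the full two million and the attacker's donation is effectively lost. In the pending-yield scenario, pricing Bob's deposit on `total_assets()` alone hands him about half of the yield that accrued before he arrived, which is the arbitrage the first medium finding describes; pricing it on the fully accounted value removes that gain in this model.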

We advise the Euler Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimization-related exhibits identified in the report.

Post-Audit Conclusion

The Euler Finance team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by Euler Finance and have confirmed that all exhibits have either been safely acknowledged or properly alleviated.

We consider all outputs of the audit report properly consumed by the Euler Finance team with no outstanding remediative actions remaining.

Audit Synopsis

Severity         Identified   Alleviated   Partially Alleviated   Acknowledged
Unknown          1            0            0                      1
Informational    17           9            0                      8
Minor            4            2            0                      2
Medium           2            0            0                      2
Major            0            0            0                      0

During the audit, we filtered and validated a total of 3 findings utilizing static analysis tools as well as identified a total of 21 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.

Total Alleviations

The list below covers each segment of the audit in depth and links to the respective chapter of the report: