Omniscia Ultra Yield Audit
Vault Contracts Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| b4cf59242d | August 24th 2025 | 5c55e478f9 |
| 28f2785396 | September 3rd 2025 | e02b460316 |
| 2d9651dbd7 | September 8th 2025 | 37c6ba829e |
| 2d9651dbd7 | September 10th 2025 | be347e896e |
Audit Overview
We were tasked with performing an audit of the Ultra Yield codebase and in particular their vault contract implementations.
The system implements two types of EIP-4626 vaults; one integrates as a wrapper contract on top of another vault whereas the other functions as the base vault implementation of the system.
Both implementations adhere to the EIP-4626 standard as well as the EIP-7540 and EIP-7575 standards to facilitate a delayed withdrawal mechanism via redemption requests.
Over the course of the audit, we identified certain EIP compliancy issues, a cumulative truncation problem, as well as a significant issue in how deposits are handled in the UltraVault contract.
We advise the Ultra Yield team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Ultra Yield team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Ultra Yield and have identified that a certain exhibit has not been adequately dealt with. We advise the Ultra Yield team to revisit the following exhibit: BCA-01M
Additionally, the following informational findings remain partially addressed and should be revisited: UVR-04C, BCA-02C
Post-Audit Conclusion (2d9651dbd7)
The Ultra Yield team proceeded with updating their codebase to rectify the three remaining issues outlined in the previous summary.
We evaluated the alleviations provided for those items and assessed them as fully addressed.
We consider all outputs of the audit report properly consumed by the Ultra Yield team with no outstanding remediative actions remaining.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 0 | 0 | 0 | 0 |
 | 25 | 24 | 0 | 1 |
 | 4 | 3 | 0 | 1 |
 | 3 | 2 | 0 | 1 |
 | 0 | 0 | 0 | 0 |
During the audit, we filtered and validated a total of 3 findings utilizing static analysis tools as well as identified a total of 29 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: