Core Protocol Security Audit

Audit Overview

We were tasked with auditing the codebase of Vector Finance and in particular their Platypus Finance interfacing protocol implementation with multiple complex staking and reward components.

Over the course of the audit we were able to pinpoint multiple significant vulnerabilities ranging from improper integration to incorrect unit neutralization that can compromise the system severely.

Additionally, we were able to pinpoint several gas optimizations that we advise the Vector Finance team to consider and potentially alleviate along with all vulnerabilities identified in the report.

Post-Audit Conclusion

The Vector Finance team remediated most of the exhibits outlined in the report and rendered some of them null due to the extensive refactor they performed on the latest iteration.

Namely, they adjusted the Locker's contract behaviour and they also adjusted the ComputeAPR contract by a wide margin, both of which should not be considered in scope of the audit.

Minor integration changes at the MasterChefVTX level were performed, however, the rest of the contract as well as any logic in the Locker contract that remained unaffected should be considered under scope of the audit and has had all of the issues dealt with, rendering it production ready.

Contracts Assessed

Audit Synopsis

During the audit, we filtered and validated a total of 4 findings utilizing static analysis tools as well as identified a total of 36 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report:

• 💻 Compilation
• 🔍 Static Analysis
• 👁️ Manual Review
• 🖋️ Code Style