If you notice some outdated information please let us know!
Process Quality Review (0.8)
Yield Yak
FAIL
Scoring Appendix
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the audit looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
- Here is my smart contract on the blockchain
- You can see it matches a software repository used to develop the code
- Here is the documentation that explains what my smart contract does
- Here are the tests I ran to verify my smart contract
- Here are the audit(s) performed to review my code by third party experts
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
Smart Contracts & Team
36%
This section looks at the code deployed on the relevant chain that gets reviewed and its corresponding software repository. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
Smart contract addresses for Yield Yak can NOT be found in their smart-contracts repository. An easy fix would be to list the addresses somewhere within the GitBook with the addresses explicitly written. Contracts were eventually located in Snowtrace. A screenshot of the smart contract files can be found in the appendix.
2. How active is the primary contract? (%)
These contracts receive more than 10 interactions a month.
3. Does the protocol have a public software repository? (Y/N)
Location: https://github.com/yieldyak.
4. Is there a development history visible? (%)
Yield Yak's smart-contracts repository logs 284 commits with 3 branches, earning the protocol 100%.
5. Is the team public (not anonymous)?
The Yield Yak team constitutes of members operating under anonymity.
Documentation
94%
This section looks at the software documentation. The document explaining these questions is here.
7. Is the protocol's software architecture documented? (Y/N)
The protocol's software architecture is somewhat documented within the smart-contract README.md file but there are just brief touches on smart contract interactions. This is extremely limited due the lack of information on completeness of the architecture documentation. This should be fixed.
8. Does the software documentation fully cover the deployed contracts' source code? (%)
Software functions are documented within the respective repositories' README.md files. Here is an example, the yak-aggregator repository README.md.
9. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
Implicit traceability can be made by cross-referencing the contract names to the software functions. For that matter, the protocol earns a 60%.
Testing
52%
10. Has the protocol tested their deployed code? (%)
Yield Yak's test files record a 63% testing to code (TtC). Generally a good test to code ratio is over 100%. However, the reviewer's best judgement is the final deciding factor. The protocol earns 40% on this score based on TtC.
11. How covered is the protocol's code? (%)
There is no documented code coverage, but because of the 63% Test-to-Code ratio, some tests are evident, but not complete. Therefore, the protocol earns 30%.
12. Does the protocol provide scripts and instructions to run their tests? (Y/N)
Scripts/Instructions location: [https://github.com/yieldyak/yak-aggregator#run-tests(https://github.com/yieldyak/yak-aggregator#run-tests) for the Yak Aggregator, https://github.com/yieldyak/farm-contracts#tests for the farm contracts, etc.
13. Is there a detailed report of the protocol's test results?(%)
A report of the protocol's test results can be found in the Actions tab of the farm-contracts repository here. This earns the protocol 100%.
14. Has the protocol undergone Formal Verification? (Y/N)
This protocol has not undergone formal verification.
15. Were the smart contracts deployed to a testnet? (Y/N)
There's traces of testnet deployment on avascan testnet.
Security
20%
This section looks at the 3rd party software audits done. It is explained in this document.
16. Is the protocol sufficiently audited? (%)
YieldYak is unaudited as mentioned here.
17. Is the bounty value acceptably high (%)
Yield Yak promotes a bug bounty of 100 YAK for disclosure of bugs. Since the bug bounty is only on the Yield Yak platform, it is considered as inactive. At the time of writing, 1 YAK is worth $247USD, totalling $24 700 in total bounty value. This earns the protocol 20%.
Admin Controls
76%
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
18. Is the protocol's admin control information easy to find?
The protocol's admin control information is easy to find, it can be found in the Treasury section of its docs.
19. Are relevant contracts clearly labelled as upgradeable or immutable? (%)
Relevant contracts are identified as upgradeable but this is not applicable for every contract; the protocol earns 50% for covering some of the contracts' upgradeability.
20. Is the type of smart contract ownership clearly indicated? (%)
The Opinionated Treasury mentions the treasury funds to be governed by a multisig and a Yak Deployer (OnlyOwner) can temporarily hold treasury funds as well as wield special rights to claim revenue on behalf of the platform. Other accounts mentioned are YY Contributors, YY Ecosystem and YY Team with MultiSig ownership.
However, not all contracts have their ownership identified; the rest can be found in the code. For that matter, the protocol earns 75% for covering part of the ownership explicitly in their docs.
21. Are the protocol's smart contract change capabilities described? (%)
Smart contract change capabilities are clearly mentioned in the Treasury section of its documentation.
22. Is the protocol's admin control information easy to understand? (%)
The language used for admin control information is easy to understand.
23. Is there sufficient Pause Control documentation? (%)
There is no evidence of Pause Control documentation.
24. Is there sufficient Timelock documentation? (%)
The protocol touches upon timelocks in their "Timelock Protects Users" section, where a timelock is identified. Within the timelock contract, the duration is specified to be 2 days for asset recovery, 4 days for ownership transfer and 8 hours for fee changes. However, due to the absence of information on the affected contracts for the timelock , the protocol earns 60%.
25. Is the Timelock of an adequate length? (Y/N)
The timelock durations found in the contract range between 8 hours and 4 days, which is enough to score 100% on this question.
Oracles
13%
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
26. Is the protocol's Oracle sufficiently documented? (%)
There is no documentation on Oracle usage.
27. Is front running mitigated by this protocol? (Y/N)
A front-running protection mechanism is described for the reinvest button function in their "Protection Mechanism" section.
28. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
There is no documentation of flashloan attack mitigation techniques for the protocol.
Appendices
1// SPDX-License-Identifier: MIT
2pragma solidity 0.8.13;
3
4import "../lib/Ownable.sol";
5import "../lib/SafeMath.sol";
6import "../lib/SafeERC20.sol";
7
8/**
9 * @title YY Staking
10 * @author Yield Yak
11 * @notice YyStaking is a contract that allows ERC20 dpeosits and receives rewards from token balances which may be
12 * transferred in without an additional function call. The contract is based on StableJoeStaking from Trader Joe.
13 * Users deposit X and receive a share of what has been sent based on their participation of the total deposits.
14 * It is similar to a MasterChef, but we allow for claiming of different reward tokens.
15 * Every time `updateReward(token)` is called, We distribute the balance of that tokens as rewards to users that are
16 * currently staking inside this contract, and they can claim it using `withdraw(0)`
17 */
18contract YyStaking is Ownable {
19 using SafeMath for uint256;
20 using SafeERC20 for IERC20;
21
22 /// @notice Info of each user
23 struct UserInfo {
24 uint256 amount;
25 mapping(IERC20 => uint256) rewardDebt;
26 /**
27 * @notice We do some fancy math here. Basically, any point in time, the amount of deposit tokens
28 * entitled to a user but is pending to be distributed is:
29 *
30 * pending reward = (user.amount * accRewardPerShare) - user.rewardDebt[token]
31 *
32 * Whenever a user deposits or withdraws. Here's what happens:
33 * 1. accRewardPerShare (and `lastRewardBalance`) gets updated
34 * 2. User receives the pending reward sent to his/her address
35 * 3. User's `amount` gets updated
36 * 4. User's `rewardDebt[token]` gets updated
37 */
38 }
39
40 /// @notice Farm deposit token
41 IERC20 public depositToken;
42
43 /// @dev Internal balance of depositToken, this gets updated on user deposits / withdrawals
44 /// this allows to reward users with depositToken
45 uint256 public internalBalance;
46
47 /// @notice Array of tokens that users can claim
48 IERC20[] public rewardTokens;
49 mapping(IERC20 => bool) public isRewardToken;
50
51 /// @notice Last reward balance of `token`
52 mapping(IERC20 => uint256) public lastRewardBalance;
53
54 address public feeCollector;
55
56 /// @notice The deposit fee, scaled to `DEPOSIT_FEE_PERCENT_PRECISION`
57 uint256 public depositFeePercent;
58
59 /// @dev The precision of `depositFeePercent`
60 uint256 internal constant DEPOSIT_FEE_PERCENT_PRECISION = 10000;
61
62 /// @notice Accumulated `token` rewards per share, scaled to `ACC_REWARD_PER_SHARE_PRECISION`
63 mapping(IERC20 => uint256) public accRewardPerShare;
64 /// @notice The precision of `accRewardPerShare`
65 uint256 public ACC_REWARD_PER_SHARE_PRECISION;
66
67 /// @dev Info of each user that stakes
68 mapping(address => UserInfo) private userInfo;
69
70 /// @notice Emitted when a user deposits
71 event Deposit(address indexed user, uint256 amount, uint256 fee);
72
73 /// @notice Emitted when feeCollector changes the fee collector
74 event FeeCollectorChanged(address newFeeCollector, address oldFeeCollector);
75
76 /// @notice Emitted when owner changes the deposit fee percentage
77 event DepositFeeChanged(uint256 newFee, uint256 oldFee);
78
79 /// @notice Emitted when a user withdraws
80 event Withdraw(address indexed user, uint256 amount);
81
82 /// @notice Emitted when a user claims reward
83 event ClaimReward(address indexed user, address indexed rewardToken, uint256 amount);
84
85 /// @notice Emitted when a user emergency withdraws
86 event EmergencyWithdraw(address indexed user, uint256 amount);
87
88 /// @notice Emitted when owner adds a token to the reward tokens list
89 event RewardTokenAdded(address token);
90
91 /// @notice Emitted when owner removes a token from the reward tokens list
92 event RewardTokenRemoved(address token);
93
94 constructor(
95 IERC20 _depositToken,
96 IERC20 _rewardToken,
97 address _feeCollector
98 ) {
99 require(address(_depositToken) != address(0), "YyStaking::depositToken can't be address(0)");
100 require(address(_rewardToken) != address(0), "YyStaking::rewardToken can't be address(0)");
101 require(_feeCollector != address(0), "YyStaking::feeCollector can't be address(0)");
102
103 depositToken = _depositToken;
104 feeCollector = _feeCollector;
105
106 isRewardToken[_rewardToken] = true;
107 rewardTokens.push(_rewardToken);
108 ACC_REWARD_PER_SHARE_PRECISION = 1e24;
109 }
110
111 /**
112 * @notice Deposit for reward token allocation
113 * @param amount The amount of depositToken to deposit
114 */
115 function deposit(uint256 amount) external {
116 _deposit(msg.sender, amount);
117 }
118
119 /**
120 * @notice Deposit on behalf of another account
121 * @param account Account to deposit for
122 * @param amount The amount of depositToken to deposit
123 */
124 function depositFor(address account, uint256 amount) external {
125 _deposit(account, amount);
126 }
127
128 /**
129 * @notice Deposit using Permit
130 * @param amount The amount of depositToken to deposit
131 * @param deadline The time at which to expire the signature
132 * @param v The recovery byte of the signature
133 * @param r Half of the ECDSA signature pair
134 * @param s Half of the ECDSA signature pair
135 */
136 function depositWithPermit(
137 uint256 amount,
138 uint256 deadline,
139 uint8 v,
140 bytes32 r,
141 bytes32 s
142 ) external {
143 depositToken.permit(msg.sender, address(this), amount, deadline, v, r, s);
144 _deposit(msg.sender, amount);
145 }
146
147 function _deposit(address _account, uint256 _amount) internal {
148 UserInfo storage user = userInfo[_account];
149
150 uint256 _fee = _amount.mul(depositFeePercent).div(DEPOSIT_FEE_PERCENT_PRECISION);
151 uint256 _amountMinusFee = _amount.sub(_fee);
152
153 uint256 _previousAmount = user.amount;
154 uint256 _newAmount = user.amount.add(_amountMinusFee);
155 user.amount = _newAmount;
156
157 uint256 _len = rewardTokens.length;
158 for (uint256 i; i < _len; i++) {
159 IERC20 _token = rewardTokens[i];
160 updateReward(_token);
161
162 uint256 _previousRewardDebt = user.rewardDebt[_token];
163 user.rewardDebt[_token] = _newAmount.mul(accRewardPerShare[_token]).div(ACC_REWARD_PER_SHARE_PRECISION);
164
165 if (_previousAmount != 0) {
166 uint256 _pending = _previousAmount
167 .mul(accRewardPerShare[_token])
168 .div(ACC_REWARD_PER_SHARE_PRECISION)
169 .sub(_previousRewardDebt);
170 if (_pending != 0) {
JavaScript Tests
Tests to Code: 9152 / 14506 = 63 %