Oct. 7, 2024: Audit Trail - Fee Splitter 🕵️👣
ChainSecurity's Curve audit includes Vyper snekmate module
It’s audit season! Audits for the Curve Fee Splitter and permissionless lending markets (“Llama Lend”) have been made public in the past week.
In this article we highlight what the diligent auditors found. Today we recap the audit of Fee Splitter, tomorrow we’ll cover Llama Lend.
Fee Splitter
The Fee Splitter contracts, used for the upcoming st-crvUSD, received a thorough audit from ChainSecurity.
We recently walked through the Fee Splitter to provide a high-level overview of the codebase, which may provide background for this article.
Not included in the scope of the audit was the actual vault for st-crvUSD, because this code’s critical functionality was forked from the Yearn v3 Vault.
A major takeaway from both articles is that these contracts are quite legible, and comprehensible even to non-technical readers, given that they are written in Vyper. Vyper’s mission statement enshrines “auditability” as one of its three core pillars.
It’s of course difficult to make a perfect comparison with Solidity audits because all smart contracts are different, but some snek-pilled advocates have hypothesized auditors can work about 20% faster in Vyper given its lack of things like inline assembly. We’d be eager to interview auditors who have anecdotal (or quantitative) data on this subject!
As for the Fee Splitter itself, it passed this audit with flying colors. ChainSecurity found that “the codebase provides a high level of security.”
The audit surfaced 5 low severity findings, all of which were corrected by the final release version.
The most exciting aspect of the codebase passing with flying colors is that the auditors gave a green light not just to Curve code, but also a notable “test-in-prod” usage of the Vyper 0.4 era module system. This includes the highly useful snekmate libraries falling within the scope of the audit.
One of the reasons Solidity is so commonly used is that organizations like OpenZeppelin have provided a variety of open source templates that make it quick to import starter code for everything from memecoins to NFTs. Vyper had sample contracts, but nothing so modular.
Vyper waited until the 0.4 era to allow external imports of libraries, so that they could be handled in what the team considered a robust, safe, and legible manner. We wrote more about Vyper 0.4 at the time of its official release this summer:
With the official launch of Vyper 0.4, it’s time for the snekmate repository to shine! The FeeSplitter shows off use of snekmate’s authorization module, simplifying the process of giving the Curve DAO admin control over the Fee Splitter.
Now, thanks to its inclusion in the Curve codebase, the auth module is gaining cred for usage in audit and prod. The audit folder of snekmate is no longer empty:
Coders should check out the legendary pcaversaccio’s snekmate repository, which includes simple imports for all the building blocks you might want in Vyper.
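To make the module pattern concrete, here is an added illustration (not Fee Splitter code and not part of the snekmate repository) of how a Vyper 0.4 contract imports snekmate’s ownable authorization module and gates an admin-only setter behind it; the contract name, the `receiver` storage variable and `set_receiver` are hypothetical, and the import path and `ownable` function names are assumed to match snekmate’s published module.

```vyper
# pragma version ~=0.4.0
# Added example: a minimal contract that hands admin control to a single
# owner (e.g. a DAO) via snekmate's ownable module, in the style the Fee
# Splitter audit covered. Not the Fee Splitter itself.

# Vyper 0.4 module import of snekmate's authorization library
# (path assumed to follow the snekmate package layout).
from snekmate.auth import ownable

# Declare that this contract owns the module's storage and calls its
# constructor exactly once.
initializes: ownable

# Re-export the module's external surface (owner(), transfer_ownership(),
# renounce_ownership()) so the DAO can later hand ownership to a new admin.
exports: ownable.__interface__

event ReceiverSet:
    receiver: indexed(address)

# Hypothetical admin-controlled parameter.
receiver: public(address)


@deploy
def __init__(initial_receiver: address):
    # ownable.__init__() records msg.sender (the deployer) as owner;
    # the deployer is expected to transfer_ownership() to the DAO afterwards.
    ownable.__init__()
    assert initial_receiver != empty(address), "receiver is zero address"
    self.receiver = initial_receiver


@external
def set_receiver(new_receiver: address):
    # The module's internal check reverts unless msg.sender == owner,
    # so only the current admin can change the receiver.
    ownable._check_owner()
    assert new_receiver != empty(address), "receiver is zero address"
    self.receiver = new_receiver
    log ReceiverSet(new_receiver)
```

Because the module, not this contract, defines the ownership storage and checks, an auditor reviewing the contract only has to confirm that `ownable._check_owner()` guards every privileged entry point and that `exports:` exposes no more than intended.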
The full audit did not even find low severity issues with the snekmate repository. The issues uncovered were mostly design issues from an earlier draft of Fee Splitter, with all notable issues corrected by the second release.
The audit as a whole is worth a read, given that you, the Curve DAO, are now funding these thorough audits, whereas before they were paid out of pocket by Swiss Stake. So too is it worth reviewing the business case for st-crvUSD, which justifies the expenditure of dev time in launching the yield-bearing stablecoin.
Audits are great, but note that nothing in cryptocurrency can ever be considered “safu.” Exercise your judgement, and use these as readings to inform your research.
Stick around tomorrow for the latest audits of Llama Lend! Help us out by sharing this article on 𝕏