VFAT is a yield Agrigator that uses the Natt Smart Contract Wallet for yield agriculture. Reduce complex tasks such as input and termination, complex or re -adjustment in the position.
The protocol team participated in the Ackee Blockchain Security and conducted a security review of the farm strategy smart contract with a total of 12 days of donation for 12 days between May 19 and June 3, 2025.
Second, the revision review of the previous revision was conducted.
We are grateful for the optimism of the subsidies and VFAT’s previous audit.
methodology
We started reviewing using static analysis tools, including Wake. Then I dive about the logic of the contract.
During the review, we paid special attention later.
- The arithmetic guarantee of the system is correct.
- Reinvision detection possible in the code;
- Safety confirmation of using delegateCall;
- Access control is not too comfortable or strict.
- Accuracy confirmation of implementation of the possibility of upgrade; and
- We are looking for common problems such as data verification.
range
The first audit was performed for the commit. d85b2cd
And the range is as follows:
contracts/connectors/uniswap/UniswapV3Connector.sol
contracts/connectors/velodrome/SlipstreamGaugeConnector.sol
contracts/connectors/velodrome/SlipstreamNftConnector.sol
contracts/connectors/velodrome/VelodromeGaugeRegistry.sol
contracts/strategies/FarmStrategy.sol
contracts/strategies/MultiFarmStrategy.sol
contracts/strategies/NftFarmStrategy.sol
contracts/strategies/SweepStrategy.sol
contracts/libraries/ZapLib.sol
contracts/libraries/NftZapLib.sol
The focus of this gratitude was to review the integration with the external protocol of the protocol and the Belodrome.
The second review was carried out for a given commit. e5ff820
. The scope of the second review was limited to modifications of the problems found in the previous revision, and no other code change was not audited. Five problems have been solved and customers have recognized seven problems.
Security discovery classification is determined by two grades. influence and What can be. This two -dimensional classification helps to clarify the seriousness of individual problems. The problem to be evaluated middle It is severe, but the possibility of being found only by the team is generally reduced according to the possibility. wAnnings or menFormational Severe rating.
Our review results have emerged 12 DiscoveryFrom information to intermediate seriousness. The most serious was M1, which is a frontal problem that malicious actors can be stolen by users’ funds. But this is unlikely to happen. Most of the results are associated with exemplary case violations, code quality problems and trust models.
The second security review was limited to the problems found in the first security review, and no other code change was not appreciated.
Threshold
There was no important serious problem.
The severity is high
There is no high severe serious problem.
Intermediate
M1: front run Sickle
Distribution provides an opportunity for an attacker to specify arbitrary. approved
and referralCode
controversy
Low severity
L1: The billing fee can be bypassed for multiple functions.
Significance of warning
W1: The withdrawal of funds can be blocked Collector
Contract by not accepting tokens
W2: The connector is a single failure point
W3: Use function inplace=True
In the gauge using NFT, the debate always fails.
W4: missing CompoundFor
Fees
W5: block.timestamp
Used on the swap deadline
W6: Incorrect price calculations
Information seriousness
I1: Missing Natspec Comments
I2: Potential misconduct calculation
i3: Unexpected reversal increase
function
i4: Event missing MultiFarmStrategy
Trust model
This protocol must trust the manager who controls important parameters (fare, white list, connector update) and automatically running the task on behalf of himself. The user maintains the centralized control point while the user controls the Nat instance and the location settings. Trust risks are partially relaxed through hard -coded limits and multi -IG requirements. However, users must accept the risk of centralized control and potential trading manipulation of automatic devices that can control transaction timing.
conclusion
Ackee Blockchain Security recommended VFAT.
- verification
approved
factordeposit
If the same, it functionsSickle.approved
; - Make a trust model more without permission.
- use
prices
Instead functiongetPoolPrice
For price calculation; - Read and review a complete audit report. and
- Solve all identified problems.
You can find the entire VFAT Farm Strategic Audit Report of AcKee Blockchain Security. here.
We were happy to be grateful for VFAT again, and we look forward to working with them in the future.