VFAT is a yield Agrigator that uses the Natt Smart Contract Wallet for yield agriculture. Reduce complex tasks such as input and termination, complex or re -adjustment in the position.
The protocol team participated in the Ackee Blockchain Security and conducted a security review of the farm strategy smart contract with a total of 12 days of donation for 12 days between May 19 and June 3, 2025.
Second, the revision review of the previous revision was conducted.
We are grateful for the optimism of the subsidies and VFAT’s previous audit.
methodology
We started reviewing using static analysis tools, including Wake. Then I dive about the logic of the contract.
During the review, we paid special attention later.
- The arithmetic guarantee of the system is correct.
- Reinvision detection possible in the code;
- Safety confirmation of using delegateCall;
- Access control is not too comfortable or strict.
- Accuracy confirmation of implementation of the possibility of upgrade; and
- We are looking for common problems such as data verification.
range
The first audit was performed for the commit. d85b2cd And the range is as follows:
contracts/connectors/uniswap/UniswapV3Connector.solcontracts/connectors/velodrome/SlipstreamGaugeConnector.solcontracts/connectors/velodrome/SlipstreamNftConnector.solcontracts/connectors/velodrome/VelodromeGaugeRegistry.solcontracts/strategies/FarmStrategy.solcontracts/strategies/MultiFarmStrategy.solcontracts/strategies/NftFarmStrategy.solcontracts/strategies/SweepStrategy.solcontracts/libraries/ZapLib.solcontracts/libraries/NftZapLib.sol
The focus of this gratitude was to review the integration with the external protocol of the protocol and the Belodrome.
The second review was carried out for a given commit. e5ff820. The scope of the second review was limited to modifications of the problems found in the previous revision, and no other code change was not audited. Five problems have been solved and customers have recognized seven problems.
Security discovery classification is determined by two grades. influence and What can be. This two -dimensional classification helps to clarify the seriousness of individual problems. The problem to be evaluated middle It is severe, but the possibility of being found only by the team is generally reduced according to the possibility. wAnnings or menFormational Severe rating.
Our review results have emerged 12 DiscoveryFrom information to intermediate seriousness. The most serious was M1, which is a frontal problem that malicious actors can be stolen by users’ funds. But this is unlikely to happen. Most of the results are associated with exemplary case violations, code quality problems and trust models.
The second security review was limited to the problems found in the first security review, and no other code change was not appreciated.
Threshold
There was no important serious problem.
The severity is high
There is no high severe serious problem.
Intermediate
M1: front run Sickle Distribution provides an opportunity for an attacker to specify arbitrary. approved and referralCode controversy
Low severity
L1: The billing fee can be bypassed for multiple functions.
Significance of warning
W1: The withdrawal of funds can be blocked Collector Contract by not accepting tokens
W2: The connector is a single failure point
W3: Use function inplace=True In the gauge using NFT, the debate always fails.
W4: missing CompoundFor Fees
W5: block.timestamp Used on the swap deadline
W6: Incorrect price calculations
Information seriousness
I1: Missing Natspec Comments
I2: Potential misconduct calculation
i3: Unexpected reversal increase function
i4: Event missing MultiFarmStrategy
Trust model
This protocol must trust the manager who controls important parameters (fare, white list, connector update) and automatically running the task on behalf of himself. The user maintains the centralized control point while the user controls the Nat instance and the location settings. Trust risks are partially relaxed through hard -coded limits and multi -IG requirements. However, users must accept the risk of centralized control and potential trading manipulation of automatic devices that can control transaction timing.
conclusion
Ackee Blockchain Security recommended VFAT.
- verification
approvedfactordepositIf the same, it functionsSickle.approved; - Make a trust model more without permission.
- use
pricesInstead functiongetPoolPriceFor price calculation; - Read and review a complete audit report. and
- Solve all identified problems.
You can find the entire VFAT Farm Strategic Audit Report of AcKee Blockchain Security. here.
We were happy to be grateful for VFAT again, and we look forward to working with them in the future.