{"id":1002,"date":"2025-02-25T13:29:31","date_gmt":"2025-02-25T11:29:31","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1002"},"modified":"2025-02-28T12:25:47","modified_gmt":"2025-02-28T10:25:47","slug":"cian-yield-layer-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/cian-yield-layer-audit-summary\/","title":{"rendered":"Cian Yield Layer Audit Summary"},"content":{"rendered":"

Cian protocol’s yield layer allows users to deposit assets into a Vault contract to earn yield via multiple strategies. The protocol is interoperable cross-chain, offering pools on various chains that can hold a representation of the Vault token. This can be exchanged for deposit tokens on the given chain.<\/span><\/p>\n

METHODOLOGY<\/span><\/h2>\n
    \n
  1. Verification of technical specification<\/b>
    \n<\/span>The audit scope is confirmed with the client, and auditors are onboarded to the project. Provided documentation is reviewed and compared to the audited system.<\/span><\/li>\n
  2. Tool-based analysis<\/b>
    \n<\/span>A deep check with Solidity static analysis tool <\/span>Wake<\/span><\/a> in companion with <\/span>Solidity (Wake)<\/span><\/a> extension is performed, flagging potential vulnerabilities for further analysis early in the process.<\/span><\/li>\n
  3. Manual code review<\/b>
    \n<\/span>Auditors manually check the code line by line, identifying vulnerabilities and code quality issues. The main focus is on recognizing potential edge cases and project-specific risks.<\/span><\/li>\n
  4. Local deployment and hacking<\/b>
    \n<\/span>Contracts are deployed in a local <\/span>    Wake<\/span><\/a> environment, where targeted attempts to exploit vulnerabilities are made. The contracts’ resilience against various attack vectors is evaluated.<\/span><\/li>\n
  5. Unit and fuzz testing<\/b>
    \n<\/span>Unit tests are run to verify expected system behavior. Additional unit or fuzz tests may be written using <\/span>    Wake<\/span><\/a> framework if any coverage gaps are identified. The goal is to verify the system\u2019s stability under real-world conditions and ensure robustness against both expected and unexpected inputs<\/span><\/li>\n<\/ol>\n

    We began our review using static analysis tools, including <\/span>Wake<\/span><\/a>. We then took a deep dive into the logic of the contracts. For testing and fuzzing, we used the <\/span>Wake<\/span><\/a> testing framework. For more information on fuzzing, see the respective section in the <\/span>full audit report<\/span><\/a>.<\/span><\/p>\n

    During the review, we paid special attention to:\u00a0<\/span><\/p>\n