VFAT is a yield aggregator that uses the Sickle smart contract wallet for yield farming. It reduces complex operations such as entering and exiting positions, compounding, or rebalancing, into single transactions.<\/p>\n
The protocol team engaged Ackee Blockchain Security to perform a security review of Farm Strategies smart contracts with a total time donation of 12 engineering days in a period between May 19 and June 3, 2025.<\/p>\n
A second, fix review was performed of the fixes from the previous revision.<\/p>\n
We thank Optimism<\/a> for approving a grant that partly funded this and a previous audit of VFAT.<\/p>\n We began our review using static analysis tools, including Wake<\/a>. We then took a deep dive into the logic of the contracts.<\/p>\n During the review, we paid special attention to:<\/p>\n The first audit was performed on the commit The focus of this audit was to review the integration of the protocol with external protocols Uniswap and Velodrome.<\/p>\n The second review was done on the given commit The classification of a security finding is determined by two ratings: <\/span>impact<\/b> and <\/span>likelihood<\/b>. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as <\/span>medium<\/span><\/i> severity, but which would be likely discovered only by the team, are typically decreased by the likelihood factor to the W<\/em><\/span>arning<\/span><\/i> or I<\/em><\/span>nformational<\/span><\/i> severity ratings.<\/span><\/p>\n Our review resulted in 12 findings<\/strong>, ranging from Info to Medium severity. The most severe one was M1, which is a front-running issue through which users’ funds could be stolen by a malicious actor. However, the likelihood of this happening is low. Most findings are related to violations of best practices, code quality issues, and the trust model.<\/p>\n The second security review was limited to issues found in the first security review and no other code changes were audited.<\/p>\n No critical severity issues were found.<\/p>\n No high severity issues were found.<\/p>\n M1: Front-run of L1: The charge fee can be bypassed for several functions<\/p>\n W1: Withdrawal of funds can be blocked by W2: Connectors are a single point of failure<\/p>\n W3: Usage of function with W4: Missing W5: W6: Incorrect price calculation<\/p>\n I1: Missing NatSpec comments<\/p>\n I2: Potential incorrect fee calculation<\/p>\n I3: Unexpected revert in I4: Missing events in The protocol requires users to trust administrators who control critical parameters (fees, whitelists, Connector updates) and Automators who execute operations on their behalf. While users control their Sickle instances and position settings, the system maintains centralized control points. Trust risks are partially mitigated through hardcoded limits and multisig requirements; however, users must accept risks of centralized control and potential transaction manipulation by Automators who can control transaction timing.<\/p>\nMETHODOLOGY<\/span><\/h2>\n
\n
SCOPE<\/span><\/h2>\n
d85b2cd<\/code> and the scope was the following:<\/p>\n\n
contracts\/connectors\/uniswap\/UniswapV3Connector.sol<\/code><\/li>\ncontracts\/connectors\/velodrome\/SlipstreamGaugeConnector.sol<\/code><\/li>\ncontracts\/connectors\/velodrome\/SlipstreamNftConnector.sol<\/code><\/li>\ncontracts\/connectors\/velodrome\/VelodromeGaugeRegistry.sol<\/code><\/li>\ncontracts\/strategies\/FarmStrategy.sol<\/code><\/li>\ncontracts\/strategies\/MultiFarmStrategy.sol<\/code><\/li>\ncontracts\/strategies\/NftFarmStrategy.sol<\/code><\/li>\ncontracts\/strategies\/SweepStrategy.sol<\/code><\/li>\ncontracts\/libraries\/ZapLib.sol <\/code><\/li>\ncontracts\/libraries\/NftZapLib.sol<\/code><\/li>\n<\/ul>\ne5ff820<\/code>. The scope of the second review was limited to the fixes of issues found in the previous revision and no other code changes were audited. 5 issues were fixed, 7 issues acknowledged by the client.<\/p>\nFINDINGS<\/span><\/h2>\n
Critical severity<\/span><\/h3>\n
High severity<\/span><\/h3>\n
Medium severity<\/span><\/h3>\n
Sickle<\/code> deployment gives an opportunity for attacker to specify arbitrary approved<\/code> and referralCode<\/code> arguments<\/p>\nLow severity<\/span><\/h3>\n
Warning severity<\/span><\/h3>\n
Collector<\/code> contract by not accepting tokens<\/p>\ninplace=True<\/code> argument always fails in gauges that use NFTs<\/p>\nCompoundFor<\/code> fee calculation<\/p>\nblock.timestamp<\/code> is used for swap deadline<\/p>\nInformational severity<\/span><\/h3>\n
increase<\/code> function<\/p>\nMultiFarmStrategy<\/code><\/p>\nTRUST MODEL<\/span><\/h2>\n
CONCLUSION<\/span><\/h2>\n