{"id":526,"date":"2023-06-27T09:45:38","date_gmt":"2023-06-27T07:45:38","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=526"},"modified":"2024-07-04T15:29:21","modified_gmt":"2024-07-04T13:29:21","slug":"pendle-finance-pendle-v2-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/pendle-finance-pendle-v2-audit-summary\/","title":{"rendered":"Pendle Finance: Pendle V2 audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/www.pendle.finance\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Pendle Finance<\/span><\/a><span style=\"font-weight: 400;\"> is a DeFi protocol based on Ethereum and Avalanche. It allows users to tokenize and trade the yield of yield-generating mechanisms.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Pendle engaged Ackee Blockchain to conduct a security review of Pendle V2 with a total time donation of <\/span><b>4 engineering weeks <\/b><span style=\"font-weight: 400;\">between <\/span><b>April 25<\/b><span style=\"font-weight: 400;\"> and <\/span><b>May 20, 2022.<\/b><\/p>\n<h2><b>METHODOLOGY<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools and then took a deep dive into the logic of the contracts. 
During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">checking that nobody can breach the protocol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">checking the correctness of the upgradeability implementation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">checking the arithmetic of the Math libraries<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are not too relaxed<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">and looking for common issues such as data validation.<\/span><\/li>\n<\/ul>\n<h2><b>SCOPE\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The scope included the following repository with a given commit <code class=\"codehl\">pendle-core-internal-v2 - 9d93fc1<\/code><\/span><\/p>\n<p><span style=\"font-weight: 400;\">All contracts under the contracts folder were in scope, except for the following:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">core\/PendleSCYImpl\/AaveV3\/WadRayMath.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">core\/RouterStatic.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">libraries\/ExpiryUtilsLib.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">libraries\/JoeLibrary.sol<\/span><\/li>\n<\/ul>\n<h2><b>FINDINGS<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Here we present our findings.<\/span><\/p>\n<h3><b>Critical 
severity\u00a0<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h3><b>High severity\u00a0<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h3><b>Medium severity<\/b><\/h3>\n<p><b>M1: <\/b><span style=\"font-weight: 400;\">Insufficient data validation in PendleAaveV3SCY<\/span><\/p>\n<p><b>M2:<\/b><span style=\"font-weight: 400;\"> Integer overflow in Math library<\/span><\/p>\n<p><b>M3:<\/b><span style=\"font-weight: 400;\"> Usage of <code class=\"codehl\">solc<\/code> optimizer <\/span> <span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<h3><b>Low severity<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.<\/span><\/p>\n<h3><b>Warning severity <\/b><\/h3>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Potential front-running of several withdraw and mint functions<\/span><\/p>\n<p><b>W2:<\/b><span style=\"font-weight: 400;\"> Exotic tokens <\/span><\/p>\n<p><b>W3:<\/b><span style=\"font-weight: 400;\"> Dangerous callbacks <\/span><\/p>\n<p><b>W4:<\/b><span style=\"font-weight: 400;\"> Unintended change of the reentrancy lock state<\/span><\/p>\n<p><b>W5: <\/b><span style=\"font-weight: 400;\">Dynamic config potential inconsistency <\/span><\/p>\n<h3><b>Informational severity <\/b><\/h3>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Redundant cycle in RewardManager <\/span><\/p>\n<p><b>I2:<\/b><span style=\"font-weight: 400;\"> Same function names across the project <\/span><\/p>\n<p><b>I3: <\/b><span style=\"font-weight: 400;\">Unused code <\/span><\/p>\n<h2><b>CONCLUSION<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Our review resulted in <\/span><b>11 findings<\/b><span style=\"font-weight: 400;\">, ranging from <\/span><i><span style=\"font-weight: 400;\">Informational<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Medium<\/span><\/i><span 
style=\"font-weight: 400;\"> severity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ackee Blockchain <\/span><span style=\"font-weight: 400;\">recommends that Pendle:\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\">address all reported issues.\u00a0<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Pendle <\/i><\/b><b>audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/github.com\/pendle-finance\/pendle-core-v2-public\/blob\/main\/audits\/Ackee\/Ackee-Part%201.pdf\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Pendle<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pendle Finance is a DeFi protocol based on Ethereum and Avalanche. It allows users to tokenize and trade the yield of yield-generating mechanisms.\u00a0 Pendle engaged Ackee Blockchain to conduct a security review of Pendle V2 with a total time donation of 4 engineering weeks between April 25 and May 20, 2022. 
METHODOLOGY We began our review by using static analysis tools and&hellip;<\/p>\n","protected":false},"author":15,"featured_media":527,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80],"tags":[21,24,118,68],"class_list":["post-526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","tag-audit","tag-ethereum","tag-pendle","tag-solidity"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/06\/Pendle-audit-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/06\/Pendle-audit-1-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=526"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/526\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/527"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}