DESCRIPTION
The Mellow project provides an open platform on which liquidity providers earn rewards from the liquidity they supply, and strategists earn performance fees by implementing active liquidity management strategies that manage that liquidity.
The core contracts covered in this audit include the Mellow Vault contracts in the code repository. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we did not find any critical issues within the audited codebase. However, we have identified nine non-critical issues that should be addressed. Additionally, we have made five recommendations to further strengthen the code logic. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we found 9 potential issues in the smart contracts. We also have 5 recommendations and 0 notes, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | Low | Potential conflict of access control in LStrategy | Software Security | Fixed |
2 | Low | Unchecked governance parameters | Software Security | Fixed |
3 | Medium | Lack of checks on the vault type for AggregateVault | DeFi Security | Fixed |
4 | Low | Undetermined allocation for the liquidity mining rewards | DeFi Security | Acknowledged |
5 | Low | Potential dust tokens left in the vault | DeFi Security | Fixed |
6 | Medium | The delay mechanism to update the validator parameters could be disabled | DeFi Security | Fixed |
7 | Medium | Improper price calculation in the _getTvlToken0 function | DeFi Security | Fixed |
8 | Low | Incorrect TVL calculation of the AAVE vault | DeFi Security | Fixed |
9 | Medium | Lack of access control for the new governance function | DeFi Security | Fixed |
10 | - | Remove unnecessary checks in ERC20RootVault | Recommendation | Acknowledged |
11 | - | Avoid using shadowed variables | Recommendation | Fixed |
12 | - | Use mulDiv to prevent precision losses | Recommendation | Fixed |
13 | - | Fix incorrect event variables | Recommendation | Fixed |
14 | - | Inconsistent slippage checks in deposit and withdraw | Recommendation | Acknowledged |
More details are provided in the audit report.