CoinFabrik was requested to audit the contracts for the YFFII challenge. First we’ll present a abstract of our discoveries after which we’ll present the main points of our findings.

The contracts audited are the contracts deployed at 0x91a06884F6db45FF499cC2f7C6f3eb60a617D5AE and 0x900E9bAEc63BcdB9FBb0D9743326360e6AE4B2dB.


The audited contracts are:

  • Controller.sol (md5: 304e66a01ff2b10b81763a06f09bc6e2)
  • YearnRewards.sol (md5: a6937e2f61dcabc8bca2825bd45e485e)


The next analyses have been carried out:

  • Misuse of the totally different name strategies
  • Integer overflow errors
  • Division by zero errors
  • Outdated model of Solidity compiler
  • Entrance working assaults
  • Reentrancy assaults
  • Misuse of block timestamps
  • Softlock denial of service assaults
  • Features with extreme fuel price
  • Lacking or misused operate qualifiers
  • Needlessly complicated code and contract interactions
  • Poor or nonexistent error dealing with
  • Failure to make use of a withdrawal sample
  • Inadequate validation of the enter parameters
  • Incorrect dealing with of cryptographic signatures

Severity Classification

Safety dangers are labeled as follows:

  • Important: These are points that we handle to use. They compromise the system significantly. They should be mounted instantly.
  • Medium: These are doubtlessly exploitable points. Though we didn’t handle to use them or their affect just isn’t clear, they may symbolize a safety danger within the close to future. We propose fixing them as quickly as potential.
  • Minor: These points symbolize issues which might be comparatively small or tough to make the most of however might be exploited together with different points. These sorts of points don’t block deployments in manufacturing environments. They need to be taken under consideration and be mounted when potential.
  • Enhancement: These sorts of findings don’t symbolize a safety danger. They’re finest practices that we advise to implement.

This classification is summarized within the following desk:

Important Sure Sure Instantly
Medium Within the close to future Sure As quickly as potential
Minor Unlikely No Ultimately
Enhancement No No Ultimately

Important severity

No problems with essential severity discovered.

Medium severity

No problems with medium severity discovered

Minor severity

No problems with minor severity discovered


Outdated Solidity compiler model

The most recent Solidity compiler model at the moment obtainable is 0.7.4, switching from 0.5.x to 0.7.x entails modifying the code nevertheless on condition that the challenge continues to be small, we suggest contemplating to take action as it might assist you to benefit from the newest bug fixes and fuel optimization adjustments to the date.

In case you want to stick with the 0.5.16 model we suggest not utilizing a floating pragma because it permits older variations of 0.5.x for use, the next pragma is extra acceptable: pragma solidity 0.5.16;

Generally used require statements might be modified to modifiers

Presently the next require assertion might be seen in lots of features via the code:

This may be refactored into utilizing a modifier, in order that solely an additional phrase must be utilized in every operate header when wanted:

The identical might be finished with the next require assertion:

Like this:

This variation is merely for decreasing code complexity and doesn’t change the logic in any approach.

We discovered the contracts to be easy and simple and to have an total good high quality code.

A big a part of the logic is completed in exterior contracts, it is vitally essential that you just ensure to at all times use the right addresses referring to trusted and verified contracts, and that these cannot get modified by exterior events.

Disclaimer: This audit report just isn’t a safety guarantee, funding recommendation, or an approval of the YFFII challenge since CoinFabrik has not reviewed its platform. Furthermore, it doesn’t present a wise contract code faultlessness assure. Exterior contracts haven’t been audited by CoinFabrik and have been assumed to work correctly throughout this audit.


Please enter your comment!
Please enter your name here