Runtime Verification audits Yieldly's Multi-token Staking Pool

Posted on February 3rd, 2022 by Runtime Verification
Posted in Audits

Runtime Verification is thrilled to announce the audit completion of Yieldly's Multi-token Staking Pool smart contract. Yieldly is a suite of DeFi products built on the Algorand blockchain offering liquidity mining, multi-asset staking, cross-chain swapping, and no-loss prize games to their users.

Audit scope

Our team had already worked closely with the Yieldly team on an earlier audit of another set of their contracts. This time, we audited Yieldly's Multi-token Staking Pool smart contract.

The scope of this audit is limited to the source code of the "staking.teal" smart contract, written in TEAL v5. The contract uses inner transactions to pay out staking rewards and to close out users' shares in Yieldly's LP pools. In addition, the Yieldly team provided a description of the atomic transaction groups and flowcharts to facilitate the review of the overall code.

Methodology

Runtime Verification conducted a best-effort audit of Yieldly's Multi-token Staking Pool smart contract over a period of two weeks and published a detailed report on December 2nd, 2021.

The first stage of the audit consisted of understanding the code and its logic through the documentation, while keeping an open and regular conversation with the Yieldly team to resolve any questions that arose during the review.

The next step was a manual review of the contract's TEAL implementation. During this review, a series of potential attack vectors was identified, and extra steps were needed to determine whether each was a real issue in the code that the Yieldly team needed to fix promptly. To do so, our team set up a private Algorand network, deployed the smart contract in that isolated environment, and tested whether the problematic scenarios identified during the review were in fact reachable.

In addition, the rewards calculation logic was analyzed to identify any problems introduced by integer rounding, and a Python model was built to simulate the rewards unlocking logic; this simulation surfaced a series of potential improvements. Before finishing the audit, a final review of the code was conducted to look for any additional attack scenarios.
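As an added illustration of the kind of rounding analysis described above (this is example code written for this post, not code from the audit report or from Yieldly's contract), the model below shows why an auditor checks a TEAL reward formula for both truncation and overflow. TEAL arithmetic is unsigned 64-bit integer math, so a pro-rata payout such as stake * reward_pool / total_stake truncates, and the product can exceed 2^64. The formula, account names and amounts used here are assumptions, not Yieldly's actual logic.

```python
"""Integer-rounding model for a pro-rata staking reward payout.

Assumed formula (not Yieldly's): payout = stake * reward_pool / total_stake,
evaluated in TEAL-style unsigned 64-bit integer arithmetic.
"""

MAX_UINT64 = 2**64 - 1


def payout_mul_first(stake: int, reward_pool: int, total_stake: int) -> int:
    """Mirrors the TEAL sequence `stake reward_pool * total_stake /`.

    Multiplying first keeps precision, but the 64-bit product can overflow;
    TEAL fails the transaction in that case, so we raise here to model it.
    """
    product = stake * reward_pool
    if product > MAX_UINT64:
        raise OverflowError("stake * reward_pool does not fit in uint64")
    return product // total_stake


def payout_div_first(stake: int, reward_pool: int, total_stake: int) -> int:
    """Naive ordering: divide first, then multiply.

    If reward_pool < total_stake the per-unit reward truncates to 0 and every
    staker is paid nothing, even though the pool is funded.
    """
    return stake * (reward_pool // total_stake)


def payout_wide(stake: int, reward_pool: int, total_stake: int) -> int:
    """Models `mulw` followed by `divmodw`: 128-bit intermediate product.

    Python integers are unbounded, so this is exact; it represents the
    overflow-safe way to write the same formula in TEAL v4+.
    """
    return (stake * reward_pool) // total_stake


def overflows(stake: int, reward_pool: int, total_stake: int) -> bool:
    """True if the 64-bit mul-first form would fail where the wide form succeeds."""
    try:
        payout_mul_first(stake, reward_pool, total_stake)
    except OverflowError:
        return True
    return False


def distribute(stakes: dict, reward_pool: int, payout_fn) -> tuple:
    """Pay every staker with payout_fn and report the undistributed dust.

    Each truncation loses strictly less than one unit, so the dust is always
    non-negative and bounded by the number of stakers.
    """
    total = sum(stakes.values())
    payouts = {acct: payout_fn(s, reward_pool, total) for acct, s in stakes.items()}
    dust = reward_pool - sum(payouts.values())
    assert 0 <= dust < len(stakes) or payout_fn is payout_div_first
    return payouts, dust


# Constructed sample input: stakes in micro-units, a pool smaller than total stake.
SAMPLE_STAKES = {"alice": 1_000_000, "bob": 2_500_000, "carol": 6_500_000}
SAMPLE_POOL = 1_234_567


if __name__ == "__main__":
    for fn in (payout_mul_first, payout_div_first, payout_wide):
        payouts, dust = distribute(SAMPLE_STAKES, SAMPLE_POOL, fn)
        print(f"{fn.__name__:18} payouts={payouts} dust={dust}")
    print("mul-first overflows on large operands:", overflows(2**40, 2**30, 2**40))
```

Running the model with the sample input shows that the mul-first and wide forms both leave two units of dust in the pool, while the div-first form pays every staker zero and strands the whole pool; the wide form is the only one that also survives large operands. A practitioner checking a real contract would replace the assumed formula with the contract's exact opcode sequence and confirm that leftover dust cannot accumulate into a lockable or drainable balance.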

Results

The audit identified and highlighted several issues along with a number of informative findings. The Yieldly team addressed all the issues and concerns raised during the audit and incorporated the necessary changes into the smart contract.

In a best-effort audit, auditors work against the clock to look for dangerous attack vectors and find issues. Some parts of the code often need to be prioritized over others, depending on potential risk or the client's preferences. Best-effort audits are useful for identifying and mitigating risk when updating or introducing new products to a platform, but they have limitations due to time constraints and code length. Our auditors identified several issues during the short period of two weeks and worked alongside the Yieldly team to reduce as far as possible the scenarios in which an attack could occur.

Users interested in a more detailed and technical explanation about the findings can go over the full report in our GitHub repository.

About Yieldly

As the first and largest DeFi platform built on Algorand, Yieldly is at the forefront of trailblazing products for the ecosystem to truly flourish. Yieldly’s multi-audited product suite includes liquidity mining, staking, cross-chain bridge, and no-loss prize games. Even with multiple ASA partnerships, $155M TVL ATH, 3.2M+ transactions processed, and the highest rewards on Algorand, Yieldly is only just getting started. Expect plenty more from Yieldly in 2022, including Algorand’s first native end-to-end launchpad.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.