The Weekly Yax #21: C4 Audit Review

yAxis Project
7 min readSep 20, 2021

--

The Weekly Yax is the easiest way to keep up with the yAxis Project. Every Sunday, we highlight major news and developments, alongside key takeaways from the week’s episode of Ya Herd?

Major News & Developments

Ya Herd? Week #21 Key Takeaways

This week’s episode was motivated by the conclusion of yAxis’s C4 smart contract audit contest. yAxis utilized this week’s Ya Herd as an opportunity to highlight the outputs from the C4 process and discuss the pathway for resolving the issues found and moving toward the v3 guarded launch.

Recap — why did yAxis choose C4?

The uniqueness of the C4 approach enabled greater time and cost flexibility than a traditional audit. In addition, the incentive structure established by C4’s contest infrastructure ensures a direct linkage between findings and compensation, as opposed to traditional audits, which are not required to find any issues. Furthermore, yAxis was attracted by C4’s ability to provide broad exposure to a diverse group of smart contract security experts, each bringing with them their own perspective to yield a more robust security review than one or two personnel from an audit firm.

Initial Reaction to Findings

The yAxis team and champs are super excited about the thoroughness of the C4 security review and the host of associated findings, which affirms yAxis’s belief that security reviews prior to product launches are imperative. If you don’t believe us, just listen to follow-up commentary from the Thorchain hacker “Disable [the product] until audits are complete…audits are not a nice to have…do not rush code that controls 9 figures.” Timmy Toes, an active yAxis community member, reinforced this philosophy during our v3 Audit and Launch Strategy Forum Discussion. Timmy reminded the yAxis community that guarded launch or not, security diligence is still important as yAxis only has one reputation.

Not only did the C4 outputs align with the sentiment above and validate yAxis’s commitment to sound security procedures, the value provided by the C4 process exceeded our expectations. The robustness of C4’s contest design led to a higher quality security review than yAxis received from audits on prior product releases. Not only were issues identified, but in many cases further detail was provided, such as a PoC of an attack vector and a recommended mitigation pathway. These details will help enable yAxis to arrive at effective resolutions quicker and reduce the need for back and forth/additional review. Moreover, the C4 Wardens also identified a wide range of non-bug UX improvements, which is another exceptional value-add. yAxis was already bought into the C4 approach heading into the contest, but now leaves even more appreciative of the opportunity to engage with such an innovative security review methodology.

Issues and Suggested Improvements

The recent C4 Audit Review article is a great resource for a high-level overview of the C4 Wardens’ findings and subsequent resolution process. During this week’s Ya Herd? we dove a little deeper into the various issues and improvements uncovered by the C4 Wardens. The primary high-risk issues identified were related to arbitrage opportunities between stablecoins. Multi-asset support within the same vault is a UX that yAxis is committed to providing, but that functionality does add complexity — hence why other yield aggregators, such as Badger and Yearn, tend to opt for single-asset vaults. The resolutions the arbitrage issues revolve around more robust accommodation of real-time price fluctuations in the stables the vault accepts to ensure that users cannot arbitrage between them.

The ability for harvests, the mechanism by which the vault takes the accumulated governance token from farming a given strategy and compounding that governance token back into the strategy, to be frontrun/sandwiched was another issue identified. Lastly, there were also a suite of findings related to switching between strategies, which is again a competitive advantage for yAxis to provide multi-asset and multi-strategy support within the same vault, but comes with additional complexity to implement effectively.

Furthermore, as a co-benefit from the C4 review, the Wardens suggested a variety of improvements to consolidate the code base and optimize gas usage. These improvements will help yAxis deliver better product performance and UX, aligning with the ethos of the Project.

A number of other issues identified were redundances — many Wardens identified arbitrage risk — or intentional ways of operation/non-actionable. For instance, accommodating an insurance event was referred to as “dead code,” but insurance functionality is something that was always planned to be built out after launch. Another issue raised was the belief that a harvest could be called by anyone, which is inaccurate as only whitelisted addresses are granted that ability.

Pathway Forward

The yAxis development team has worked diligently through the weekend to sift through the security review and identify issues that require resolution, weed out redundancies, and dispute any misinformed findings. Following this feedback process, C4 will distribute the contest pool to the Wardens and compile the relevant findings into a public report. As a reminder, you can view the other reports C4 has produced here. The dev team has also begun resolving necessary issues and is working to provide visibility into an updated guarded launch date. More issues were found, and thus more resolution time will be needed than originally anticipated.

The volume of findings is an indication of the thoroughness of C4’s approach and the talent of its security researchers. Many projects seek an audit certificate to slap on their website. yAxis is built different. We understand the value of an actual security review. A recent yAxis tweet highlights this security-first philosophy. While an upfront time investment, resolving the C4 findings prior to the guarded launch is incredibly important and positions yAxis to further strengthen its reputation and user trust, create a more secure product, and provide a superior UX.

The upcoming Haechi audit beginning September 28th will be on the reviewed code as an extra layer of diligence on any resolutions implemented coming out of the C4 process. The guarded launch will likely begin exclusive to the v3 stablecoin vault with potential consideration for trade-offs between multi-stable UX vs. time to market in the resolution of arbitrage issues. More guidance to come.

Overall, the yAxis team and champs believe strongly that the value returned to the Project through this C4 engagement far exceeded anything we could’ve hoped for. The v3 codebase is incredible valuable to the future of yAxis. By partaking in such a diligent, multi-faceted review, yAxis is forging a strong foundation for its future.

You can learn more about yAxis’s security approach here.

The full recording of this week’s episode can be found on YouTube and in podcast format.

yAxis Project Stats of the Week

  1. MetaVault TVL $2 million.
  2. YAXIS LP 356% APY (162% APR)
  3. Staking rewards are currently paused in preparation for the launch of the new staking contract with the guarded v3 launch. Learn more about the v3 staking gauges here.

Join Us: Bounties & Jobs

Coordinated by the yAxis Champions Programme, the yAxis Bounty Board lists requests for proposals (RFPs), where community members can respond to specific Project needs and receive compensation upon task completion. See the current opportunities below and check the Bounty Board frequently as more opportunities will be added over time, such as the recently added Convex Development Bounty, which led to this pull request.

If none of the current opportunities appeal to you, but you would still like to contribute, reach out to waali@yaxis.io. You have the opportunity to shape the next era of yAxis.

That concludes the twenty-first edition of The Weekly Yax. Thank you for reading and looking forward to many more!

Onward and upward, Herd!

--

--

No responses yet