yAxis V3 — Vault Security

yAxis Project
7 min readFeb 10, 2022

yAxis’ v3 vaults launched in late 2021. The four initial vaults (LINK, BTC, ETH, USD) were launched with fixed deposit caps. Those caps were designed specifically to limit losses in the event of malicious attacks or security exploits.

Since launch day, those caps have been removed, the vaults have remained secure, and the total vault TVL has risen to over $40 Million dollars.

With the launch of three new yAxis vaults, the team are mindful of our impeccable security credentials. As such, we remain hyper focused in our efforts to provide both reliable, industry leading yields while keeping user assets safe and sound.

Without further ado, here is a recap of how yAxis approaches protocol level security.

yAxis Security

Today’s cybersecurity threat landscape is dynamic, intelligent, and most of all, ruthless.

The incentives for successfully carrying out exploits on DeFi (Decentralised Finance) projects are high. The promise of untold riches has resulted in protocol exploits becoming ever more prevalent and sophisticated, with hackers frequently finding new ways to probe, attack and prosper. And sadly, this continued threat of loss of funds remains a significant barrier to mainstream DeFi adoption.

Security goals

The safety of our users’ funds is paramount, and ever since the first iteration of yAxis in late 2020, we have worked tirelessly to enhance our security credentials and minimize risk.

During the design, development and implementation of the V3 vaults we prioritized protocol security. We took our solid V1 and V2 security foundations, built upon them, and in doing so, we believe we have elevated our safety game to a much higher level.

The yAxis security progression

yAxis MetaVault V2 which launched in April 2021 was double audited by prominent auditors Quantstamp and Haechi. yAxis also run an ongoing USD $85K Immunefi Bug Bounty program which focuses on smart contract vulnerability reporting.

In May of 2021, yAxis strengthened its ties with ImmuneFi by becoming early adopters of ImmuneFi’s all new “War Room’’ crisis response hotline.

Read more about the ImmuneFi War room here.


Not wanting to rest on our significant security laurels, yAxis V3 vaults adds several new and updated layers of protocol protection.

V3 Security features

  • Audits. A prerequisite for all new protocol releases are security audits. Leading up to the V3 vault launch, yAxis carried out two comprehensive security audits.

1: Code 423n4 — Audit. The Code 423n4 $60k week-long smart contract audit contest ran between the 9th and 15th of September and represented a huge success for the team.

In total, thirteen security researchers submitted 88 unique findings to the audit. Vulnerabilities ranged from HIGH to LOW severity including 11 non-critical recommendations and 27 gas optimizations.
Each of the C4 findings were critically assessed by the yAxis development team, resulting in either patches, fixes or updates to the underlying protocol architecture. Details can be found at yAxis’ Github.

2: Haechi — Audit. The Haechi Audit was carried out post C4 audit and discovered 1 minor issue. The Haechi audit report can be found here.

The team employed a staggered-multifaceted audit approach for the V3 vaults, in which we combined the community-driven competitive smart contract style of audit run by (Code 423n4) with that of a more conventional audit from top tier auditors Haechi.

The C4 audit approach is ideal for highly specialized security researchers who are incentivized based on the number of bugs found and the risk of the bugs found. Many of these researchers focus exclusively on their particular areas of expertise, for example gas optimization, and are not laboured with having to review the entire code base. This approach proved incredibly beneficial as can be seen from the C4 report findings here.

In addition, the staggered timing of the audits gave the yAxis development team an opportunity to address issues raised by C4 before Haechi results were released, essentially creating an audit upon an audit.

The subsequent Haechi Audit and its one minor finding not only provided additional confidence in our code base but also the thorough nature of the C4 audit. Staggering audits and the employment of differing audit models is an approach we highly recommend to other teams who are looking to maximise protocol security.

  • Halt flag function. The halt flag function is an in-house built security feature that guards against attempts at malicious Governance.

Note: yAxis governance and the yAxis strategist are two different entities. Governance approves strategies, but it is the strategist that adds strategies to the protocol.

If governance were ever compromised, malicious actors could potentially vote in their own strategist and put user funds at risk. With the V3 vaults, any change of strategist will require 7 days to take effect, giving the community time to direct the current strategist to call the halting flag. Once triggered, the halting flag only permits fund withdrawals by the users, leaving the malicious actor incapable of siphoning deposited assets.

  • yAxis and smart contract interactions. A key security feature of yAxis V2, is how external smart contract interactions are disallowed by default. This security solution prevented any type of flash loan or re-entrancy type of attack.

With V3 our approach to smart contract interactions is more nuanced, in that the protocol does not allow any depositing address to interact with external projects through the vault.

This difference means that depositors can’t manipulate pools simply by depositing funds.

  • Open-source code. The diligence and responsiveness of the open-source community to security problems is incredibly beneficial. The fact that we have had “eyes on” our code ever since V1, has aided in identifying and fixing problems whenever they became apparent.
  • Rather than have our code molder in a proprietary environment, yAxis has benefited immensely from open-source transparency and we look to continue to embrace and to support this approach as we launch V3.
  • Multisig team wallet. Multisignature wallets (or multisig, for short), are cryptocurrency wallets that require two or more private keys to sign and send a transaction. yAxis utilises Multisig wallets for all of its transactions, ensuring that no one or two people are able to withdraw funds from team accounts.
  • Better protocol visibility through new and improved UX/UI. With the launch of V3, the team continues to provide the consistent yAxis experience users have come to expect. This familiarity, coupled with enhanced ease of use V3 features, will continue to foster trust and to promote security when interacting with our product.

Security feature roadmap

  • Chainlink Keepers. The integration of Chainlink Keepers within the yAxis protocol will introduce increased levels of security and protocol efficiency. This integration will provide the yAxis development team with built-in access to a decentralized, provably reliable, and crypto-economically incentivized network of Keepers that will securely automate critical smart contract functions, resulting in more decentralised fund management and quicker response times in case a utilised strategy is exploited.
  • The YAXIS DAO (Decentralized Autonomous Organization). All well-governed DAO’s can provide technological and community solutions for the evolution of the ecosystem, including security reviews of proposed project advances. In the case of yAxis, all new vault strategies are presented to, and then voted on by the yAxis stakers.

The Future

Traditional financial services have always been built upon trust. As DeFi matures, it is apparent that this nascent industry is no different. The most successful protocols in DeFi are rapidly becoming the ones that people trust the most. In other words, why would you put your money into a protocol that may lose everything?

The issue of protocol security is already huge and will only increase in importance as more retail and institutional capital finds its way into DeFi.

With the launch of the three new V3 vaults and the associated buildout of advanced yAxis security features, we believe we have created one of the most robust and dynamic cybersecurity solutions in the industry.

Our detailed attention to protocol security will allow yAxis to further attract the DeFi enthusiast, as well as aggressively market to, and capture institutional capital.