Code Review and a Security Assessment for the Yield Optimization Platform (YOP) Protocol EVM
BTblock has partnered with YOP to conduct a Code Review and a Security Assessment for the Yield Optimization Platform (YOP) Protocol EVM. The platform is developed in Solidity and will be deployed on the Ethereum network; initial strategy development will focus on a number of the top DeFi protocols on the Ethereum blockchain, including Aave, Convex, Curve, Uniswap, Sushiswap, Index Coop, and Lido.
The YOP Ecosystem aims to simplify Yield Farming by creating a platform for individuals with all levels of experience to invest in DeFi Protocols confidently. Users can educate themselves by reviewing the extensive risk evaluations provided and choose from varying levels of complex strategy logic all while requiring minimal user interaction. YOP will continually reinvest earnings and provide metrics and insight so the user can make informed decisions based on their personal risk tolerance. Ultimately, the goal for the YOP Ecosystem is to work seamlessly across multiple blockchains and provide access to all DeFi Protocols on all supported chains.
What is YOP?
Yield Optimization Platform (YOP) is an application that allows users to interact with the best DeFi protocols across the top blockchains in a simple and easy-to-use way. YOP believes that DeFi should be accessible, transparent, and diversified. This project features an intuitive interface that breaks down exactly how your Yield is being generated while allowing you to gain exposure to multiple blockchains - all from a single application. YOP’s mission is to be a gateway for those seeking to participate in and learn about DeFi, whether you’re a beginner or an expert.
YOP tokens are distributed across seven pools: Community, Reserve, Marketing, Treasury, Team, Advisors, and Liquidity. The primary objective of YOP's tokenomics is to promote the long-term sustainability of the protocol. YOP can be bought on Uniswap, KuCoin, and Gate.io.
YOP is powered by Pluto Digital PLC, a crypto operations and technology company. This seasoned management team has extensive experience and resources to help bring YOP to the next level.
The BTblock Process
When BTblock performs an assessment, we focus on the code committed at a specific point in time, once the code base is feature complete. Our goal is to give our clients the following:
A better understanding of their security posture, helping them identify current and future risks in their deployed chain and contract infrastructure.
An opinion on the maturity, adequacy, and efficiency of the security measures in place.
Identification of potential issues, including loss-of-funds scenarios, with improvement recommendations based on the results of our assessment.
A better understanding, for the development team, of how to write and maintain more secure code. The incremental increase in security is part of the overall increase in the quality of the project.
In reviewing solutions such as the YOP Protocol EVM, we start from a threat assessment of the possible exploits of the system, then review the code, the authentication and authorization paths, every component, and the fund-loss scenarios. This review met our requirements for an effectively implemented product, including the resolution of the findings we uncovered.
Findings & Report
During the Security Assessment for the YOP Protocol EVM, we discovered:
One finding with a MEDIUM severity rating
Three findings with a LOW severity rating
One finding with an INFORMATIONAL severity rating
The three LOW severity findings were remediated, reducing the risk of application downtime caused by unintended exploitation of the smart contracts, accidental function calls by non-authorized roles, and a duplicate contract name. The MEDIUM severity finding could result in a loss of contract control: the FeeCollection contract did not initially protect its initialize function, so any account could call initialize before the contract owner did and take over the contract. The YOP team mitigated this by deploying through the hardhat-upgrades plugin and accepted the residual risk identified.
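The pattern behind the MEDIUM finding, shown as an added illustration rather than YOP's FeeCollection code: an upgradeable contract whose initialize function has no guard lets the first caller become owner, while the hardened version restricts initialization to a single call per proxy and locks the implementation contract itself. The contract names, the feeRecipient field and the OpenZeppelin Contracts Upgradeable 4.x imports are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example written for this page; not YOP's FeeCollection code.
// Assumes OpenZeppelin Contracts Upgradeable 4.x (Ownable init takes no args).
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// VULNERABLE: nothing stops an arbitrary account from calling initialize()
// on the proxy (or on the bare implementation) before the deployer does.
// Whoever wins that race becomes owner and controls every owner-only function.
contract FeeCollectorUnprotected {
    address public owner;
    address public feeRecipient;

    function initialize(address _feeRecipient) external {
        owner = msg.sender;        // first caller wins, and it can be called again
        feeRecipient = _feeRecipient;
    }

    function setFeeRecipient(address recipient) external {
        require(msg.sender == owner, "not owner");
        feeRecipient = recipient;
    }
}

// HARDENED: one-shot initializer plus a locked implementation contract.
contract FeeCollectorProtected is Initializable, OwnableUpgradeable {
    address public feeRecipient;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Marks the implementation as already initialized, so initialize()
        // can never be called on it directly; only proxies delegating to it
        // can run their own initialization.
        _disableInitializers();
    }

    // `initializer` allows exactly one successful call per proxy storage;
    // any later call reverts with "Initializable: contract is already initialized".
    function initialize(address _feeRecipient) external initializer {
        __Ownable_init();          // owner = msg.sender
        feeRecipient = _feeRecipient;
    }

    function setFeeRecipient(address recipient) external onlyOwner {
        feeRecipient = recipient;
    }
}
```

The initializer modifier alone does not close the window: a proxy deployed in one transaction and initialized in a later one can still be claimed in between. The hardhat-upgrades plugin's deployProxy passes the initialize call as the proxy's constructor data, so deployment and initialization happen atomically in a single transaction, which is what removes the race; _disableInitializers() covers the separate case of someone initializing the implementation contract directly.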
In general, the team was very supportive and open to discussing the design choices made. Several strengths were noted during the review, including well-structured and organized code and project files, and clearly defined, well-designed smart contract access rights.
The full BTblock report can be found below: