FYEO performed a security assessment of the Sommelier Cellar Smart Contracts in April 2022. Following further development, the Sommelier team engaged FYEO to perform a second security assessment in June 2022.
The protocol is programmed in Solidity and built on Cosmos using Cosmos Stargate SDK. Sommelier chain’s goal is to enable 3rd party strategists to build strategy on the platform with unseen power on DeFi with use of off-chain computation models. These strategies can be executed across multiple blockchains, maximizing and simplifying interoperability. The Sommelier Protocol executes a strategy by using two main components: a strategy provider and a cellar contract. Sommelier's approach to the architecture of the protocol provides flexibility and a solution to run off-chain computation in a secure and decentralized manner.
Sommelier is built on the Cosmos layer as a modular protocol with Tendermint Consensus, a Bi-Directional Ethereum Bridge that optimizes extensive Ethereum features for users, validators set with decentralized governance, automated signatures for increased liquidity momentum and yield capture, off-chain computation, automated portfolio rebalancing, and lower Ethereum gas fees. Cellar smart contracts are smart contracts that represent an on-chain investment strategy that can take in arbitrary inputs/commands from off-chain. This approach begins with :
Cellar developers who create the smart contracts that implement the cellar strategy
Cellar creators that generate a new investment strategy that will then pass through governance prior to being accepted into Sommelier infrastructure, and
A strategy provider who sends live investment instructions to the Sommelier validators, which are then used to update the cellar position.
The FYEO Process
When FYEO performs an assessment, we focus on the code committed at a specific time when the code base is feature complete.
Our goal is to give our clients the following:
A better understanding of its security posture and help them identify current and future risks in its deployed chain & contract infrastructure.
An opinion on what security measures are in place regarding maturity, adequacy, and efficiency.
Identify potential issues, including loss of funds scenarios, and include improvement recommendations based on the result of our assessment.
Give the development team a better understanding of writing and maintaining more secure code. The incremental increase of security is part of the overall increased quality of the project.
Findings & Report
During the 1st Security Assessment for the Sommelier Cellar Smart Contracts, we discovered:
2 findings with a HIGH severity rating
1 finding with a LOW severity rating
1 finding with an INFORMATIONAL severity rating
During the 2nd Security Assessment for the Sommelier Cellar Smart Contracts, we discovered:
1 finding with a HIGH severity rating
1 finding with a LOW severity rating
1 finding with an INFORMATIONAL severity rating
Following both reviews, the Sommelier team implemented patches for these findings based on the recommendations by the FYEO security team. Several strengths were noted during the review, such as well structured code and project files which enhance UX and maintenance, well-designed smart contracts that clearly define access rights, custom explanations of verification errors, and the use of an up-to-date compiler.
Please see the attached full report:
Security Assessment: May 2022
Security Assessment: July 2022