Sturdy

Off-Chain (Private)
Audited on 2022/12/13
No active critical issues

Summary

Sturdy is a lending protocol that leverages user collateral to produce yield and provide interest-free loans and stable lending rewards. Collateral deposited into the protocol is converted to yield-bearing tokens through another integrated DeFi protocol, such as Lido or Yearn Finance. The yield produced by these protocols is paid out as interest to lenders. Interest rates for borrowers remain at zero until a utilization threshold is reached.

During the audit, we found several serious issues that pose a risk to users of the Sturdy protocol. In particular, QSP-1 allows one compromised vault to drain the entire protocol's funds. QSP-2 results in users being unable to withdraw their collateral under some circumstances. QSP-3 could allow replay attacks across multiple forks of a chain.

The Sturdy team has implemented tests to verify the protocol's behavior in numerous situations. These include integration tests based on a local mainnet fork. However, we cannot verify the quality of these tests, as the team has provided no method of obtaining code coverage results. It is thus possible that significant parts of the code have not been sufficiently tested.

The protocol relies on oracles that are not within the scope of the audit. If the oracles do not function as expected, the protocol could catastrophically fail. The protocol also depends on many external protocols, including Lido and Yearn Finance, which often hold the users' collateral. If these protocols were compromised, the users' funds could be lost regardless of the security of the Sturdy contracts.

The Sturdy team has cooperated with the auditors and has helpfully answered our questions. We strongly recommend that the Sturdy team fix all issues found in the report. We further recommend that the Sturdy team provide a way to evaluate code coverage to ensure that every part of the protocol has been tested.

**Update:**

The Sturdy team has either fixed, mitigated, or acknowledged all issues found within the report. All vulnerabilities of medium severity or higher have been either fixed or sufficiently mitigated. However, we still recommend that the team fix some of the acknowledged issues, including QSP-13, QSP-14, QSP-17, QSP-19, QSP-21, QSP-22, and QSP-26.

The Sturdy team has not provided a way to check the code coverage of the protocol's contracts. Without a code coverage report, we cannot determine whether parts of the protocol remain untested. We recommend that the Sturdy team implement a code coverage report and increase the test coverage of any contracts lacking it.


Issues (26)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 12 | 2 | - | - | 14 |
| Fixed | 7 | 5 | - | - | 12 |
| Total | 19 | 7 | 0 | 0 | 26 |


Contracts (24)