The Sturdy Protocol has introduced new functionality, including leveraged yield farming and a new vault that integrates with the Aura protocol. The leveraged yield farming feature lets users increase their collateral holdings within their desired vault by purchasing more collateral with funds borrowed from Sturdy. The Aura vault works very similarly to existing vaults, especially the older Convex vault.

The auditing team found two critical issues with the new leverage contracts. QSP-1 describes a potential exploit that could be used to steal other users' collateral due to insufficient reentrancy protection and input validation. QSP-2 demonstrates the loss of user and protocol value due to broken slippage controls. Other notable findings relate to the incorrect implementation or validation of oracle price feeds (QSP-3, QSP-4, QSP-5). We strongly recommend that the Sturdy team fixes all issues found within the report.

While the Sturdy team has implemented many tests, including integration tests, the quality and coverage of these tests need to be improved. Many important behaviors are not being validated, and several critical scenarios have not been tested. We have provided suggestions for improvement in the "Test Results" section.

The new functionality needs to be sufficiently documented. Sparse documentation makes it difficult for auditors to verify if the contracts function as the team intends them to. The documentation lacks both high-level conceptual explanations and details on the code-level. We highly recommend that the Sturdy team improve architectural, conceptual, and code documentation.

**Update:** Following the fix review phase, all but two issues have either been fixed, mitigated, or acknowledged. QSP-4 and QSP-11 remain unresolved and should be addressed. QSP-4 describes the possibility of calculating an incorrect collateral token price, the consequences of which could be serious. QSP-11 demonstrates a potential loss of precision in some calculations and should also be resolved.

The code-level documentation has been improved, and most functions and events have been documented according to the NatSpec standard. However, only minimal changes have been made to the test suite, which still needs improvement, as described above. The potential consequences of insufficient testing include unexpected functional bugs.

**Update after final fix review:** No vulnerabilities within the report remain unresolved following the final fix review. However, a few concerns do remain regarding the calculation of the Balancer LP token price when the prices of ETH and STETH are significantly different (QSP-4).