Vector Reserve
Summary
Quantstamp performed a security review of the smart contracts implementing the Vector Reserve protocol based on the code present in the listed repositories. Vector Reserve offers users to stake allowed LSTs and LRTs to obtain `vETH` tokens. The protocol will also mint `Vector` (`$VEC`) tokens based on the `vETH` deposited in the treasury (obtained by selling `VEC` bonds and `VEC` buy/sell taxes). Users can also stake their `vETH` to `svETH` and `VEC` to `sVEC` (rebase token) to get more rewards. The protocol shows a high centralization, with many features that need manual interaction from privileged addresses. Owners fully manage the deposits in the `VectorETH` contract. This is detailed in VEC-3. All issues and recommendations are discussed in the *Findings* section of this document. We recommend addressing all the issues and adding tests to cover the proposed fixes. The documentation quality is medium. The project has good user documentation, but it is recommended to add more technical pages, including architecture diagrams and privileged roles needed by the system, as well as any potential risks that LPs can experience. Regarding testing, all tests passed, but the project shows low branch coverage metrics in some of the audited files. We highly recommend improving the branch coverage to a minimum of `95%` and adding new tests to cover the proposed fixes. **Update:** The Vector Reserve team has acknowledged most of the issues as the contracts were deployed before the start of the audit. Regarding VEC-1 sandwich attacks are mitigated by including slippage control parameters for LP bonds. The Vector Reserve team stated that the next iterations of bond contracts will accept LP tokens directly. We still recommend improving the test suite to reach higher branch coverage and implementing security measures in privileged accounts due to the level of centralization of the protocol.
