Vector Reserve Security Smart Contract Audit

Summary

Quantstamp performed a security review of the smart contracts implementing the Vector Reserve protocol based on the code present in the listed repositories. Vector Reserve offers users to stake allowed LSTs and LRTs to obtain `vETH` tokens. The protocol will also mint `Vector` (`$VEC`) tokens based on the `vETH` deposited in the treasury (obtained by selling `VEC` bonds and `VEC` buy/sell taxes). Users can also stake their `vETH` to `svETH` and `VEC` to `sVEC` (rebase token) to get more rewards. The protocol shows a high centralization, with many features that need manual interaction from privileged addresses. Owners fully manage the deposits in the `VectorETH` contract. This is detailed in VEC-3. All issues and recommendations are discussed in the *Findings* section of this document. We recommend addressing all the issues and adding tests to cover the proposed fixes. The documentation quality is medium. The project has good user documentation, but it is recommended to add more technical pages, including architecture diagrams and privileged roles needed by the system, as well as any potential risks that LPs can experience. Regarding testing, all tests passed, but the project shows low branch coverage metrics in some of the audited files. We highly recommend improving the branch coverage to a minimum of `95%` and adding new tests to cover the proposed fixes. **Update:** The Vector Reserve team has acknowledged most of the issues as the contracts were deployed before the start of the audit. Regarding VEC-1 sandwich attacks are mitigated by including slippage control parameters for LP bonds. The Vector Reserve team stated that the next iterations of bond contracts will accept LP tokens directly. We still recommend improving the test suite to reach higher branch coverage and implementing security measures in privileged accounts due to the level of centralization of the protocol.

Project

Vector Reserve

Ethereum

No active critical issues

Last audited on 2024/02/22

Auditor

292 audits on Trustblock

Multi-Tags

Issues (12)

	Low	Medium	High	Critical	Total
Not fixed	9	2	-	-	11
Fixed	-	1	-	-	1
Total	9	3	0	0	12

Contracts (30)

#	Github Repository	Commit Hash	File	Url
11	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/libraries/SafeMath.sol	Check on Github
12	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/interface/IUniswapV2Router02.sol	Check on Github
13	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/libraries/Address.sol	Check on Github
14	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/staking/VECStaking.sol	Check on Github
15	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/mocks/MockWETH.sol	Check on Github
16	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/balancer/vETHRateProvider.sol	Check on Github
17	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/reward/RewardDistributor.sol	Check on Github
18	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/interface/IvETH.sol	Check on Github
19	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/tokens/Vector.sol	Check on Github
20	vectorreserve/vector-contracts	6c92889621f6cc3e28b2b0487acd45b7859229e0	contracts/tokens/StakedVectorETH.sol	Check on Github

Vector Reserve

Summary

Issues (12)

High Centralization Risksnot_fixed/medium

Stealing Funds When Rates Changenot_fixed/medium

'Dead' Codenot_fixed/low

`sVEC` Token Infinite Allowance Logicnot_fixed/low

Clone-and-Ownnot_fixed/low

Contracts (30)