SecondMetaVaultAudit.md

Second Meta Vaults Security Audit

Scope of the second security audit of mStable's vaults will be focused on the Meta Vault. This is an EIP-4626 vault that periodically invests deposited assets into the underlying EIP-4626 vaults and charges a performance fee.

Logic

See 3Crv Convex Vaults and FraxBP Convex Vaults for explanations of what the different vaults do and how value flows between them. The PeriodicAllocationPerfFeeMetaVault contract is the same for both the 3CRv and FraxBP Meta Vaults. It can also be used to integrate to other underlying vaults that are compliant with the EIP-4626 vault standard.

More detailed documentation of the Meta Vault can be found in the README including:

• Capabilities
• Contract Diagrams
• Processes

Code

All code is in the metavaults repository with tag 0.0.7-dev and commit hash 1657b7ed2f8b964783487a0d68f973c70036bdfb on the develop branch.

Contract scope

All contract are under the contracts folder.

In scope

Base contract

• PeriodicAllocationPerfFeeMetaVault

Inherited contracts

• PeriodicAllocationAbstractVault
• PerfFeeAbstractVault
• FeeAdminAbstractVault
• AssetPerShareAbstractVault
• SameAssetUnderlyingsAbstractVault
• AbstractVault
• InitializableToken
• VaultManagerRole
• InitializableTokenDetails
• ImmutableModule
• ModuleKeys

Out of scope

The inherited Open Zeppelin contracts are out of scope

• @openzeppelin/contracts/token/ERC20/ERC20.sol
• @openzeppelin/contracts/utils/Context.sol
• @openzeppelin/contracts/security/Pausable.sol
• @openzeppelin/contracts/proxy/utils/Initializable.sol

The following related contracts are out of scope

• Nexus used to manage the Governor and Keeper roles used by the Meta Vault.
• Proxies proxy contract.
• InstantProxyAdmin proxy admin with no time delay.
• DelayedProxyAdmin proxy admin with one week time delay.

Tests

Unit tests

yarn test will run all the units tests but to test that cover the above in scope contracts are

yarn test:file ./test/vault/allocate/PeriodicAllocationBasicVault.spec.ts
yarn test:file ./test/vault/allocate/SameAssetUnderlyingsBasicVault.spec.ts
yarn test:file ./test/vault/fees/PerfFeeBasicVault.spec.ts

Fork Tests

Rather than mocking external protocols like Curve and Convex, fork tests are used to test the integration with these protocols. This was we are testing exactly as the protocols work and not our assumptions on how they are implemented. The PeriodicAllocationPerfFeeMetaVault contract is tested with the following fork tests.

export NODE_URL=<url to mainnet node>
# Convex 3Crv vaults
yarn test:file:fork ./test-fork/vault/savePlus.spec.ts
# Convex FraxBP vaults
yarn test:file:fork ./test-fork/vault/saveFraxPlus.spec.ts

Coverage

Coveralls is used to report on the code coverage of the unit and fork tests.

https://coveralls.io/github/mstable/metavaults

Third Party Dependencies

Contract Libraries

• OpenZeppelin is used for ERC20 tokens, access control, initialization, reentry protection, proxies, casting and math operations.

Protocols

• Curve Finance used to generate yield on stablecoin deposits.
• Convex Finance used to enhance the yield from Curve pools.
• Cowswap used for swapping Convex reward tokens (CRV and CVX) to DAI, USDC or USDT.

Standards

• EIP-20
• EIP-4626