Security Partnership: YOP partners with BTblock
YOP has partnered with BTblock where they conducted a Code Review and a Security Assessment for the Yield Optimisation Platform (YOP) Protocol EVM. The platform is developed with Solidity and will be placed in the Ethereum network and initial strategy development will focus on a number of the top DeFi Protocols on the Ethereum blockchain including AAve, Convex, Curve, Uniswap, Sushiswap, IndexCoup, and LIDO.
The YOP Ecosystem aims to simplify Yield Farming by creating a platform for individuals with all levels of experience to invest in DeFi Protocols confidently. Users can educate themselves by reviewing the extensive risk evaluations provided and choose from varying levels of complex strategy logic all while requiring minimal user interaction. YOP will continually reinvest earnings and provide metrics and insight so the user can make informed decisions based on their personal risk tolerance. Ultimately, the goal for the YOP Ecosystem is to work seamlessly across multiple blockchains and provide access to all DeFi Protocols on all supported chains.
The BTblock Process
When BTBlock performs an assessment, they focus on the code committed at a specific time when the code base is feature complete. Their goal is to give their clients the following:
- A better understanding of its security posture and help them identify current and future risks in its deployed chain & contract infrastructure.
- An opinion on what security measures are in place regarding maturity, adequacy, and efficiency.
- Identify potential issues, including loss of funds scenarios, and include improvement recommendations based on the result of our assessment.
- Give the development team a better understanding of writing and maintaining more secure code. The incremental increase of security is part of the overall increased quality of the project.
In reviewing solutions such as the YOP Protocol EVM, they review a threat assessment of possible exploits of the system. Still, BTblock reviews the code, program authentication scenarios and all components, and fund loss scenarios. This review met their requirements for an effectively implemented product in all situations, including resolving any findings we uncovered.
Findings & Report
During the Security Assessment for the YOP Protocol EVM, BTblock discovered:
- One finding with a MEDIUM severity rating
- Three findings with a LOW severity rating
- One finding with an INFORMATIONAL severity rating
The several findings with LOW severity rating were sufficiently remediated reducing the risk of application downtime caused by unintended exploitation of the smart contracts, accidental function call by non-authorised roles, and a duplicate contract name. The impact of the MEDIUM severity finding could result in potential loss of contract control. The contract FeeCollection did not initially protect the initialise function which meant that some users could call the initialise function before the contract owner. The YOP team implemented a mitigation strategy using the hardhat-upgrade module in which they were willing to accept the risk identified.
In general, BTblock reported that the YOP team was very supportive and open to discussing the design choices made. Several strengths were noted during the review, including the well structured and organised code and project files as well as well-designed and clearly defined smart contract access rights.
The full BTblock report can be found here.