Sherlock collaborative audit · CODESPECT as Lead Security Expert
ERC-4626 style vault, allocator and decoder-sanitizer permission layer for the Vesu Starknet Vault Kit.
report(...) miscalculates the number of fee shares to mint when both fee types are charged in the same call, causing a loss for the protocol.
enforce_rate_limit computes the slot with the modulo operator, confining it to [0, period-1] so it wraps, which can hinder normal interactions.
MultiplyDecoderAndSanitizerComponent under-validates modify_lever parameters, letting a partially trusted strategist operate on unauthorized tokens or beneficiaries.
get_value(...) consumes the Pragma response without validating staleness, aggregated source count or expiry before using it as slippage input.
Several EIP-4626 MUST statements are unmet, covering max_deposit/max_mint while paused, max_withdraw, and fees in preview_redeem.
Get a free 30-minute security assessment. We’ll review your codebase scope and flag the top 3 risk areas.
No commitment required · Typical audits start within 1–2 weeks