All Reports
Vesu Starknet Vault Kit

Vesu Starknet Vault Kit

2025-09-23

Sherlock collaborative audit · CODESPECT as Lead Security Expert

Download PDF
Critical0
High1
Medium4
Low2
Info0

About the Protocol

ERC-4626 style vault, allocator and decoder-sanitizer permission layer for the Vesu Starknet Vault Kit.

Findings (7)

H-01HighFixed

Incorrect fee shares minted when management and performance fees apply together

report(...) miscalculates the number of fee shares to mint when both fee types are charged in the same call, causing a loss for the protocol.

M-01MediumFixed

Rate limit slot calculation rolls back

enforce_rate_limit computes the slot with the modulo operator, confining it to [0, period-1] so it wraps, which can hinder normal interactions.

M-02MediumAcknowledged

Insufficient modify_lever parameter checks allow a strategist to steal tokens

MultiplyDecoderAndSanitizerComponent under-validates modify_lever parameters, letting a partially trusted strategist operate on unauthorized tokens or beneficiaries.

M-03MediumAcknowledged

Price oracle lacks integrity checks

get_value(...) consumes the Pragma response without validating staleness, aggregated source count or expiry before using it as slippage input.

M-04MediumAcknowledged

Vault contract is not ERC-4626 compliant

Several EIP-4626 MUST statements are unmet, covering max_deposit/max_mint while paused, max_withdraw, and fees in preview_redeem.

Start here

Ready to secure your project?

Get a free 30-minute security assessment. We’ll review your codebase scope and flag the top 3 risk areas.

No commitment required · Typical audits start within 1–2 weeks