Sherlock collaborative audit · CODESPECT as Lead Security Expert
Vesu vault periphery on Starknet: AUM provider, Merkle-tree permission registry and integrations for Avnu, ERC-4626 and Vesu V1/V2.
upgrade_contract_setup(...) is intended to upgrade specified target contracts but upgrades the vault_governor contract itself.
Because fee_recipient is the vault_governor, the fee-exempt redemption path no longer applies and redemption fees are charged on fee distribution.
The AUM provider does not deduct redemption fees, so reported share value is slightly overstated.
_add_vesu_v1_leafs(...) and _add_vesu_v2_leafs(...) omit approve(...) for the debt asset when building the Merkle root, preventing the strategist from repaying debt.
Using the raw share price ignores redemption fees, overstating the value of strategy holdings.
Get a free 30-minute security assessment. We’ll review your codebase scope and flag the top 3 risk areas.
No commitment required · Typical audits start within 1–2 weeks