All Reports
Vesu Vaults

Vesu Vaults

2025-10-31

Sherlock collaborative audit · CODESPECT as Lead Security Expert

Download PDF
Critical0
High0
Medium7
Low7
Info0

About the Protocol

Vesu vault periphery on Starknet: AUM provider, Merkle-tree permission registry and integrations for Avnu, ERC-4626 and Vesu V1/V2.

Findings (14)

M-01MediumFixed

Vault governor upgrades itself instead of the target contract

upgrade_contract_setup(...) is intended to upgrade specified target contracts but upgrades the vault_governor contract itself.

M-02MediumFixed

Fee distribution incorrectly incurs redemption fees

Because fee_recipient is the vault_governor, the fee-exempt redemption path no longer applies and redemption fees are charged on fee distribution.

M-03MediumFixed

AUM inflated in vault kit strategies by missing redemption fee deductions

The AUM provider does not deduct redemption fees, so reported share value is slightly overstated.

M-04MediumFixed

Missing debt asset approval leaves block strategist repayment

_add_vesu_v1_leafs(...) and _add_vesu_v2_leafs(...) omit approve(...) for the debt asset when building the Merkle root, preventing the strategist from repaying debt.

M-05MediumFixed

AUM provider values ERC-4626 shares with convert_to_assets(...) instead of preview_redeem(...)

Using the raw share price ignores redemption fees, overstating the value of strategy holdings.

Start here

Ready to secure your project?

Get a free 30-minute security assessment. We’ll review your codebase scope and flag the top 3 risk areas.

No commitment required · Typical audits start within 1–2 weeks