Pendle Finance is a DeFi protocol based on Ethereum and Avalanche. It allows users to tokenize and trade the yield of yield-generating mechanisms.
Pendle engaged Ackee Blockchain to conduct a security review of Pendle V2 with a total time donation of 4 engineering weeks between April 25 and May 20, 2022.
We began our review by using static analysis tools and then took a deep dive into the logic of the contracts. During the review, we paid special attention to:
- checking if nobody can breach the protocol
- checking the correctness of the upgradeability implementation
- checking the arithmetics of Math libraries
- ensuring access controls are not too relaxed
- and looking for common issues such as data validation.
The scope included the following repository with a given commit:
- pendle-core-internal-v2 – 9d93fc1
All contracts under contracts folder was in-scope, except for the following:
Here we present our findings.
No critical severity issues were found.
No high severity issues were found.
M1: Insufficient data validation in PendleAaveV3SCY
M2: Integer overflow in Math library
M3: Usage of solc optimizer
No low severity issues were found.
W1: Potential front-running of several withdraw and mint functions
W2: Exotic tokens
W3: Dangerous callbacks
W4: Unintended change of the reentrancy lock state
W5: Dynamic config potential inconsistency
I1: Redundant cycle in RewardManager
I2: Same function names across the project
I3: Unused code
Our review resulted in 11 findings, ranging from Informational to Medium severity.
Ackee Blockchain recommends Pendle to:
- address all reported issues.
Ackee Blockchain’s full Pendle audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Pendle and look forward to working with them again.