Pendle Finance is a DeFi protocol based on Ethereum and Avalanche. It allows users to tokenize and trade the yield of yield-generating mechanisms. 

Pendle engaged Ackee Blockchain to conduct a security review of Pendle V2 with a total time donation of 4 engineering weeks between April 25 and May 20, 2022.

METHODOLOGY

We began our review by running static analysis tools and then took a deep dive into the logic of the contracts. During the review, we paid special attention to:

  • checking that no party can breach the protocol
  • checking the correctness of the upgradeability implementation
  • checking the arithmetic of the Math libraries
  • ensuring access controls are not too relaxed
  • looking for common issues such as insufficient data validation.

SCOPE 

The scope included the following repository at the given commit: 

  • pendle-core-internal-v2 – 9d93fc1 

All contracts under the contracts folder were in scope, except for the following: 

  • core/PendleSCYImpl/AaveV3/WadRayMath.sol
  • core/RouterStatic.sol
  • libraries/ExpiryUtilsLib.sol
  • libraries/JoeLibrary.sol

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

No high severity issues were found. 

Medium severity

M1: Insufficient data validation in PendleAaveV3SCY

M2: Integer overflow in Math library

M3: Usage of solc optimizer  

Low severity

No low severity issues were found.

Warning severity

W1: Potential front-running of several withdraw and mint functions

W2: Exotic tokens

W3: Dangerous callbacks

W4: Unintended change of the reentrancy lock state

W5: Dynamic config potential inconsistency

Informational severity

I1: Redundant cycle in RewardManager

I2: Same function names across the project

I3: Unused code

CONCLUSION

Our review resulted in 11 findings, ranging from Informational to Medium severity.

Ackee Blockchain recommends Pendle to: 

  • address all reported issues. 

Ackee Blockchain’s full Pendle audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Pendle and look forward to working with them again.