Yearn

Reward Amounts

Critical

200,000 USDC maximum payout

Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

  • Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues and similar questions, but nothing in the guide overrules the definitions above.
  • A coded Proof of Concept (POC) with instructions to run the POC is required
  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

The base contracts Vault.vy, TokenizedStrategy.sol, and BaseStrategy.sol are covered on Immunefi. Duplicate issues will not be considered as new reports.

Platform Rule

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Previous Audits

The base contracts Vault.vy, TokenizedStrategy.sol, and BaseStrategy.sol have been audited. You can find the audit reports here:

However, the actual contracts within the current scope have not been audited by external firms.

Additional Context

What is Yearn V3?

Yearn V3 uses ERC4626 vaults that allocate user-deposited funds to yield sources and auto-compounds them.

Detailed explanation on Yearn V3:
https://docs.yearn.fi/developers/v3/overview

Generalized accepted risks and assumptions:

  • Some strategies can sell rewards with a minimumAmountOut of "0" or another unrealistic value. In such cases, the risk of sandwich attacks is accepted. We use MEV relayers to prevent MEV attacks.
  • Some strategies may sell reward tokens in very low TVL pools, which is an accepted risk. We will run keeper bots to sell the reward tokens in small amounts in such cases.
  • All the governance roles in Yearn code are trusted.
  • External protocols pausing is an accepted risk.
  • External protocol admins setting critical values on the strategy's yield source is an accepted risk.
  • External protocol upgrades are also accepted. These upgrades may require us to develop a new strategy for adaptability, which is also accepted since we actively monitor external protocol activities.

Scope

Note that the scope includes all contracts listed on the website linked below:
https://yearn.fi/v3

yRoboTreasury

Description

Automated treasury management for Yearn's treasury using auctions.

Addresses:
https://github.com/yearn/yRoboTreasury/blob/master/deployment.json

Max Rewards

200,000 USDC

Status: LIVE

Live since: May 15, 2026, 9:57 AM

Last updated: May 15, 2026, 9:57 AM
