Testnet — this app is connected to Hedera testnet
Security
Hardened direct-deploy ERC-4626 stack on Hedera mainnet (June 2026 redeploy). Reviewed against ERC-4626 exploit classes, Slither, Aderyn, Echidna, Halmos, and 38 automated regression tests.
38/38 tests passing · ERC-4626 threats mitigated · vault + bridge paused until migration verified
ERC-4626 exploit review
LynxVault inherits OpenZeppelin 5.x ERC-4626 mitigations and adds Lynx-specific controls. Each class below was reviewed with dedicated unit tests, property fuzz, and/or Echidna where applicable. The legacy signed reward drain path does not exist on the v4 stack.
Mitigations: _decimalsOffset = 6, cost-basis NAV, migration deposit while vault is paused.
Test evidence
Mitigations: Not in scope in-contract. Do not use raw convertToAssets() as a lending collateral price without extra guards.
Test evidence
Mitigations: Keeper-only reportGain; lockedProfit streaming over profitUnlockPeriod.
Test evidence
Mitigations: 1 LYNX base unit = 1 vault share base unit escrowed in bridge (not 1 HBAR per deposit).
Test evidence
Mitigations: depositHbar(receiver, minSharesOut) and depositHbarAndWrap(minSharesOut) revert SharesSlippage when floor not met.
Test evidence
Legacy vs v4: The historical proxy vault allowed backend-signed rewards and transferHbarTo drains without burning shares. The new ERC-4626 stack removed that path entirely. Share-price manipulation is mitigated via virtual offset 6 plus on-chain minSharesOut on HBAR deposit paths.
Known exploit classes reviewed for the hardened mainnet v4 stack. Status reflects code mitigations, automated tests, and current operational state.
| Threat class | Applicable | Mitigation | Tested | Status |
|---|---|---|---|---|
| Legacy signed reward drain | No on v4 | Path removed | N/A | Not applicable |
| ERC-4626 inflation / donation | Yes | OZ virtual shares + offset 6 | Unit + fuzz | Mitigated |
| First depositor on empty vault | Yes | Offset + paused until migration | Unit + ops | Paused |
| Fake yield / instant redeem | Partial | Locked profit + manager-only gain | Unit | Mitigated |
| Lending oracle (Venus-style) | External only | No in-contract lending | N/A | Policy: no raw oracle |
| Bridge backing shortfall | Yes | Ops: fund bridge before unpause | Fuzz + Echidna | Pending migration |
| HBAR deposit slippage | Yes | minSharesOut on HBAR/bridge paths | Unit | Deployed |
| Governance / keeper trust | Yes | Operational | Partial | Trusted roles |
Layer 1 inherits OpenZeppelin ERC-4626 defenses. Layer 2 adds Lynx-specific economic and operational controls. June 2026 redeploy required new bytecode (contracts are not upgradeable).
| Item | Implementation |
|---|---|
| Virtual shares Industry-standard post–v4.9 mitigation | shares = assets × (supply + 10^offset) / (assets + 1) |
| _decimalsOffset() Donation/inflation attacks orders of magnitude more expensive than offset = 0 | Constant 6 in LynxVault.sol |
| Share decimals() Display only; bridge 1:1 is raw base units (share wei ↔ LYNX wei) | 8 (WHBAR) + 6 = 14 |
| Standard deposit() Off-chain previewDeposit + UI slippage for WHBAR ERC-20 path | Unmodified IERC-4626 signature |
| Change | Before → After |
|---|---|
| _decimalsOffset() | 0 (OZ default) → 6 |
| HBAR slippage | depositHbar(receiver) only → depositHbar(receiver, minSharesOut) |
| Bridge mint | depositHbarAndWrap() → depositHbarAndWrap(minSharesOut) |
| Post-deploy pause | Manual (ops:mainnet:pause-stack) → Automatic in deploy scripts |
| Contract IDs | 10509714 / 10509719 / 10509723 / 10509749 → 10510134 / 10510137 / 10510139 / 10510145 |
| Control | What it does | Risk reduced | Evidence |
|---|---|---|---|
| Cost-basis totalAssets() | idle + deployedPrincipal - lockedProfit; no mark-to-market | Oracle / manipulated NAV | Unit + fuzz I2 |
| lockedProfit + 7d unlock | Gains stream in; not instantly withdrawable | Harvest sandwich, fake yield redeem | LynxVault.test.ts |
| Buffer maxRedeem | Redeem ≤ idle WHBAR only | Forced LP unwind in user tx | LynxVault.test.ts |
| reportGain / reportLoss | StrategyManager only | Public NAV inflation | Unit + Halmos |
| No transferHbarTo / rewards | Removed vs legacy architecture | Historical ~25k HBAR drain class | Not in codebase |
| depositHbar minSharesOut | Revert SharesSlippage if minted shares < floor | Donation before HBAR mint | depositHbar slippage tests |
| depositHbarAndWrap | Forwards slippage check to vault | Bad bridge mint UX | LynxHTSBridge.test.ts |
| Pausable inflows | Blocks deposit/mint/wrap; not redeem/unwrap | Empty vault incident window | Hardening.test.ts |
| Auto-pause on deploy | pause() after vault + bridge create | Post-deploy exposure | Deploy scripts |
| Ownable2Step + guardian | Two-step ownership; optional fast pause | Governance hijack / incident response | Hardening.test.ts |
| Exit fee cap | MAX_EXIT_FEE_BPS = 10% | Fee governance mistake | Halmos |
| HtsOps._toInt64 | Revert on HTS amount overflow | Silent truncation | Hardening.test.ts |
| Strategy manager CEI | Principal before external calls on push | Reentrancy accounting drift | Code review + unit |
| setStrategyManager guard | No swap with outstanding principal | NAV desync | Hardening.test.ts |
| LP position cap | MAX_ACTIVE_LP_POSITIONS = 32 | Unbounded harvest gas | SaucerSwapLiquidityStrategy.sol |
| Bridge backing | 1 LYNX wei = 1 share wei escrowed | Under-backed unwrap | Unit + fuzz + Echidna |
Before public use: migrate backing → verify backingShares → TokenUpdate → unpause. Vault pause blocks all inflows including direct depositHbar.
| Contract | Scope |
|---|---|
LynxVault.solERC-4626 vault (WHBAR); cost-basis NAV; profit streaming; exit fee | Production |
LynxHTSBridge.sol1:1 wrap of vault shares ↔ HTS LYNX; bridge is treasury + supply key | Production |
StrategyManager.solAllocates vault WHBAR to strategies; cost-basis principal accounting | Production |
SaucerSwapLiquidityStrategy.solProduction LP strategy (SaucerSwap V1/V2); admin-driven position ops | Production |
libraries/HtsOps.solHTS precompile (0x167) wrapper with uniform revert on failure | Production |
Wake is intentionally not used (scope control; Slither + Aderyn + Echidna + Halmos suffice).
Real mitigations implemented in code — not triage waivers.
Accepted Residual Behavior
Owner/keeper can change fees, strategies, caps, pause inflows, and move capital. Accepted under Ownable2Step with expected multisig governance.
Why this is safe
Impact by role
Accepted Residual Behavior
block.timestamp used in lockedProfit() and totalAssets(). Accepted — Yearn-style linear unlock prevents harvest sandwiching.
Why this is safe
Impact by role
Accepted Residual Behavior
LynxVault, LynxHTSBridge, and SaucerSwapLiquidityStrategy accept native value without a generic withdraw() sweep.
Why this is safe
Impact by role
Accepted Residual Behavior
Users redeem only from idle WHBAR in the vault — not forced strategy unwind in the user transaction.
Why this is safe
Impact by role
Accepted Residual Behavior
Registered IStrategy implementations receive WHBAR; all LYNX/WHBAR movement depends on HTS at 0x167.
Why this is safe
Impact by role
Slither and Aderyn flag code patterns that may indicate bugs. After human review, each alert is assigned a disposition. “Accepted” does not mean an open vulnerability — it means the pattern is intentional design or an acceptable tradeoff with no exploitable path for users.
The tool flagged something real, but it is intentional design or an acceptable tradeoff — not an exploitable bug.
The tool misread the code (common with HTS precompile wrappers and Solidity overrides).
We changed the code to address the finding.
Style or readability nit with no demonstrated security impact.
| ID | Finding | Severity | Location | Disposition |
|---|---|---|---|---|
| H-01 Slither + Aderyn | SaucerSwap LP admin reentrancy ordering createLPPosition / increaseLPPosition update storage after external SaucerSwap calls. Slither reentrancy-eth; Aderyn H-2. Why accepted These functions are onlyOwner and nonReentrant. The external caller is the configured SaucerSwap NFT manager — a trusted protocol contract, not arbitrary users. There is no practical reentrancy attack path for depositors; reordering to strict checks-effects-interactions would be a style improvement, not a security fix. SaucerSwapLiquidityStrategy.sol | ● high | SaucerSwapLiquidityStrategy.sol | Accepted |
| H-02 Aderyn | Payable contracts lock native HBAR LynxVault, LynxHTSBridge, and SaucerSwapLiquidityStrategy accept native value without a generic withdraw() sweep. Aderyn H-1. Why accepted The vault and bridge must receive HBAR for depositHbar and depositHbarAndWrap. The LP strategy holds HBAR for SaucerSwap V2 NFT mint/increase fees. User funds are not trapped — the missing sweep only affects residual operational dust, which governance can recover later if needed. LynxVault.sol · LynxHTSBridge.sol · SaucerSwapLiquidityStrategy.sol | ● high | LynxVault.sol · LynxHTSBridge.sol · SaucerSwapLiquidityStrategy.sol | Accepted |
| M-01 Slither | HTS return values ignored at call sites Slither unused-return on HtsOps.mint, transfer, associate, approve. Why false positive HtsOps checks HederaResponseCodes.SUCCESS internally and reverts with HTSCallFailed on failure. Callers do not need to re-check the int64 return value — the library already enforces success or revert. libraries/HtsOps.sol | ● medium | libraries/HtsOps.sol | False positive |
| M-02 Slither | Cost-basis NAV uses block.timestamp block.timestamp used in lockedProfit(), totalAssets(), setProfitUnlockPeriod. Why accepted Profit streaming (Yearn-style linear unlock) deliberately uses timestamps so depositors cannot sandwich harvests. On Hedera, consensus timestamps have narrow skew (~10–15s), which is negligible for hour/day unlock periods set by governance. LynxVault.sol | ● medium | LynxVault.sol | Accepted |
| M-03 Aderyn | StrategyManager pull/harvest interaction order State updates after withdraw() / harvest() external calls. Why accepted The manager must observe strategy return values before adjusting principal or reporting PnL — reversing the order would break accounting. Access is keeper-only with nonReentrant; push was reordered to CEI, but pull/harvest order is intentional. StrategyManager.sol | ● medium | StrategyManager.sol | Accepted |
| M-04 Aderyn | Centralized governance Owner/keeper can change fees, strategies, caps, pause inflows, and move capital. Why accepted This is the protocol trust model, not a code bug. Mitigations include Ownable2Step (two-step ownership transfer), optional guardian for fast pause, exit/redemption paths that stay open when inflows are paused, MAX_EXIT_FEE_BPS ceiling, and per-strategy caps. Production governance is expected to be a multisig. Core contracts | ● medium | Core contracts | Accepted |
| L-01 Slither | configure() allows zero addresses SaucerSwapLiquidityStrategy.configure allows zero addresses for SaucerSwap dependencies. Why accepted Zero means “not configured yet.” All mutating LP functions revert with NotConfigured() until the admin sets real SaucerSwap router and NFT manager addresses. This is an intentional two-phase setup pattern. SaucerSwapLiquidityStrategy.configure() | ● low | SaucerSwapLiquidityStrategy.configure() | Accepted |
| L-02 Slither | setGuardian(address(0)) allowed Guardian can be set to the zero address. Why accepted Clearing the guardian is intentional — it disables guardian-only pause so only the owner can pause. Documented in NatSpec. Useful when rotating or removing the guardian role without transferring ownership. LynxVault.sol · LynxHTSBridge.sol | ● low | LynxVault.sol · LynxHTSBridge.sol | Accepted |
| L-03 Aderyn | Unsafe ERC20 on HTS paths HtsOps.transfer / approve flagged as unsafe ERC20 by Aderyn. Why false positive These are Hedera HTS precompile calls at 0x167, not standard ERC20 transfer/approve with boolean return values. Aderyn’s ERC20 checker does not apply to HTS semantics. libraries/HtsOps.sol | ● low | libraries/HtsOps.sol | False positive |
| L-04 Aderyn | Cancun / PUSH0 bytecode Bytecode may include PUSH0 (Cancun opcode). Why accepted evmVersion: cancun is pinned in Hardhat and Foundry profiles to match Hedera mainnet (Besu EVM, release 0.50.0+). PUSH0 is expected and required for Cancun-targeted deployments. All production contracts | ● low | All production contracts | Accepted |
| L-05 Slither | LynxVault asset() unimplemented Slither claims ILynxVault.asset() is not implemented. Why false positive asset() is implemented via override resolving both ERC4626 and ILynxVault in LynxVault.sol. Slither’s inheritance analysis missed the dual-interface override. LynxVault.sol | ● low | LynxVault.sol | False positive |
| L-06 Aderyn | Large numeric literal BASIS = 10_000 Aderyn L-2 flags the BASIS constant as a large numeric literal. Why ignored 10_000 is the standard basis-points denominator (100.00%). Named constant improves readability; no security impact. Core contracts | ● low | Core contracts | Ignored |
| L-07 Aderyn | nonReentrant not first modifier Aderyn L-3: nonReentrant is not the first modifier on some LP admin functions. Why ignored Modifier ordering on owner-only admin functions has no demonstrated security impact. nonReentrant is still applied; reordering would be cosmetic. SaucerSwapLiquidityStrategy.sol | ● low | SaucerSwapLiquidityStrategy.sol | Ignored |
| L-08 Aderyn | Unspecific pragma ^0.8.20 Aderyn L-8: broad ^0.8.20 pragma on production contracts. Why ignored CI compiles all contracts with solc 0.8.28. The broad pragma allows compatibility; the pinned compiler version in CI is what matters for deployment. Production contracts | ● low | Production contracts | Ignored |
| L-09 Slither | Reentrancy-benign on StrategyManager Slither reentrancy-benign on manager push/pull/harvest paths. Why ignored Paths are access-controlled (keeper or owner only). push was hardened with checks-effects-interactions (principal booked before external calls). No user-facing reentrancy surface. StrategyManager.sol | ● low | StrategyManager.sol | Ignored |
| I-01 Slither | Solc version warning on HtsOps Broad ^0.8.0 pragma triggered Slither’s historical solc bug list. Why resolved Pragma updated to ^0.8.28 aligned with the rest of the stack. CI compiles with solc 0.8.28 — the warning is resolved in the current codebase. libraries/HtsOps.sol | ● info | libraries/HtsOps.sol | Resolved |
Notable disposition rows from Slither and Aderyn triage. Slither snapshot: 40 findings (2 High, 19 Medium, 18 Low, 1 Informational) — all triaged. Aderyn: 2 High themes, 8 Low themes (~1015 nSLOC). Wake not used. No open exploits from tooling.
