Andre Cronje, the creator of Yearn.Finance, has recently made security audits of his project publicly available. He explained to Cointelegraph that he had been previously withholding these audits, which were completed months ago, so as to not give users a false sense of security:
I always refused to publish the audits because I don’t want people to get a false sense of security because of them.
Yesterday, Cronje published five audits on the project’s GitHub repository. The audits were performed between February and July by leading auditors, such as Certik and Quantstamp. Some of the vulnerabilities that were discovered are classified as “critical”. For instance, Certik identified “a major vulnerability, which under quite common situations could temporarily block users from withdrawing all of their funds.” Cronje explained that although this was a design choice, it is still a vulnerability:
If you lend, the risk always exists that there are more assets borrowed than the available liquidity to withdraw.
He added that other major DeFi projects like Compound and Aave share this vulnerability. Cronje decided to publish these audits as proof that he subjects his code to external scrutiny, but regardless, people “throw money into contracts when they see ‘audited’”:
“But since the whole ‘no audit yolo’ narrative, decided to share them, so people understand, I still do audits, I just don’t share them, because I want people to understand the risk.”
Another DeFi project called Yam.Finance recently collapsed due to an irreconcilable bug after launching without external audits.