YSL.IO 💎 x RD Auditors - Audit 2

The YSL.IO smart contracts have been rated as WELL-SECURED

Carter M
Oct 23, 2021

Hello YSL.IO community 👋🏻

As we first promised back in July here in this article, this will be our second in a series of audits to ensure we have done absolutely everything in our power to make certain our code is completely airtight 🔒.

It’s been said before, but it’s worth mentioning again: here at YSL.IO, the safety and security of your funds is our top priority, and our team of developers works tirelessly to ensure the code is up to par with industry standards 💪. Today’s article looks at which of our smart contracts RD Auditors have given their stamp of approval, and explains to investors why certain features noted in the full report have been included in the code.

As always, there’s plenty to cover so let’s jump right in!

⚡ Overview of RD Auditors

Since their first audit on the 21st of March 2021, RD Auditors have completed 75 audits for various crypto projects, with quite a few big-name projects amongst their recent clients. They were the auditors of choice for the likes of Wault, Crypto Blades and Dao Maker, all projects of no little renown in the crypto space.

The audit process used is a conservative one, designed to ensure all potential security vulnerabilities are logged and explored 🔎, even if they end up being non-issues. The RD Auditor team follows the “Log First, Explore Later” mentality: they first document any and all suspicions on their first read-through of the code, then determine the feasibility and impact of each issue via code analysis, live experimentation, or automated tests.

🌟 YSL.IO Contracts Reviewed and Audit Results

Between the 12th of September 2021 and the 7th of October 2021, RD Auditors reviewed all YSL.IO smart contracts associated with the following features:

1️⃣ YSL Protocol
2️⃣ YSL Token
3️⃣ sYSL Token
4️⃣ xYSL Token
5️⃣ All Vaults
6️⃣ Swap Function
7️⃣ Referral Program

This amounted to a total of 17 smart contracts. As you can see from the following image, all 17 contracts passed with flying colours 🌈.

All contracts aced the audit

A testament to the skills of our very capable developers, there were no security vulnerabilities whatsoever in any of the contracts. We won’t go through each of the functions in every single contract that the RD Auditors team looked through here in this article, but for those who are interested in the details, feel free to check out the full audit report here. In summary, it is the RD Auditor team’s opinion that YSL.IO’s code is well-secured 🔒, which is the best of the four possible outcomes resulting from an audit with them.

Absolutely zero issues or security vulnerabilities were detected!

📃 Supplementary Audit Notes

For investors looking through the full audit report, there are 2 areas we would like to pre-emptively address in order to alleviate any worries you might have.

1️⃣ Files To Be Ignored

On page 23 of the audit report, RD Auditors mention that while we have given them access to all of our contracts, there are 5 items that they did not audit.

Files that were ignored in the audit

This was not a mistake. The contracts in points:

  • 1: Have previously been audited by Solidity Finance in our first-ever audit and will no longer be used going forward as the 🔮 Price Discovery Phase is now over.
  • 2–4: Have previously been audited by Solidity Finance in our first-ever audit.
  • 5: These are a series of test contracts that are purely used for testing purposes. They have NOT been deployed to production and thus pose no security risk.

2️⃣ Safety Functions

On pages 27 and 28 of the audit report, there are 2 specific contracts that the audit called attention to. While the audit specifically states that a function in these contracts exists for safety purposes, it also states that there is the potential for these functions to be used maliciously. We wanted to take this chance to reassure investors and explain why these functions have been included in the contracts.

🅰 Referral.sol

A specific function in the referral contract gives the owner of the project the ability to change and remove the user’s referral address.

In this article, we mentioned that once a user is referred to the YSL.IO platform, the user’s account will be linked to the referrer’s and that relationship can never be changed. We have no plans (at present) to give users the ability to freely change who their referrer is, though the admins have retained the ability to do so on the off chance that a referrer makes a request to have his referrer rewards redirected to another wallet.

This will be judged on a case by case basis and we will of course conduct all necessary safety checks to have the referrer prove his ownership of the addresses before doing so.

🅱 YSLProtocol.sol

In the audit report, RD Auditors mention that the admins have the ability to deactivate the pool and stop all deposits to the pool by users.

While this might sound worrying, this feature is considered common practice in the yield farming ecosystem. Any project that relies on PancakeSwap 🥞 or ApeSwap 🐵 will need the ability to deactivate old farms/pools in the event that either DEX decides to migrate to a new version. In this scenario, any YSL.IO vaults that rely on the old farms/pools will need to be deactivated and the YSL.IO admins need to be able to restrict new deposits coming into these old vaults.

📍 As an example, PancakeSwap migrated from V1 to V2 in April of 2021. All V1 PancakeSwap LP tokens had to be broken, then the funds were re-added on the platform to form V2 PancakeSwap LP tokens in order to continue earning rewards. You can find the full details here.

Without the ability to restrict new deposits, investors could be mistakenly adding funds into a farm/pool (in our case a YSL.IO vault) that would not be giving out any rewards!

It’s also worth noting that RD Auditors accurately point out that this feature only allows the YSL.IO admins to restrict deposits into the vaults; the admins are unable to place any restrictions on investors withdrawing their funds. Should the time come when a vault needs to be paused or deactivated, users will always have the ability to withdraw their staked funds.
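
The deposit-only switch described above can be sketched as follows. This is an added illustration, not code from YSLProtocol.sol or the audit report; the contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only: all names here are hypothetical and are
// not taken from YSLProtocol.sol.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DepositPausableVault {
    address public immutable owner;
    IERC20 public immutable stakeToken;
    bool public depositsActive = true;
    mapping(address => uint256) public balanceOf;

    event DepositsActiveSet(bool active);

    constructor(IERC20 token) {
        owner = msg.sender;
        stakeToken = token;
    }

    // The only admin switch: it gates deposit() and nothing else.
    function setDepositsActive(bool active) external {
        require(msg.sender == owner, "not owner");
        depositsActive = active;
        emit DepositsActiveSet(active);
    }

    function deposit(uint256 amount) external {
        require(depositsActive, "deposits disabled");
        balanceOf[msg.sender] += amount;
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // No owner check and no depositsActive check: a deactivated vault
    // can still be exited by every staker.
    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount; // update state before the external call
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reading a contract for this property, the thing to confirm is that no owner-controlled flag or modifier is reachable from the withdrawal path.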

Closing Thoughts 💭

Of course, we’re far from being done just yet. Solidity Finance has finished its xYSL token audit and is continuing its audit of the remaining smart contracts, while CertiK and PeckShield have also begun their review of our code 🤩. We’ll be releasing individual articles once the results from those reviews are complete, so stay tuned!

Until then, let us know your thoughts in the comments below or in our Telegram group. We’re always listening and our team of helpful mods and community managers will address any concerns or feedback you might have as soon as they can!

Signing off for now ✌🏻

Author’s note: Leave a clap on the article if you can! Every clap is an additional chance the Medium formula will bring YSL.IO to a reader’s feed, which helps grow the YSL.IO family!

Full Audit Report: Click here

📍 Follow our social channels to stay up to date with YSL.IO
