Yearn — yvUSD
Score Breakdown
| Category | Weight | Score |
|---|---|---|
| Audits & Historical | 20% | 3.00 |
| Centralization & Control | 30% | 2.00 |
| Funds Management | 30% | 2.00 |
| Liquidity Risk | 15% | 3.00 |
| Operational Risk | 5% | 1.50 |
| Final Score | 2.3 / 5.0 | |
Overview
yvUSD is a USDC-denominated cross-chain Yearn V3 vault (ERC-4626) that deploys deposited USDC into multiple yield strategies across Ethereum mainnet and Arbitrum. The vault uses Circle's CCTP (Cross-Chain Transfer Protocol) to bridge assets to strategies on remote chains, requiring only strategy contracts on those chains rather than full Yearn V3 infrastructure.
Key architecture:
- Vault: Standard Yearn V3 vault (v3.0.4) accepting USDC deposits, issuing yvUSD shares
- Cross-chain strategies: Use a two-contract pattern — an origin `CCTPStrategy` on Ethereum and a remote `CCTPRemoteStrategy` (ERC-4626 variant) on the destination chain. The origin strategy restricts deposits to a single `DEPOSITER` address (the yvUSD vault itself). When `report()` is called on the destination chain, `_harvestAndReport()` reports new assets back to the origin by queuing a CCTP message — no separate keeper relay required. The origin receives updates via `handleReceiveFinalizedMessage` and tracks remote capital via a `remoteAssets` variable. Additional remote vault implementations using different native bridges are currently in development
- LockedyvUSD: Companion cooldown wrapper where users lock yvUSD shares for additional yield. Users locking shares gives the vault better guarantees on duration risk, enabling higher-yield strategies without sacrificing atomic liquidity for non-lockers. Cooldown: 14 days (configurable), withdraw window: 5 days (configurable). Lockers receive a percentage of extra yield as an illiquidity premium. Also serves as the vault's accountant
- Strategies: 11 active strategies deploying into Morpho, Maple syrupUSDC, InfiniFi, Sky/MakerDAO, Spark, 3Jane USD3, Pendle/Spectra PT tokens, Cap stcUSD, and Fluid
- Yield sources: Lending yield (Morpho, Fluid, Spark, Sky), looper strategies (borrow-against-collateral loops on Morpho), and fixed-rate PT tokens (Pendle/Spectra)
Key metrics (April 3, 2026):
- TVL: ~$4,031,087 USDC
- Total Supply: ~4,003,217 yvUSD
- Price Per Share: 1.006961 USDC/yvUSD (~0.70% appreciation in ~74 days, ~3.4% annualized)
- Total Debt: 100% deployed (0 idle)
- Deposit Limit: $5,000,000 (80.6% utilized)
- Profit Max Unlock Time: 7 days
- Net APR: 4.23% | APY: 4.32%
Risk Summary
Key Strengths
- Battle-tested Yearn V3 infrastructure: V3 framework audited by Statemind, ChainSecurity, and yAcademy. No V3 exploits in ~23 months of production. Immutable vault contracts eliminate proxy upgrade risk
- Standard Yearn governance with 7-day timelock: The vault now uses the standard Yearn V3 governance pattern (same as yvUSDC-1 and 37+ other vaults) with a 7-day TimelockController for critical operations (adding strategies, changing accountant). Daddy/ySafe (6-of-9, with publicly known signers) is the sole proposer/executor. The timelock is self-governed (holds TIMELOCK_ADMIN_ROLE) — any config changes must themselves go through the 7-day delay
- Multi-layer security: Daddy (governance), Brain (operations), Security (emergency), and automated bots (Keeper, Debt Allocator) with differentiated responsibilities. No single point of failure
- USDC-denominated: Stablecoin backing eliminates price volatility risk on the underlying asset
- Diversified strategy portfolio: 11 strategies across 8+ protocols, distributed across lending, looper, PT, and cross-chain categories
- Improved dependency quality: Medium-risk protocol exposure reduced from 65.6% to 16.4%. Largest allocation (Maple, 45.8%) is rated Low Risk (2.33/5)
- No EOA role concentration: Deployer EOA confirmed at 0 vault roles. All vault operations require multisig or contract authorization
- Rigorous strategy review process: 12-metric risk scoring framework with ySec security review. All strategies evaluated across testing coverage, complexity, risk exposure, centralization, and protocol integration dimensions
- Active monitoring infrastructure: Hourly large-flow alerts, weekly endorsed-vault checks, and timelock monitoring across 6 chains via GitHub Actions + Telegram alerts
Key Risks
- Still early stage: ~74 days in production with ~$4M TVL. No stress testing. Deposit limit of $5M indicates early stage, though TVL growth is healthy (+34% since March)
- No external product-specific audit: The CCTPStrategy cross-chain code and LockedyvUSD wrapper have no dedicated external audit. CCTPStrategy underwent strict internal ySec review. All strategies follow the rigorous 12-metric risk framework, but external third-party review of these specific components is absent
- Maple concentration: 45.8% of vault funds are in Maple syrupUSDC strategies — a single protocol failure could impact nearly half the vault
- High looper allocation: Looper strategies now represent ~86% of TVL (up from ~58%), increasing leverage exposure
Critical Risks
- Looper liquidation cascade: Looper strategies (~86% of TVL) use leveraged positions on Morpho. A collateral depeg (e.g., syrupUSDC or siUSD) could trigger cascading liquidations across multiple strategies simultaneously. The increased looper concentration amplifies this risk compared to March
- Cross-chain accounting lag: Remote strategy positions are updated when `_harvestAndReport()` queues CCTP messages back to the origin. Between report cycles, the vault's reported `totalAssets()` may not reflect real-time changes on Arbitrum
Full Report
Contract Addresses
Core yvUSD Contracts (Ethereum)
| Contract | Address | Type |
|---|---|---|
| yvUSD Vault | 0x696d02Db93291651ED510704c9b286841d506987 | Yearn V3 Vault (v3.0.4), Vyper minimal proxy |
| LockedyvUSD (Accountant) | 0xAaaFEa48472f77563961Cdb53291DEDfB46F9040 | Cooldown wrapper + vault accountant |
| APR Oracle | 0x1981AD9F44F2EA9aDd2dC4AD7D075c102C70aF92 | Onchain APR estimation |
| Fee Splitter | 0xd744B7D6bE69b334766802245Db2895e861cb470 | Revenue distribution |
Governance Contracts
| Contract | Address | Configuration |
|---|---|---|
| Yearn V3 Role Manager | 0xb3bd6B2E61753C311EFbCF0111f75D29706D9a41 | Standard Yearn Role Manager — vault role_manager |
| Strategy Manager (Timelock) | 0x88ba032be87d5eF1FbE87336b7090767f367bF73 | TimelockController — 7-day delay. Governs the RoleManager. TIMELOCK_ADMIN_ROLE held only by the timelock itself (not Daddy or any EOA). DEFAULT_ADMIN never granted (admin = address(0) at construction) — no one can grant/revoke roles outside the propose→wait→execute flow |
| Daddy / ySafe (Governance) | 0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52 | 6-of-9 Gnosis Safe — sole PROPOSER on timelock; also EXECUTOR and CANCELLER (shared). Holds nearly all vault roles (bitmask 0x3FF6) |
| Brain (Operations) | 0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7 | 3-of-8 Gnosis Safe — operational roles + CANCELLER on timelock |
| Security | 0xe5e2BAf96198c56380DDd5e992D7d1adA0E989C0 | 4-of-7 Gnosis Safe — DEBT_MANAGER, MAX_DEBT_MANAGER, EMERGENCY_MANAGER |
| Debt Allocator | 0x1E9eB053228B1156831759401DE0E115356b8671 | Contract — REPORTING_MANAGER, DEBT_MANAGER |
| Keeper | 0x604e586F17cE106B64185a7A0d2c1DA5BaCe711e | yHaaSRelayer — REPORTING_MANAGER |
| Deployer EOA | 0x1b5f15DCb82d25f91c65b53CEe151E8b9fBdD271 | 0 vault roles (confirmed). Fee Splitter governance only |
Yearn V3 Infrastructure
| Contract | Address |
|---|---|
| Vault Factory | 0x770D0d1Fb036483Ed4AbB6d53c1C88fb277D812F |
| Vault Implementation (v3.0.4) | 0xd8063123BBA3B480569244AE66BFE72B6c84b00d |
| Tokenized Strategy | 0xD377919FA87120584B21279a491F82D5265A139c |
| Yearn V3 Keeper | 0x52605BbF54845f520a3E94792d019f62407db2f8 |
Active Strategies (11)
| # | Strategy | Name | Current Debt (USDC) | Allocation | Protocols Used |
|---|---|---|---|---|---|
| 1 | 0xF28DC8B6DeD7E45F8cf84B9972487C8e1857A442 | syrupUSDC/USDC Morpho Looper | 1,747,438 | 43.35% | Maple syrupUSDC, Morpho |
| 2 | 0x0e297dE4005883C757c9F09fdF7cF1363C20e626 | Morpho Yearn OG USDC Compounder | 970,687 | 24.08% | Morpho |
| 3 | 0x5f9DBa2805411a8382FDb4E69d4f2Da8EFaF1F89 | Infinifi sIUSD Morpho Looper | 612,648 | 15.20% | InfiniFi siUSD, Morpho |
| 4 | 0x7130570BCEfCedBe9d15B5b11A33006156460f8f | USDC to sUSDS Depositor | 421,438 | 10.45% | Sky/MakerDAO |
| 5 | 0x9e0A5943dFc1A85B48C191aa7c10487297aA675b | USDC To Spark USDS Depositor | 100,257 | 2.49% | Spark, Sky/MakerDAO |
| 6 | 0x2F56D106C6Df739bdbb777C2feE79FFaED88D179 | Arbitrum syrupUSDC/USDC Morpho Looper | 100,114 | 2.48% | Maple syrupUSDC, Morpho, CCTP |
| 7 | 0x4C0e4d3cB62B91afBbf1Fe8e830f98A513c7234b | USD3 Pendle PT Maxi | 50,015 | 1.24% | 3Jane USD3, Pendle |
| 8 | 0x7bf1D269bf2CB79E628F51B93763B342fd059D1D | PT stcUSD Jul 23 Morpho Looper | 28,491 | 0.71% | Cap stcUSD, Morpho, Pendle/Spectra |
| 9 | 0x48E66D65006007ef62B50735D070fc30d0242a93 | USDC To SKY USDS Depositor | 0 | 0.0% | Sky/MakerDAO |
| 10 | 0x00C8a649C9837523ebb406Ceb17a6378Ab5C74cF | USDC Fluid Lender | 0 | 0.0% | Fluid |
| 11 | 0x1983923e5a3591AFe036d38A8C8011e66Cd76e9E | Arb Yearn Degen Morpho Compounder | 0 | 0.0% | Morpho, CCTP |
Note: Since the March 2026 assessment, one strategy has been removed (PT siUSD March 25 — matured) and significant rebalancing has occurred. The vault has shifted from 3Jane USD3 dominance (33% → 1.2%) to Maple syrupUSDC dominance (9.4% → 45.8% across two strategies). Active portfolio management continues with multiple strategy additions and revocations over the vault's ~74-day history.
Strategy Protocol Dependencies with Existing Reports
Several underlying protocols have been previously assessed in this repository:
| Protocol | Report Score | yvUSD Allocation |
|---|---|---|
| Maple syrupUSDC | 2.33/5 (Low Risk) | 45.83% (two strategies) |
| InfiniFi | 2.8/5 (Medium Risk) | 15.20% |
| 3Jane USD3 | 3.5/5 (Medium Risk) | 1.24% |
| Fluid | 1.1/5 (Minimal Risk) | 0% (currently inactive) |
| Spectra | 2.25/5 (Low Risk) | Used for PT token infrastructure |
Audits and Due Diligence Disclosures
Yearn V3 Core Audits
The underlying vault infrastructure has been audited by 3 reputable firms:
| Auditor | Date | Scope | Report |
|---|---|---|---|
| Statemind | May 2, 2024 | V3 Vaults (v3.0.0) | |
| ChainSecurity | May 4, 2024 | V3 Vaults + Tokenized Strategy (v3.0.0) | 2 PDFs |
| yAcademy | Jun 2024 | V3 Vaults (v3.0.1) | |
yvUSD-Specific Audits
No external third-party audit specifically covering the CCTPStrategy cross-chain code, the LockedyvUSD cooldown wrapper, or individual yvUSD strategies was found. However, the CCTPStrategy has undergone strict internal review by ySec (Yearn's security team). All strategies go through Yearn's rigorous internal review process (see Strategy Review Process below).
Strategy Review Process
Yearn uses a formal 12-metric risk scoring framework (RISK_FRAMEWORK.md) for evaluating and approving strategies. The framework scores strategies across two dimensions:
Strategy-Related Scores (6 metrics):
- Review — number of Sources of Trust (internal strategist, peer review, expert review, ySec security review, recurring security review)
- Testing — code coverage requirements (score 1 = 95%+, score 5 = <70%)
- Complexity — source lines of code (score 1 = 0-150 sLOC, score 5 = 600+)
- Risk Exposure — potential loss percentage
- Centralization Risk — offchain management dependency
- Protocol Integration — number of external protocols integrated
External Protocol-Related Scores (6 metrics):
- Auditing — number of trusted audits on external protocols
- Centralization — owner control/governance of external protocols
- TVL — active total value locked
- Longevity — contract deployment age
- Protocol Type — category (blue-chip vs novel vs cross-chain vs offchain)
All 12 scores are summed and mapped to risk levels (Level 1-4). ySec can make exceptions with textual justification. This is a rigorous, documented process that provides strong assurance for strategy quality even without external audits on individual strategies.
Underlying Protocol Audits
| Protocol | Audit Coverage | Notes |
|---|---|---|
| Morpho | 25+ audits (Trail of Bits, Spearbit, OpenZeppelin, ChainSecurity, Certora) | Blue-chip. Formal verification by Certora |
| Pendle | 6+ audits (Ackee, Dedaub, ChainSecurity, Spearbit, Code4rena) | Well-established |
| Circle CCTP | ChainSecurity (V1 2023, V2 March 2025, V2 update April 2025, Gateway July 2025) | Trust-minimized bridge |
| Sky/MakerDAO | Extensively audited across many years | Blue-chip |
| Spark | Inherits MakerDAO audit coverage | Blue-chip |
| Cap (stcUSD) | TODO — no specific audit information found in public documentation | ~$500M TVL. Assessed internally as risk-2 (non-public report) |
Bug Bounty
- Immunefi: Active bug bounty for Yearn Finance. Max payout: $200,000 (Critical). Scope includes V3 vaults (`VaultV3.vy`, `VaultFactory.vy`).
- Sherlock: Also listed: https://audits.sherlock.xyz/bug-bounties/30
- Safe Harbor: Not listed on the SEAL Safe Harbor registry
On-Chain Complexity
The yvUSD system is moderately complex:
- 11 active strategies across 2 chains (Ethereum + Arbitrum)
- Cross-chain accounting via Circle CCTP (destination chain reports back to origin via CCTP on `_harvestAndReport()`)
- Looper strategies using Morpho for leveraged yield (borrow-against-collateral loops)
- PT token strategies with maturity dates requiring rollover
- Custom accountant (LockedyvUSD) combining cooldown/locking mechanics with fee management
- Multiple protocol dependencies (8+ distinct protocols)
- V3 vault itself is non-upgradeable (immutable Vyper minimal proxy)
Historical Track Record
- Vault deployed: January 19, 2026 (block 24271831) — ~74 days in production
- TVL: ~$4.03M USDC — early stage with a $5M deposit limit (80.6% utilized)
- PPS trend: 1.000000 → 1.006961 (~0.70% appreciation over 74 days, ~3.4% annualized)
- Security incidents: None known for this vault or Yearn V3 generally
- Strategy changes: Active portfolio management continues — one strategy removed (PT siUSD March 25 matured), significant rebalancing from 3Jane dominance to Maple dominance
- Governance maturation: Vault migrated from direct Safe governance to standard Yearn RoleManager with 7-day timelock (March 2026)
- Yearn V3 track record: V3 framework has been live since May 2024 (~23 months). No V3 vault exploits
Yearn protocol TVL: ~$240M total across all chains (DeFi Llama, April 2026).
Funds Management
yvUSD deploys deposited USDC across 11 strategies with 100% capital utilization (0 idle). Strategies fall into four categories:
Strategy Categories
1. Looper Strategies (85.8% of TVL)
Strategies that borrow against collateral on Morpho to achieve leveraged yield positions. These include:
- syrupUSDC/USDC Morpho Looper (43.35%)
- Morpho Yearn OG USDC Compounder (24.08%)
- Infinifi sIUSD Morpho Looper (15.20%)
- Arbitrum syrupUSDC/USDC Morpho Looper (2.48%, cross-chain)
- PT stcUSD Jul 23 Morpho Looper (0.71%)
Looper risk: These strategies are leveraged — they borrow USDC on Morpho against collateral (PT tokens, siUSD, syrupUSDC). If the collateral depegs or the Morpho market becomes illiquid, positions may face liquidation or inability to unwind.
2. Fixed-Rate PT Strategies (1.2% of TVL)
- USD3 Pendle PT Maxi (1.24%) — holds Pendle Principal Tokens backed by 3Jane USD3
PT risk: PT tokens have fixed maturity dates. Before maturity, exit requires selling on AMM (Pendle/Spectra) at potentially unfavorable rates. At maturity, PT is manually rolled over by converting to SY (yield token) via a rollover() call on the strategy — this process cannot steal user funds. If not rolled over, the position simply holds the redeemed underlying.
3. Lending Strategies (12.9% of TVL)
- USDC to sUSDS Depositor (10.45%) — deposits into Sky/MakerDAO
- USDC To Spark USDS Depositor (2.49%) — deposits into Spark
Lending risk: Standard DeFi lending risk. Sky and Spark are blue-chip protocols with extensive audit coverage.
4. Cross-Chain Strategies (2.5% active, with inactive allocations)
Two strategies bridge USDC to Arbitrum via Circle CCTP:
- Arbitrum syrupUSDC/USDC Morpho Looper (2.48%)
- Arb Yearn Degen Morpho Compounder (0%, inactive)
Cross-chain risk: Bridge delays (CCTP attestation time), and remote chain execution risk.
Accessibility
- Deposits: Permissionless — anyone can deposit USDC and receive yvUSD (ERC-4626 standard). Subject to $5M deposit limit
- Withdrawals: ERC-4626 standard. Users can redeem yvUSD for USDC. However:
  - 100% of funds are deployed (0 idle) — withdrawals require unwinding strategy positions
  - Cross-chain strategies require CCTP bridging back, which takes time
  - PT strategies may have liquidity constraints before maturity
  - Looper strategies require deleveraging, which may take multiple transactions
- LockedyvUSD: Optional lock wrapper with 14-day cooldown + 5-day withdrawal window. Yields a "locker bonus" but restricts exit timing
- No fees on deposits/withdrawals — fees are taken via the accountant during `process_report` (performance/management fees)
Collateralization
- 100% onchain USDC backing — all deposits are USDC, all strategy positions ultimately track back to USDC value
- Collateral quality varies by strategy:
  - Blue-chip (Sky, Spark, Fluid): 12.9% of TVL
  - Low-risk (Maple syrupUSDC 2.33/5): 45.8% of TVL — now the dominant allocation
  - Medium-risk (InfiniFi 2.8/5, 3Jane 3.5/5): 16.4% of TVL — significantly reduced from 65.6% in March
  - Low-risk (Cap stcUSD, internal risk-2): 0.71% of TVL
  - Established infrastructure (Morpho, Pendle): used across 85%+ of strategies
- Leverage via looper strategies: Borrowing against collateral on Morpho. Looper allocation increased from ~58% to ~86% of TVL
Provability
- yvUSD exchange rate: Calculated onchain via ERC-4626 standard (`convertToAssets()` / `convertToShares()`). Fully programmatic, no admin input
- Strategy positions: Each strategy's `totalAssets()` is onchain. The vault's `totalAssets()` is the sum of all strategy debts
- Cross-chain lag: For cross-chain strategies, `remoteAssets` on the origin is updated when CCTP messages arrive (sent automatically by `_harvestAndReport()` on the destination chain). Between report cycles, the value can be stale — the vault's reported `totalAssets()` may not reflect real-time changes on Arbitrum
- Profit/loss reporting: Profits are reported by keepers via `process_report()` and locked for gradual distribution over 7 days (`profitMaxUnlockTime`). Losses are immediately reflected in PPS
Liquidity Risk
- Primary exit: Redeem yvUSD for USDC via ERC-4626 `withdraw()` / `redeem()`. Subject to strategy liquidity
- Zero idle funds: Currently 100% of vault assets are deployed to strategies. Withdrawals require unwinding positions
- Strategy withdrawal constraints:
  - Looper strategies: Must deleverage on Morpho (may require multiple keeper transactions)
  - PT strategies: Before maturity, must sell PTs on AMM (potential slippage). At maturity, manual rollover via `rollover()` call converting PT to SY
  - Cross-chain strategies: Withdrawal triggers CCTP bridging back from remote chain (hours for CCTP attestation)
  - Lending strategies (Sky, Spark): Generally liquid for immediate withdrawal
- DEX liquidity: No known DEX liquidity pools for yvUSD. The vault is an ERC-4626 token, not traded on DEXes
- LockedyvUSD: 14-day cooldown + 5-day withdrawal window. Shares in cooldown cannot be transferred
- Same-value asset: USDC-denominated vault token — no price divergence risk from the underlying
- Deposit limit: $5M cap limits concentration risk and indicates early stage
Centralization & Control Risks
Governance
Since the initial March 2026 assessment, the yvUSD vault has completed its governance setup by migrating to the standard Yearn V3 governance pattern via the Yearn V3 Role Manager contract (0xb3bd6B2E61753C311EFbCF0111f75D29706D9a41). This is the same governance framework used by yvUSDC-1 and 37+ other Yearn vaults — a significant maturation from the initial direct-Safe governance used during the vault's launch phase.
Governance hierarchy:
| Position | Address | Threshold | Roles on Vault |
|---|---|---|---|
| Daddy (ySafe) | 0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52 | 6-of-9 | Nearly all roles (bitmask 0x3FF6). Sole PROPOSER on timelock; also EXECUTOR and CANCELLER (shared — see Appendix) |
| Brain | 0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7 | 3-of-8 | Operational roles (bitmask 0x3972) — REVOKE_STRATEGY, QUEUE, REPORTING, DEBT, DEPOSIT_LIMIT, PROFIT_UNLOCK, DEBT_PURCHASER, EMERGENCY. CANCELLER on timelock |
| Security | 0xe5e2BAf96198c56380DDd5e992D7d1adA0E989C0 | 4-of-7 | DEBT_MANAGER, MAX_DEBT_MANAGER, EMERGENCY_MANAGER (bitmask 0x20C0) |
| Strategy Manager (Timelock) | 0x88ba032be87d5eF1FbE87336b7090767f367bF73 | 7-day delay | ADD_STRATEGY, REVOKE_STRATEGY, FORCE_REVOKE, ACCOUNTANT, MAX_DEBT (bitmask 0x8F). DEFAULT_ADMIN never granted. Timelock holds TIMELOCK_ADMIN_ROLE — config changes require 7-day delay |
| Keeper | 0x604e586F17cE106B64185a7A0d2c1DA5BaCe711e | Bot | REPORTING_MANAGER |
| Debt Allocator | 0x1E9eB053228B1156831759401DE0E115356b8671 | Bot | REPORTING_MANAGER + DEBT_MANAGER |
Daddy (ySafe) 6-of-9 multisig signers include publicly known contributors: Mariano Conti (ex-MakerDAO), Leo Cheng (C.R.E.A.M.), 0xngmi (DeFiLlama), Michael Egorov (Curve), and others (source).
Governance assessment:
- Standard Yearn governance — same setup used across 37+ vaults (including yvUSDC-1), battle-tested pattern
- No EOA role concentration — deployer EOA has 0 vault roles (confirmed). All vault operations require multisig or contract authorization
- 7-day timelock with locked-down role structure — strategy additions and other critical operations go through the TimelockController (delay increased from initial 24h to 7 days). The timelock roles are tightly controlled:
  - PROPOSER: Daddy (6/9) only — no one else can initiate timelocked operations
  - EXECUTOR: Daddy (6/9) + TimelockExecutor contract (governed by Brain, internal executors: Brain + Deployer EOA)
  - CANCELLER: Daddy (6/9) + Brain (3/8)
  - TIMELOCK_ADMIN_ROLE: held only by the timelock contract itself — not by Daddy, Brain, or any EOA. Config changes (delay, role grants) must go through the 7-day delay
  - DEFAULT_ADMIN_ROLE: never granted (`admin = address(0)` at construction). No one can grant or revoke timelock roles outside the normal propose→wait→execute flow
- Immutable vault — no proxy upgrades possible
- Multi-layer security — Daddy (governance), Brain (operations), Security (emergency), and automated bots (Keeper, Debt Allocator) with differentiated responsibilities
Remaining concern: The deployer EOA (0x1b5f15DCb82d25f91c65b53CEe151E8b9fBdD271) remains the sole governance address on the Fee Splitter contract (0xd744B7D6bE69b334766802245Db2895e861cb470). This is a low-impact concern (fee distribution only, not fund custody) but deviates from the otherwise robust multi-sig governance pattern.
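Decoding the role bitmasks from the governance table, as an added example that is not Yearn's code: the bit order follows the Roles enum in VaultV3.vy, the Keeper and Debt Allocator masks are derived here from the role names in the table, and the `OBSERVED` reading is constructed. It shows which roles only the timelock holds and how a monitor can flag a grant that sidesteps the 7-day delay.

```python
# Role names in bit order (bit 0 first), matching the Roles enum in VaultV3.vy.
ROLE_NAMES = (
    "ADD_STRATEGY_MANAGER", "REVOKE_STRATEGY_MANAGER", "FORCE_REVOKE_MANAGER",
    "ACCOUNTANT_MANAGER", "QUEUE_MANAGER", "REPORTING_MANAGER", "DEBT_MANAGER",
    "MAX_DEBT_MANAGER", "DEPOSIT_LIMIT_MANAGER", "WITHDRAW_LIMIT_MANAGER",
    "MINIMUM_IDLE_MANAGER", "PROFIT_UNLOCK_MANAGER", "DEBT_PURCHASER",
    "EMERGENCY_MANAGER",
)
ALL_ROLES = (1 << len(ROLE_NAMES)) - 1  # 0x3FFF
TIMELOCK = "Strategy Manager (Timelock)"


def mask_of(*names):
    """Build a bitmask from role names."""
    return sum(1 << ROLE_NAMES.index(n) for n in names)


def decode(mask):
    """Return the role names set in a mask, lowest bit first."""
    if mask < 0 or mask >> len(ROLE_NAMES):
        raise ValueError("mask has bits outside the 14 defined roles")
    return [name for bit, name in enumerate(ROLE_NAMES) if (mask >> bit) & 1]


def exclusive_roles(holders, holder):
    """Roles that `holder` has and no other listed holder has."""
    others = 0
    for name, mask in holders.items():
        if name != holder:
            others |= mask
    return decode(holders[holder] & ~others)


def drift(baseline, observed):
    """Map each holder whose mask changed to (granted, revoked) role lists."""
    report = {}
    for holder in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(holder, 0), observed.get(holder, 0)
        if before != after:
            report[holder] = (decode(after & ~before), decode(before & ~after))
    return report


def timelock_bypass(baseline, observed):
    """Non-timelock holders that now hold a role the baseline gives only to the timelock."""
    gated = mask_of(*exclusive_roles(baseline, TIMELOCK))
    return {h: decode(m & gated) for h, m in observed.items()
            if h != TIMELOCK and m & gated}


# Masks as stated in the governance table; the two bots are derived from role names.
BASELINE = {
    "Daddy (ySafe)": 0x3FF6,
    "Brain": 0x3972,
    "Security": 0x20C0,
    TIMELOCK: 0x8F,
    "Keeper": mask_of("REPORTING_MANAGER"),
    "Debt Allocator": mask_of("REPORTING_MANAGER", "DEBT_MANAGER"),
}

# Constructed reading: Brain's mask gains bit 0 (ADD_STRATEGY_MANAGER).
OBSERVED = dict(BASELINE, Brain=0x3973)

if __name__ == "__main__":
    for holder, mask in BASELINE.items():
        print(f"{holder:28} {mask:#06x} {', '.join(decode(mask))}")
    print("Daddy lacks:", decode(ALL_ROLES & ~BASELINE["Daddy (ySafe)"]))
    print("Timelock only:", exclusive_roles(BASELINE, TIMELOCK))
    print("Drift:", drift(BASELINE, OBSERVED))
    print("Bypass:", timelock_bypass(BASELINE, OBSERVED))
```

In a live monitor the observed masks would come from the vault's `roles(address)` getter for each holder address in the table.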
Programmability
- Exchange rate (PPS): Calculated onchain algorithmically via ERC-4626. Fully programmatic, no admin input
- Vault operations: Deposit/withdraw are permissionless onchain transactions
- Strategy profit/loss: Reported programmatically by keepers via `process_report()`. Profits unlock linearly over 7 days. Losses are immediate
- Debt allocation: Automated via Debt Allocator contract, with manual override available to DEBT_MANAGER role holders (Daddy, Brain, Security)
- Cross-chain accounting: When `report()` is called on the destination chain, `_harvestAndReport()` automatically queues a CCTP message back to the origin. No separate keeper relay required. Can be stale between report cycles
- V3 vaults are immutable — no proxy upgrades, no admin-changeable implementation
External Dependencies
| Dependency | Criticality | Allocation | Notes |
|---|---|---|---|
| Morpho | Critical | ~86% (5 strategies) | $6.6B TVL, 25+ audits, formal verification. Used for looper leverage and USDC compounding |
| Maple syrupUSDC | Critical | 45.8% | Report score 2.33/5 (Low Risk). Overcollateralized institutional lending, ~$1.7B TVL. Highest single-protocol allocation |
| InfiniFi | High | 15.2% | Report score 2.8/5 (Medium Risk). Stablecoin protocol deploying into various DeFi strategies, ~$150M TVL |
| Sky/MakerDAO | High | 10.5% | Blue-chip, extensively audited. Stable lending yield |
| Pendle/Spectra | Medium | Used in PT strategies | $2.1B TVL (Pendle), 6+ audits. PT token infrastructure for fixed-rate yield |
| Spark | Medium | 2.5% | Part of Sky/MakerDAO ecosystem. Blue-chip |
| Circle CCTP | Medium | Cross-chain bridge | Audited by ChainSecurity (V1 + V2). Trust assumption: Circle attestation (same trust as holding USDC) |
| 3Jane USD3 | Low | 1.2% | Report score 3.5/5. Significantly reduced from 33% in March. Unsecured credit-based lending |
| Cap (stcUSD) | Low | 0.7% | ~$500M TVL. Yield-bearing stablecoin. Reduced from 5.1% |
| Fluid | Low | 0% (inactive) | Report score 1.1/5. Currently no allocation |
Dependency concentration: The vault's largest protocol dependency is now Maple syrupUSDC at 45.8% (rated Low Risk 2.33/5), a significant improvement from the previous concentration in medium-risk protocols (65.6% in 3Jane + InfiniFi). Medium-risk protocol exposure has dropped to ~16.4% (InfiniFi 15.2% + 3Jane 1.2%). However, the Maple concentration risk is notable — a single protocol failure could impact nearly half the vault. Morpho remains the critical infrastructure layer across 86% of strategies.
Operational Risk
- Team: Yearn Finance — established since 2020, publicly known contributors. The Yearn global multisig has 9 named signers including Mariano Conti (ex-MakerDAO), Leo Cheng (C.R.E.A.M.), 0xngmi (DeFiLlama), Michael Egorov (Curve), and others
- yvUSD governance: Standard Yearn V3 Role Manager — the same governance used across 37+ vaults, with clear role separation (Daddy, Brain, Security, Keeper, Debt Allocator). 7-day timelock on critical operations
- Documentation: Comprehensive Yearn V3 documentation. yvUSD-specific docs are now published on the official Yearn docs site, including cross-chain strategy architecture, LockedyvUSD mechanics, and a dedicated APR API service (yvusd-api.yearn.fi)
- Legal: Yearn Finance has converted its ychad.eth multisig into a BORG (cybernetic organization) via YIP-87, wrapping it in a Cayman Islands foundation company with smart contract governance restrictions. The YFI token governs the protocol via YIP proposals
- Incident response: Yearn has demonstrated incident response capability across historical events. V3 framework has not been tested under stress. The $200K Immunefi bug bounty provides a responsible disclosure channel
- V3 immutability: Vault contracts cannot be upgraded — this eliminates proxy upgrade risk but means bugs cannot be patched without deploying a new vault
Monitoring
Existing Monitoring Infrastructure
Yearn maintains an active monitoring system via the monitoring-scripts-py repository:
- Large flow alerts (`yearn/alert_large_flows.py`): Runs hourly via GitHub Actions. Monitors deposit/withdrawal events via Envio indexer, alerts on flows exceeding $5M threshold via Telegram. Currently monitors 21 vaults across Ethereum, Base, Arbitrum, and Katana
- Endorsed vault check (`yearn/check_endorsed.py`): Runs weekly, verifies all Yearn V3 vaults are endorsed onchain via the registry contract
- Timelock monitoring (`timelock/timelock_alerts.py`): Monitors Yearn TimelockController across 6 chains
Note: yvUSD is not yet added to the monitored vault list in alert_large_flows.py, but the infrastructure is in place and can be extended.
Additionally, Yearn provides a dedicated yvUSD APR API (yvusd-api.yearn.fi, source) that aggregates onchain vault/strategy accounting with offchain APR oracle computations. Endpoints include /api/health (data recency), /api/aprs (precomputed APRs), and /api/snapshot (raw strategy cache). A DeBank bundle (portfolio view) provides a consolidated view of all vault fund positions.
Key Contracts (Ethereum)
| Contract | Address | Monitor |
|---|---|---|
| yvUSD Vault | 0x696d02Db93291651ED510704c9b286841d506987 | PPS (convertToAssets(1e6)), totalAssets(), totalDebt(), totalIdle(), Deposit/Withdraw events |
| LockedyvUSD | 0xAaaFEa48472f77563961Cdb53291DEDfB46F9040 | Cooldown events, configuration changes (cooldown duration, withdrawal window) |
| Strategy Manager (Timelock) | 0x88ba032be87d5eF1FbE87336b7090767f367bF73 | Pending operations, MinDelayChange events, role grants/revocations |
| Daddy / ySafe | 0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52 | Signer/threshold changes, submitted transactions |
| Brain | 0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7 | Signer/threshold changes, submitted transactions |
| Deployer EOA | 0x1b5f15DCb82d25f91c65b53CEe151E8b9fBdD271 | Fee Splitter governance changes only (0 vault roles) |
| Fee Splitter | 0xd744B7D6bE69b334766802245Db2895e861cb470 | Governance changes, fee distribution changes |
Critical Events to Monitor
- PPS decrease — any decrease in `convertToAssets(1e6)` indicates a loss event. Should only increase
- Strategy additions/removals — `StrategyChanged` events indicate portfolio changes (new strategies go through 7-day timelock)
- Debt allocation changes — `UpdatedMaxDebtForStrategy` and `DebtUpdated` events
- Emergency actions — `Shutdown` event on vault
- Timelock operations — pending proposals on the TimelockController (strategy additions, accountant changes, delay changes)
- Signer/threshold changes on the Daddy (6-of-9) and Brain (3-of-8) Safes
- Cross-chain strategy accounting — monitor `remoteAssets` for staleness (compare to actual onchain positions on Arbitrum)
- Looper strategy health — monitor Morpho market positions for proximity to liquidation
- Underlying protocol health — monitor Maple, InfiniFi, and Morpho for incidents
Monitoring Functions
| Function | Contract | Purpose | Frequency |
|---|---|---|---|
| `convertToAssets(1e6)` | Vault | PPS tracking | Every 6 hours |
| `totalAssets()` | Vault | Total TVL | Daily |
| `totalDebt()` / `totalIdle()` | Vault | Capital deployment ratio | Daily |
| `strategies(address)` | Vault | Per-strategy debt, last report time | Daily |
| `get_default_queue()` | Vault | Withdrawal queue composition | Weekly |
| `getThreshold()` / `getOwners()` | Daddy / Brain Safes | Governance integrity | Daily |
| `getMinDelay()` | Timelock | Delay change detection | Weekly |
Reassessment Triggers
- Time-based: Reassess in 2 months (June 2026) as the vault approaches the 6-month production milestone
- TVL-based: Reassess if TVL exceeds $10M or changes by more than ±50%
- Incident-based: Reassess after any exploit, strategy loss, or underlying protocol incident (especially Maple, InfiniFi, or Morpho)
- Governance-based: Reassess if the timelock delay is modified, Safe compositions change (signer additions/removals, threshold changes), or the Fee Splitter governance is transferred from the deployer EOA to the multisig
- Audit-based: Reassess if CCTPStrategy or yvUSD-specific components receive dedicated external audits (should improve Audits score)
- Dependency-based: Reassess if Maple syrupUSDC or InfiniFi experience significant events. Reassess if Morpho looper markets face liquidation stress
- Strategy-based: Reassess if Maple concentration exceeds 60%, if allocation to medium-risk protocols exceeds 30%, or if looper leverage ratios increase significantly
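The checks listed under Critical Events to Monitor and the thresholds under Reassessment Triggers, evaluated over two vault snapshots, as an added example rather than code from Yearn's monitoring-scripts-py. The `Snapshot` fields stand for the view calls in the Monitoring Functions table, `MAX_REPORT_AGE` is an assumed staleness bound the report does not set, and the second snapshot and the signer names are constructed.

```python
from dataclasses import dataclass

DAY = 24 * 3600
EXPECTED_MIN_DELAY = 7 * DAY  # timelock delay stated in the report
MAPLE_LIMIT = 0.60            # reassessment trigger: Maple concentration
MEDIUM_RISK_LIMIT = 0.30      # reassessment trigger: medium-risk protocols
TVL_CEILING = 10_000_000      # reassessment trigger, in USDC
TVL_MOVE = 0.50               # reassessment trigger: +/-50% TVL change
MAX_REPORT_AGE = 3 * DAY      # assumption: the report sets no staleness bound


@dataclass(frozen=True)
class Strategy:
    debt: int          # current debt in USDC, from strategies(address)
    last_report: int   # unix time of the last report, from strategies(address)
    bucket: str        # "maple", "medium" (InfiniFi, 3Jane) or "other"


@dataclass(frozen=True)
class Snapshot:
    taken_at: int
    pps: int           # convertToAssets(1e6), 6-decimal USDC
    total_assets: int  # totalAssets() in whole USDC
    min_delay: int     # getMinDelay() on the timelock
    safes: dict        # name -> (getThreshold(), frozenset(getOwners()))
    strategies: dict   # name -> Strategy


def share(snap, bucket):
    """Fraction of deployed debt sitting in one risk bucket."""
    total = sum(s.debt for s in snap.strategies.values())
    part = sum(s.debt for s in snap.strategies.values() if s.bucket == bucket)
    return part / total if total else 0.0


def evaluate(prev, curr):
    """Compare two snapshots and return alert codes in a fixed order."""
    alerts = []
    if curr.pps < prev.pps:  # PPS should only increase
        alerts.append("PPS_DECREASE")
    if curr.min_delay != EXPECTED_MIN_DELAY:
        alerts.append("TIMELOCK_DELAY_CHANGED")
    for name in sorted(set(prev.safes) | set(curr.safes)):
        if prev.safes.get(name) != curr.safes.get(name):
            alerts.append(f"SAFE_CHANGED:{name}")
    if curr.total_assets > TVL_CEILING:
        alerts.append("TVL_ABOVE_10M")
    moved = abs(curr.total_assets - prev.total_assets)
    if prev.total_assets and moved > TVL_MOVE * prev.total_assets:
        alerts.append("TVL_MOVED_50PCT")
    if share(curr, "maple") > MAPLE_LIMIT:
        alerts.append("MAPLE_CONCENTRATION")
    if share(curr, "medium") > MEDIUM_RISK_LIMIT:
        alerts.append("MEDIUM_RISK_ALLOCATION")
    for name, s in curr.strategies.items():
        if s.debt > 0 and curr.taken_at - s.last_report > MAX_REPORT_AGE:
            alerts.append(f"STALE_REPORT:{name}")
    return alerts


# Debts and buckets from the Active Strategies table (zero-debt strategies omitted).
ARB = "Arbitrum syrupUSDC/USDC Morpho Looper"
DEBTS = {
    "syrupUSDC/USDC Morpho Looper": (1_747_438, "maple"),
    "Morpho Yearn OG USDC Compounder": (970_687, "other"),
    "Infinifi sIUSD Morpho Looper": (612_648, "medium"),
    "USDC to sUSDS Depositor": (421_438, "other"),
    "USDC To Spark USDS Depositor": (100_257, "other"),
    ARB: (100_114, "maple"),
    "USD3 Pendle PT Maxi": (50_015, "medium"),
    "PT stcUSD Jul 23 Morpho Looper": (28_491, "other"),
}


def book(now, debts):
    """Build the strategy map with every strategy reported one day before `now`."""
    return {n: Strategy(d, now - DAY, b) for n, (d, b) in debts.items()}


T0 = 1_775_174_400                           # constructed sample time
SIGNERS = [f"signer-{i}" for i in range(9)]  # constructed placeholders
PREV = Snapshot(T0, 1_006_961, 4_031_087, 7 * DAY,
                {"Daddy": (6, frozenset(SIGNERS)), "Brain": (3, frozenset(SIGNERS[:8]))},
                book(T0, DEBTS))

# Constructed second reading six hours later: PPS dips, the delay reads 24h,
# Brain's threshold drops, debt moves into the Maple looper, Arbitrum goes stale.
T1 = T0 + 6 * 3600
_moved = {**DEBTS, "syrupUSDC/USDC Morpho Looper": (2_718_125, "maple"),
          "Morpho Yearn OG USDC Compounder": (0, "other")}
_strategies = book(T1, _moved)
_strategies[ARB] = Strategy(100_114, T1 - 5 * DAY, "maple")
CURR = Snapshot(T1, 1_006_100, 4_027_640, DAY,
                {"Daddy": (6, frozenset(SIGNERS)), "Brain": (2, frozenset(SIGNERS[:8]))},
                _strategies)

if __name__ == "__main__":
    for alert in evaluate(PREV, CURR):
        print(alert)
```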
Appendix: Contract Architecture
```
┌──────────────────────────────────────────────────────────────────────┐
│                             VAULT LAYER                              │
│                                                                      │
│  ┌───────────────────────┐        ┌──────────────────────────────┐   │
│  │ yvUSD Vault (v3.0.4)  │        │ LockedyvUSD                  │   │
│  │ ERC-4626, immutable   │◀───────│ Cooldown wrapper + accountant│   │
│  │ 0x696d...6987         │        │ 14d cooldown, 5d window      │   │
│  │                       │        │ 0xAaaF...9040                │   │
│  │ deposit() / redeem()  │        └──────────────────────────────┘   │
│  │ totalAssets()         │                                           │
│  └──────────┬────────────┘                                           │
│             │ deploys USDC to 11 strategies                          │
│             │                                                        │
│  ┌──────────▼─────────────────────────────────────────────────────┐  │
│  │                   STRATEGIES (by allocation)                   │  │
│  │                                                                │  │
│  │  ┌──────────────────────────────────────────────────────────┐  │  │
│  │  │ LOOPER STRATEGIES (~86% of TVL) via Morpho               │  │  │
│  │  │ syrupUSDC/USDC Morpho Looper     43.35%  (Maple)         │  │  │
│  │  │ Morpho Yearn OG USDC Compounder  24.08%  (Morpho)        │  │  │
│  │  │ Infinifi sIUSD Morpho Looper     15.20%  (InfiniFi)      │  │  │
│  │  │ Arb syrupUSDC/USDC Morpho Looper  2.48%  (CCTP)          │  │  │
│  │  │ PT stcUSD Jul 23 Morpho Looper    0.71%  (Cap)           │  │  │
│  │  └──────────────────────────────────────────────────────────┘  │  │
│  │  ┌──────────────────────┐  ┌────────────────────────────────┐  │  │
│  │  │ LENDING (~13%)       │  │ PT (~1%)                       │  │  │
│  │  │ sUSDS Depositor      │  │ USD3 Pendle PT Maxi  1.24%     │  │  │
│  │  │   10.45%             │  │ (3Jane USD3, Pendle)           │  │  │
│  │  │ Spark Depositor      │  └────────────────────────────────┘  │  │
│  │  │   2.49%              │                                      │  │
│  │  └──────────────────────┘                                      │  │
│  └────────────────────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────────────────────┘
                                    │
                   deposits into underlying protocols
                                    │
┌───────────────────────────────────▼──────────────────────────────────┐
│                         UNDERLYING PROTOCOLS                         │
│                                                                      │
│     ┌──────────────┐      ┌──────────────┐      ┌──────────────┐     │
│     │  Morpho      │      │  Maple       │      │  Sky/MakerDAO│     │
│     │  $6.6B TVL   │      │  syrupUSDC   │      │  sUSDS       │     │
│     │  25+ audits  │      │  $1.7B TVL   │      │  Blue-chip   │     │
│     │  86% of strat│      │  45.8% alloc │      │  12.9% alloc │     │
│     └──────────────┘      └──────────────┘      └──────────────┘     │
│     ┌──────────────┐      ┌──────────────┐      ┌──────────────┐     │
│     │  InfiniFi    │      │  Pendle/     │      │  Circle CCTP │     │
│     │  siUSD       │      │  Spectra     │      │  Cross-chain │     │
│     │  15.2% alloc │      │  PT tokens   │      │  bridge      │     │
│     └──────────────┘      └──────────────┘      └──────────────┘     │
└──────────────────────────────────────────────────────────────────────┘

Data flow: User deposits USDC → yvUSD vault → strategies deploy to
Morpho/Maple/Sky/InfiniFi/Pendle. Cross-chain strategies bridge via
Circle CCTP to Arbitrum. Profits reported by Keeper, locked for 7 days.
Optional: User locks yvUSD in LockedyvUSD for bonus yield (14d cooldown).
```
Appendix: TimelockController Role Structure
TimelockController 0x88ba032be87d5eF1FbE87336b7090767f367bF73 — deployed at block 24,242,692 with admin = address(0).
Timelock Roles
| Role | Holder | Type | Notes |
|---|---|---|---|
| DEFAULT_ADMIN | No holder | — | Never granted (admin = address(0) at construction). No one can grant/revoke roles outside the propose→wait→execute flow |
| TIMELOCK_ADMIN | Timelock itself (0x88ba032be87d5eF1FbE87336b7090767f367bF73) | Contract | Only the timelock can admin its own roles. Config changes (delay, role grants) must go through the 7-day delay |
| PROPOSER | Daddy/ySafe (0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52) | 6-of-9 Safe | Only proposer — no one else can initiate timelocked operations |
| EXECUTOR | Daddy/ySafe (0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52) | 6-of-9 Safe | Can execute queued proposals directly |
| EXECUTOR | TimelockExecutor (0xf8f60bf9456a6e0141149db2dd6f02c60da5779b) | Contract | Wrapper contract — delegates execution to its internal executor list (see below) |
| CANCELLER | Daddy/ySafe (0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52) | 6-of-9 Safe | Can cancel pending proposals |
| CANCELLER | Brain (0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7) | 3-of-8 Safe | Can cancel pending proposals |
TimelockExecutor Contract
0xf8f60bf9456a6e0141149db2dd6f02c60da5779b — governance-gated wrapper around the TimelockController. Only addresses on its internal executor list can call execute() through it.
| Parameter | Value |
|---|---|
| Governance | Brain (0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7) — only Brain can add/remove internal executors |
| Internal executor 1 | Brain (0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7) |
| Internal executor 2 | Deployer EOA (0x1b5f15DCb82d25f91c65b53CEe151E8b9fBdD271) |
Execution Paths for Queued Proposals
All paths require Daddy (6/9) to first propose the operation and a 7-day wait:
- Daddy (6/9) executes directly (holds EXECUTOR_ROLE on timelock)
- Brain (3/8) executes via TimelockExecutor contract
- Deployer EOA executes via TimelockExecutor contract
Why the Delay Cannot Be Bypassed
To change the timelock delay (e.g., reduce from 7 days), an attacker would need to:
- Control Daddy (6/9) to propose updateDelay() — the only PROPOSER
- Wait 7 days — Brain or Daddy can cancel during this window
- Execute via Daddy, Brain, or the EOA — but the operation is already visible onchain for 7 days
DEFAULT_ADMIN was never granted, so no one can grant themselves PROPOSER or TIMELOCK_ADMIN to skip this flow. The timelock holds TIMELOCK_ADMIN but can only act on it through its own propose→wait→execute cycle.
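The governance rows of the monitoring table and the role tables above can be turned into an automated drift check. The following is an added example, not Yearn's tooling or code from this report: the baseline is transcribed from this page, the snapshot is constructed with placeholder owner addresses, and in practice it would be filled from getThreshold() / getOwners() / getMinDelay() reads plus role-membership reads (assumed here to be available, e.g. via OpenZeppelin-style `hasRole`).

```python
# Added example: governance drift check. Baseline values are transcribed from
# the role tables on this page; snapshots are constructed, not live chain data.
DADDY = "0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52"
BRAIN = "0x16388463d60FFE0661Cf7F1f31a7D658aC790ff7"
TL_EXECUTOR = "0xf8f60bf9456a6e0141149db2dd6f02c60da5779b"
DEPLOYER_EOA = "0x1b5f15DCb82d25f91c65b53CEe151E8b9fBdD271"

BASELINE = {
    "min_delay": 7 * 24 * 3600,                # getMinDelay(), seconds
    "safes": {DADDY: (6, 9), BRAIN: (3, 8)},   # getThreshold(), len(getOwners())
    "roles": {"PROPOSER": {DADDY}, "EXECUTOR": {DADDY, TL_EXECUTOR},
              "CANCELLER": {DADDY, BRAIN}},
    "inner_executors": {BRAIN, DEPLOYER_EOA},  # TimelockExecutor's own list
}

def _low(addrs):
    return {a.lower() for a in addrs}          # compare case-insensitively

def _set_drift(label, expected, got, grant_sev):
    out = [(grant_sev, f"{label}: new holder {a}") for a in sorted(_low(got) - _low(expected))]
    out += [("WARN", f"{label}: holder removed {a}") for a in sorted(_low(expected) - _low(got))]
    return out

def check(snap, base=BASELINE):
    """Return [(severity, message)] for every deviation from the baseline."""
    findings = []
    if snap["min_delay"] != base["min_delay"]:
        sev = "CRITICAL" if snap["min_delay"] < base["min_delay"] else "WARN"
        findings.append((sev, f"timelock delay {base['min_delay']}s -> {snap['min_delay']}s"))
    for safe, (thr, n) in base["safes"].items():
        got_thr, owners = snap["safes"][safe]
        if (got_thr, len(_low(owners))) != (thr, n):
            sev = "CRITICAL" if got_thr < thr else "WARN"
            findings.append((sev, f"Safe {safe[:10]}: {thr}-of-{n} -> {got_thr}-of-{len(_low(owners))}"))
    for role, holders in base["roles"].items():
        # A second PROPOSER breaks the single-proposer assumption stated above.
        sev = "CRITICAL" if role == "PROPOSER" else "WARN"
        findings += _set_drift(role, holders, snap["roles"][role], sev)
    findings += _set_drift("TimelockExecutor list", base["inner_executors"],
                           snap["inner_executors"], "WARN")
    return findings

def constructed_snapshot(daddy_threshold=6, min_delay=604800, proposers=(DADDY,)):
    """Constructed sample input; owner addresses are placeholders."""
    owners = lambda n: [f"0x{i:040x}" for i in range(1, n + 1)]
    return {"min_delay": min_delay,
            "safes": {DADDY: (daddy_threshold, owners(9)), BRAIN: (3, owners(8))},
            "roles": {"PROPOSER": set(proposers), "EXECUTOR": {DADDY, TL_EXECUTOR},
                      "CANCELLER": {DADDY, BRAIN}},
            "inner_executors": {BRAIN, DEPLOYER_EOA}}
```

Any non-empty result maps to the governance-based reassessment trigger; a shortened delay, a lowered Safe threshold, or an additional PROPOSER is graded CRITICAL because each one weakens the propose→wait→execute guarantee described above.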