YieldNest – Security Review of Max Vaults and integration with Kernel

YieldNest partnered with Composable Security to evaluate the security of its Max Vault integration with the Kernel protocol on BNB Chain. The goal was to ensure safe yield generation and optimize protocol robustness before launch.

Basic information

Project type: DeFi protocol with Liquid Restaking Token infrastructure

Service: Smart contract security review, including retest and advisory support.

Results: Identified and resolved 1 high-risk and 8 medium-risk vulnerabilities; verified integration security with Kernel; improved architectural resilience and code quality.

About the YieldNest

YieldNest is a DeFi protocol focused on creating structured yield products through Liquid Restaking Tokens (LRTs). Their products, such as ynBNBk and ynBTCk, allow users to earn yield on restaked assets while maintaining liquidity. YieldNest operates across chains, with a strong emphasis on scalable integrations and user-focused product design.

The project evaluated in this case study centered around integrating the Kernel protocol into YieldNest’s Max Vault architecture on the BNB Chain, enabling streamlined yield access through composable DeFi strategies.

Visit website: https://www.yieldnest.finance/

About the service scope

The engagement focused on reviewing the smart contracts behind the Max Vault integration and ensuring their compliance with DeFi standards and security best practices. This integration enables managing yield strategies on the BNB chain using the Kernel protocol. This partnership aims to integrate Kernel’s infrastructure with YieldNest’s Liquid Restaking Tokens (LRTs), specifically ynBNBk and ynBTCk.

• ynBNBk: This LRT combines existing ynBNB – a liquid restaking token on BNB Chain with Kernel’s restaking infrastructure to optimize yield generation.
• ynBTCk: This LRT enables users to restake their Bitcoin assets on the BNB Chain, leveraging Kernel’s infrastructure for enhanced returns.

The Max Vault Architecture is designed to give users streamlined access to yield opportunities across multiple DeFi protocols. The system design involves ERC4626 compatible Vaults (deposit vaults) and downstream Strategies that handle further allocation of assets to e.g. restaking connectors.

Architecture consists of the following key components:

• Vault (ERC4626)
  • Core deposit contract that converts user deposits into a standardized share token.
  • Manages accounting (e.g., total assets, total shares).
  • Accepts multiple derivative or native assets but denominates shares in a single, major base asset (e.g., ETH, BTC, USD).
• Strategies
  • Downstream contracts that allocate assets into DeFi protocols (Kernel, etc.).
  • Receive allocations from the Vault and generate yield.
  • Return capital when users withdraw or when the Vault rebalances.
• Coprocessor
  • Monitors the Vault’s deposit and withdraw events.
  • Calls processor function to move assets to/from Strategies.
  • Makes sure everything stays in sync without unnecessary gas overhead.
• Rate Provider
  • Feeds the Vault with current price/conversion data for all supported assets.
• Buffer Strategy
  • Strategy that holds enough liquidity for immediate withdrawals.
  • Prevents the need to exit more complex or illiquid Strategies for everyday withdrawal requests.

Initial challenges and constraints:

• A newly implemented Max Vault architecture supporting multi-asset deposits
• Integration with the Kernel protocol’s restaking infrastructure
• Active development phase with some logic still evolving
• Strategic importance of accurate asset accounting and fee handling

Defined objectives:

• Test for compliance with ERC4626
• Review integrations with Kernel strategies and rate providers
• Perform a follow-up retest to verify remediations

Composable Security performed the audit over a one-week period with two dedicated smart contract security experts, followed by a retest two weeks later.

Identified threats

As before every smart contract audit, thorough threat modeling was performed. The results are made available to the client for joint analysis.

Key assets that require protection:

• Assets (deposited tokens)
• Exchange rate
• Protocol availability
• Private keys of the owner and privileged roles

Potential attackers goals:

• Theft of user’s assets
• Lock users’ funds in the contract
• Collecting more rewards than other users
• Preventing other users from receiving rewards
• Reducing the yield of the protocol
• Preventing withdrawals
• Brick the contract, so that others cannot use it

Potential scenarios to achieve the indicated attacker’s goals:

• Incorrect integration with Kernel protocol
• Theft of funds stored in the strategy vault
• Shares manipulation with donation attack
• Manipulation of asset’s exchange rate
• Unauthorized minting of tokens
• Lack of compliance with ERC4626
• Influence or bypass the business logic of the system
• Privilege escalation through incorrect access control to functions or badly written modifiers
• Design issues
• Excessive power, too much in relation to the declared one

More can be found in the report.

Smart contract audit results

A comprehensive security review outlined six vulnerabilities (1 high, 8 medium, 5 low) and four additional recommendations.

Key findings:

• [High Severity] Invalid decimals used to calculate total assets

• [Medium Severity] Inflating vault’s share rate via reentrancy

• [Medium Severity] Invalid amounts of asset returned by strategies
• [Medium Severity] Fee on withdrawal from strategy can lead to protocol’s loss
• [Medium Severity] Inability to unstake required assets from Kernel
• [Medium Severity] Rate provider for ynBNBx is missing ynClisBNBk strategy
• [Medium Severity] Invalid rate for YieldNest vaults
• [Medium Severity] Vault not compliant with ERC4626 in maxWithdraw function
• [Medium Severity] Back-running the rewards transfer

The team started improving the codebase immediately during the audit and we verified during the retest that most identified vulnerabilities had been properly remediated. Two vulnerabilities with medium impact on risk were acknowledged by the team with detailed justification.

Security enhancements:

• Improved ERC4626 compliance across Max Vaults and strategies
• Hardening of fee and withdrawal logic to prevent loss scenarios
• Strengthened compatibility with Kernel’s evolving architecture

Knowledge transfer:

The YieldNest team was highly engaged throughout the process. They independently identified some of the vulnerabilities and collaborated closely during remediation. Their readiness to address security concerns contributed significantly to the robustness of the final implementation.

Client rating