# Protocol Due Diligence: Vesper Finance

## Vesper Overview

- [Site](https://vesper.finance)
- [Team](https://vesper.finance/about/)
- [Docs](https://docs.vesper.finance/)
- [Audits and due diligence disclosures](https://docs.vesper.finance/vesper-grow-pools/vesper-grow/audits)

## Rug-ability

**Multi-sig:** Yes

- The Vesper [multi-sig](https://etherscan.io/address/0x9520b477aa81180e6ddc006fc09fb6d3eb4e807a) is the owner of the controller contract, which has authority to call key security functions, for example changing strategies, withdrawing funds from strategies, etc.
- Multi-sig is 3-of-5

**Upgradable Contracts:** No

- However, the controller (via governance) may swap out strategies at any time.

**Decentralization:**

- **Current** For the first 2-6 months, ownership functionalities will be retained by the team’s multisig in order to upgrade strategies, introduce new pools, allocate VSP rewards, and so on.
- **Future per [plan](https://docs.vesper.finance/community-participation-and-governance/governance)** After 2-6 months, governance responsibilities will be transferred in full to holders of vVSP in the vVSP vault.

## Other Risks

- Like Yearn, Vesper has a vault/strategy model. Current strategies are low risk. [Source](https://medium.com/vesperfinance/vesper-grow-strategies-today-and-tomorrow-8bd7b907ba5).

**Currently in use:** Aave: [link to contract](https://etherscan.io/address/0x3a51F72104fd7c9257730C437B250E99516202Fc)

USDC is deposited to Aave to compound yield.

**In beta: AaveV2**

USDC is deposited to Aave v2 where it compounds yield and farms AAVE, which is liquidated back to USDC and deposited for more yield.

## Audit Reports

Medium article [here](https://coinspect.medium.com/vesper-pools-smart-contract-audits-835d10b9e44c).

1. [Certik Audit](https://github.com/vesperfi/doc/blob/main/audit/v1/REP-Bloq-11_11_20.pdf)
2. Coinspect Audits
   - [First Report](https://github.com/coinspect/publications/blob/master/Vesper%20Pools%20Security%20Audit%20v201230.pdf)
   - [Second Report](https://github.com/coinspect/publications/blob/master/Vesper%20Pools%20Security%20-%20Second%20Audit%20v201230.pdf)
   - [Third Report](https://github.com/coinspect/publications/blob/master/Vesper%20Pools%20Security%20-%20Third%20Audit%20v201230.pdf)
   - [Fourth Report](https://github.com/coinspect/publications/blob/master/Vesper%20Pools%20Security%20-%20Fourth%20Audit%20v210119.pdf)
   - [Fifth Report](https://github.com/coinspect/publications/blob/master/Vesper%20Pools%20Security%20-%20PaymentSplitter%20Audit%20v210210.pdf)

### Key Findings

- Pool contracts are immutable
- Strategies can be upgraded by the controller contract
- No harvest sandwich protection. Acknowledged with no action by the team.

## Path-to-Prod:

- [x] Deploy a strategy instance in ape.tax with USDC
- [x] Test to make sure all functionality is working correctly
- [ ] Update strategy to make it clonable
- [ ] Deploy a clone of the strategy in the USDC prod vault with 50k USDC debt ratio
- [ ] Deploy a clone of the strategy in the WBTC prod vault with 50k USDC debt ratio
- [ ] Clone other tokens and assign to prod vaults 🤷