# Audit

Cyfrin has conducted a full audit of the [contracts](/sherpaearn-vault/contracts.md) described in these docs.

## Full audit report:

{% file src="/files/4mTbjLQ00iUFZZ52Y9jn" %}

{% file src="/files/Id7EqHQyTBl1kpsTDPx1" %}

<table><thead><tr><th width="644.4609375">Finding</th><th>Status</th></tr></thead><tbody>
<tr><td>[M-1] Owner can rescue the vault's own share tokens</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[M-2] Owner can chain admin calls for same-block drains</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[M-3] Withdrawals can effectively only happen on the primary chain after any yield has accrued</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[L-1] Misconfigured decimal scale can skew vault accounting</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[L-2] SherpaUSD does not work with fee-on-transfer tokens</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[L-3] Direct amount assignment in SherpaUSD::ownerMint/ownerBurn can break accounting for totalStaked and accountingSupply</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[I-1] SherpaVault::_rollInternal price calculation comment and math inconsistent</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[I-2] SherpaUSD::consumeTotalStakedApproval and SherpaUSD::consumeAccountingApproval callable by anyone</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[I-3] CCIPReceiver dependency not necessary</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[I-4] SherpaVault::redeem naming ambiguous</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[I-5] Some SherpaUSD can never be unstaked due to minimumSupply check</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[I-6] Consider implementing explicit rounding behaviour instead of default round down</td><td><mark style="color:green;">Resolved</mark></td></tr>
<tr><td>[G-1] Optimize setters by emitting event before state updates</td><td><mark style="color:green;">Resolved</mark></td></tr>
</tbody></table>

Click [here](https://github.com/Cyfrin/cyfrin-audit-reports/blob/main/reports/2025-11-23-cyfrin-sherpa-v2.0.pdf) to view the report directly in Cyfrin's public repo.

