V2.1 — Soken Audit Remediation
V2.1 — Soken Audit Remediation
Audited V2.0: tag v2.0.0 · Audit report: Soken APY-2026-06-001 (2026-06-23)
Findings summary
| Severity | Count | Status |
|---|---|---|
| Critical | 1 | ✅ Fixed (F-17) |
| High | 0 | — |
| Medium | 2 | ✅ Fixed (F-01, F-02) |
| Low | 4 | ✅ Fixed (F-03, F-04, F-06, F-07) |
| Informational (code-change) | 5 | ✅ Fixed (F-05, F-15, F-16 docs, +X-listed) |
| Informational (acknowledged) | 4 | Documented as design tradeoffs |
| Total | 16 | 12 fixed + 4 acknowledged |
Full per-finding mapping (root cause → V2.1 fix → regression test): docs/SOKEN_AUDIT.md
Critical highlight — F-17
Soken's Foundry PoC reproduced a permanent vault brick: once totalSupply() returns to zero, the never-reset lastSharePrice baseline detonated the FeeTooHigh defensive guard on the next deposit and froze every entrypoint. Fixed in _accrue() + _withdraw(); the next deposit re-takes the lazy-init path and re-snaps the baseline cleanly.
Reproduced post-fix in test/v2/Vault.v21.spec.ts — test_f17_freshDepositAfterEmptyVault_doesNotBrick.
Verification at this tag
npx hardhat compile— 16 Solidity files OKnpx hardhat test— 92 passing (4 fork specs pending withoutFORK=true)npx hardhat test test/v2/Vault.v21.spec.ts— 14 V2.1-specific specs passingforge test --fuzz-runs 10000— 10 streaming-fee invariants × 10 000 iterations, zero failures
Status
Awaiting Soken remediation review against this tag. Production V2.0 contracts remain on-chain (immutable); V2.1 redeploy + voluntary V2.0 → V2.1 migration begins after the remediation review completes.
Commits
7f34422feat(v2.1): contracts — Soken APY-2026-06-001 remediation (9 findings)eacb892chore(v2.1): scripts — F-04g chain × strategy reward matrix + plumbinga30190atest(v2.1): hardhat V2.1 spec + sync existing V2 specs to new constructor sigs5e3bb50docs(v2.1): V2_DESIGN + TRUST_MODEL + SECURITY + new SOKEN_AUDIT — Soken remediation
Merged via PR #2.