Goldilocks Core - Goldilocks


Prepared by:

HALBORN

Last Updated 12/11/2024

Date of Engagement: November 14th, 2024 - November 19th, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings: 7
Critical: 0
High: 0
Medium: 0
Low: 2
Informational: 5


1. Introduction

Goldilocks engaged Halborn to conduct a security assessment on their GoldiVault and WeethGoldiVault Solidity smart contracts beginning on November 14th, 2024 and ending on November 19th, 2024. The security assessment was scoped to the smart contracts provided in the Goldilocks-core GitHub repository; commit hashes and further details can be found in the Scope section of this report.


Goldilocks yield splitting vaults allow users to deposit assets, split them into ownership and yield tokens, and trade these tokens to unlock immediate liquidity from the future earnings of yield-bearing positions on Berachain's DeFi protocols. Goldivault is the base contract for our yield tokenization platform and WeethGoldiVault is a specific example of a vault contract that inherits from Goldivault.

2. Assessment Summary

The team at Halborn assigned one full-time security engineer to check the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing and smart-contract hacking skills, and deep knowledge of multiple blockchain protocols.


The purpose of this assessment is to:

    • Ensure that smart contract functionality operates as intended

    • Identify potential security issues with the smart contracts


In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were partially addressed by the Goldilocks team. The main ones were the following:

    • Add validations in the renew function to ensure all tokens from the previous cycle are redeemed before renewal of the vault parameters.

    • Enforce logical constraints in initializeProtocol, changeProtocolParameters, and constructor to cap fees below 100% and validate '_depositWindow' is less than '_duration'.
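The two recommendations above, sketched as an added example that is not Goldilocks' code: a hypothetical vault whose constructor, parameter update and renew share one validation path, with fee units (basis points), the deposit window/duration fields and the outstanding-token counters all assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical vault sketch (not Goldilocks' code): fees capped below 100%,
/// depositWindow < duration, and renew() refusing to run while tokens from the
/// previous cycle are still outstanding.
contract ParameterizedVault {
    uint256 public constant BPS = 10_000;      // 100% in basis points
    uint256 public yieldFeeBps;                // assumed fee parameter
    uint256 public depositWindow;              // seconds deposits are accepted
    uint256 public duration;                   // full cycle length in seconds
    uint256 public cycleStart;
    uint256 public ownershipTokensOutstanding; // assumed OT supply tracking
    uint256 public yieldTokensOutstanding;     // assumed YT supply tracking
    address public immutable owner;

    error InvalidFee(uint256 feeBps);
    error InvalidWindow(uint256 depositWindow, uint256 duration);
    error TokensOutstanding(uint256 ot, uint256 yt);
    error CycleActive();
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint256 _feeBps, uint256 _depositWindow, uint256 _duration) {
        owner = msg.sender;
        _setParameters(_feeBps, _depositWindow, _duration);
        cycleStart = block.timestamp;
    }

    // One validation path for the constructor, initializeProtocol-style setup and
    // changeProtocolParameters, so the invariants cannot drift between entry points.
    function _setParameters(uint256 _feeBps, uint256 _depositWindow, uint256 _duration) internal {
        if (_feeBps >= BPS) revert InvalidFee(_feeBps);
        if (_duration == 0 || _depositWindow >= _duration) revert InvalidWindow(_depositWindow, _duration);
        yieldFeeBps = _feeBps;
        depositWindow = _depositWindow;
        duration = _duration;
    }
    function changeProtocolParameters(uint256 _feeBps, uint256 _depositWindow, uint256 _duration) external onlyOwner {
        _setParameters(_feeBps, _depositWindow, _duration);
    }

    // Renew only after the cycle ended and every OT/YT from it was redeemed, so no
    // holder is left with claims priced against parameters that changed underneath them.
    function renew(uint256 _feeBps, uint256 _depositWindow, uint256 _duration) external onlyOwner {
        if (block.timestamp < cycleStart + duration) revert CycleActive();
        if (ownershipTokensOutstanding != 0 || yieldTokensOutstanding != 0) {
            revert TokensOutstanding(ownershipTokensOutstanding, yieldTokensOutstanding);
        }
        _setParameters(_feeBps, _depositWindow, _duration);
        cycleStart = block.timestamp;
    }
}
```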


3. Scope

Files and Repository
(a) Repository: goldilocks-core
(b) Assessed Commit ID: b694904
(c) Items in scope:
  • src/core/goldivault/Goldivault.sol
  • src/core/goldivault/WeethGoldivault.sol
Out-of-Scope: Third party dependencies and economic attacks.
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysis | Risk level | Remediation
Potential Loss of Rewards Due to Renew Function | Low | Solved - 11/26/2024
Lack of Logical Limits for Parameters | Low | Risk Accepted - 11/26/2024
Missing Non-Reentrancy Protection | Informational | Solved - 11/26/2024
Insufficient Validation for Yield Tokens Operations | Informational | Acknowledged - 11/26/2024
Unlimited Token Approvals in Constructor | Informational | Solved - 11/26/2024
Inadequate Validation for Zero Values and Addresses | Informational | Solved - 11/26/2024
Missing Comprehensive Validations in buyYT and sellYT | Informational | Solved - 11/26/2024

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

© Halborn 2024. All rights reserved.