Adamant Finance

NEW REVIEW
Adamant Finance is a complex yield optimization protocol with a significant number of vaults and strategies. Since it has such a high amount of strategies, it is extremely difficult for us to give a proper risk assessment of the hard-rug risks of this project. However, since a few weeks of the writing of this review, most of their vaults have actually become verified which means that potential exploiters have had their chance to take a look at it as well.

After a rough scan we can give some very rough examples of their governance powers, which seem to be relatively limited, making the project look relatively decentralised for people who don’t hold the native token:

• Performance fee up to 30%
• Deposit fee up to 10%
• Withdrawal fee up to 5%
• Withdrawal delay up to 30 days
• Minter system (which means they can add new arbitrary minters, after the expiry of their 24 hour timelock). Minter systems come with the weakness that potentially a single weak vault or strategy (jar) that uses the minter could lead to an arbitrary number of tokens being minted. Most recently Merlin was victim to such an attack. In the few strategies we checked, we did not immediately find such vulnerabilities.
  • Mints an extra 15% of minted tokens to the developers

All though the system looks non-custodian overall, we sincerely look forward to seeing a reputable audit over all of the vaults. Not only to ensure the safety of the individual vaults, but mainly also to ensure that not a single vault can be exploited into minting an abundance of tokens. It would be ideal that this audit comes from a high-end auditor and that it covers all vaults.

Audits:
* Certik (Mid-Tier): In progress, seems to be delayed due to disagreements between adamant and Certik about the report
* TechRate (Low-Tier)

We reserve the right to not review exceedingly complex projects that would require tens of thousands of dollars of senior security analyst man hours. Typically these are projects that deal with leverage, lending, options, derivatives, and anything that is overly complex, either in the project itself, or in its underlying layers and which requires tons of peer reviews and audits from top audit companies. Since our resources are stretched thin and we don’t have the funding for these kind of massive endeavors, we may pass on projects that meet this level of complexity. DYOR.

OLD REVIEW

Vault for Polygon — spot checked most popular vault of IRON-USDC and it is unverified and therefore a black box as to what the underlying code contains.  Asked in their Telegram about verifying it, they said they are not able to verify it and that’s the end of it.  Has a Tech Rate audit of their Github which is completely insufficient in scope for the complexity of the projects PLUS you don’t even know if they deployed the same contracts because once again — everything is unverified.

Newish vault + unverified contracts +  insufficient audit + existing operational and governance type of risks involved in these type of projects = highest risk grade of project.

Mitigating factors: It honestly is VERY hard if not difficult to verify a code this complex on maticvigil- the explorer is very limited and verification is HARD for even basic projects. The github code is indeed clean looking and no overt rugs found on inspection. Team has a large, cross chain, solid reputation.

UPDATE Since Polygonscan came out, we were thinking they would verify their strats, but they still have not.  For example: https://polygonscan.com/address/0xb1c33832a94fd922caed659b7bc42bfcfc574cf9.  Thus, there are no further updates.

UPDATE 2 We’ve marked this as ‘High Risk’ because their Strategy contract is UNVERIFIED. The current MC has the ability to add withdrawal penalty to Emergency Withdraw, which is absolutely horrendous. There’s a migrate function that allows them to switch out contracts.

UPDATE 3: The contracts are now verified and we’ve scheduled to review the protocol on by the 9th of July