Yield protocols are brutal to audit. Share accounting, strategy routing, oracle trust, ERC4626 integrations — any single miscalculation can drain a vault. BakerFi's Code4rena 2024-12 contest put all of these in one codebase: 2,028 lines of Solidity, seven high-severity bugs confirmed by human wardens, a $X0K bounty pool. We ran our AI audit engine against it and caught six of the seven.
The Results
86% High Detection (6/7)
50% Medium Detection (8/16)
2,028 Lines of Solidity
~3h Total Audit Time
BakerFi is the kind of protocol where automated tools miss almost everything important. Vault share math lives in one contract, strategy accounting in another, and the exploits hide in how they interact. This benchmark is about whether an AI can follow that cross-contract thread.
The Target: BakerFi Yield Vaults
BakerFi is a multi-strategy yield vault protocol built around ERC4626. Users deposit into a vault, the vault routes capital across strategies, and a router contract lets users interact with the system via multicalls. That design surface includes:
Protocol Surface
ERC4626 share accounting
Two places compute share prices — the vault itself and the strategy adapter. When those disagree, value leaks.
Strategy routing
MultiStrategy contract deploys and undeploys capital across sub-strategies based on configured weights. Allowances and balances track across both.
Pull-style approvals
VaultRouter takes user permission to move tokens. Any validation gap in the router becomes an allowance drain for the entire user base.
Oracle-dependent strategies
Leverage strategies rely on oracle reads. Mismatched freshness between read paths creates share-price manipulation windows.
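The pull-style approval risk above is easiest to see in a toy ledger. The following Python is an added illustration, not BakerFi's VaultRouter or the audit engine's output: it mirrors ERC20 approve/transferFrom, then shows a router entry point that takes the token owner from calldata next to one that only spends msg.sender's allowance, both driven through a multicall as a router would. The function names, the ROUTER address and Alice's balance are assumed for the example; the same shape applies when the pulled token is a vault share rather than a plain ERC20.

```python
from __future__ import annotations

# Added toy model, not BakerFi's VaultRouter. Function names, the ROUTER
# address and Alice's balance are assumed for the illustration.

ROUTER = "router"  # address of the router contract in this toy ledger


class Token:
    """Minimal ERC20-like ledger: balances and (owner, spender) -> allowance."""

    def __init__(self, balances: dict[str, int]) -> None:
        self.balance = dict(balances)
        self.allowance: dict[tuple[str, str], int] = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        """ERC20.transferFrom semantics: `spender` spends `owner`'s allowance."""
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or amount > self.balance.get(owner, 0):
            raise PermissionError(f"{spender} may not move {amount} from {owner}")
        self.allowance[(owner, spender)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount


def pull_tokens_unsafe(token: Token, caller: str, owner: str, amount: int, to: str) -> None:
    """Vulnerable shape: `owner` comes from calldata and `caller` is never
    compared to it, so anyone can spend any allowance granted to the router."""
    token.transfer_from(ROUTER, owner, to, amount)


def pull_tokens_safe(token: Token, caller: str, amount: int, to: str) -> None:
    """Hardened shape: the router only ever spends msg.sender's own allowance."""
    token.transfer_from(ROUTER, caller, to, amount)


def multicall(token: Token, caller: str, calls: list[tuple]) -> None:
    """Run a batch of router calls in one transaction; the router, not the
    batch author, supplies the real caller (msg.sender) to every call."""
    for fn, kwargs in calls:
        fn(token, caller, **kwargs)


def drain_via_unsafe_router() -> int:
    """Alice approved the router once (normal UX); a stranger pulls her tokens."""
    token = Token({"alice": 1_000, "attacker": 0})
    token.approve("alice", ROUTER, 1_000)
    multicall(token, "attacker", [
        (pull_tokens_unsafe, {"owner": "alice", "amount": 1_000, "to": "attacker"}),
    ])
    return token.balance["attacker"]


def drain_via_safe_router() -> int:
    """Same attempt against the hardened router: the pull reverts, nothing moves."""
    token = Token({"alice": 1_000, "attacker": 0})
    token.approve("alice", ROUTER, 1_000)
    try:
        multicall(token, "attacker", [
            (pull_tokens_safe, {"amount": 1_000, "to": "attacker"}),
        ])
    except PermissionError:
        pass  # the revert is the expected outcome
    return token.balance["attacker"]


if __name__ == "__main__":
    print("unsafe router, attacker balance:", drain_via_unsafe_router())
    print("safe router, attacker balance:", drain_via_safe_router())
```

The point to carry into a review of any pull-style router: every transferFrom the router issues must name msg.sender (or a signer the router has itself verified) as the owner. An owner argument that the caller controls turns every standing approval into a protocol-wide drain, and a multicall wrapper does not change that because the router still supplies the same msg.sender to each inner call.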
Every High-Severity Finding
C4 High Finding and detection result:
- H-01: Users may encounter losses on ERC4626 deposits via StrategySupplyERC4626 (DETECTED)
- H-02: Anyone can call StrategySupplyBase.harvest, fee evasion (DETECTED)
- H-03: _deployedAmount not updated on undeploy, preventing fee collection (DETECTED)
- H-04: Decimal conversion issues between vault and strategy (DETECTED)
- H-05: pullTokensWithPermit allows attackers to steal tokens (MISSED)
- H-06: VaultRouter allowance exploit for ERC20 tokens (DETECTED)
- H-07: VaultRouter allowance exploit for ERC4626 tokens (DETECTED)
Six of seven highs caught. The one we missed (H-05, permit signature replay in pullTokensWithPermit) is a real weakness in our current coverage for EIP-2612 integration patterns and is now on our detection roadmap.
What We Rated Medium That C4 Flagged as High
Three of the six Highs we detected were rated Medium by our severity calibrator even though C4 rated them High. That is the recalibration rules working as designed: the engine downgrades findings that need additional preconditions before they are exploitable. The bugs were surfaced either way and count as detections in the table above; only the severity labels diverge, because our ruleset is stricter about what qualifies as High.
Medium-Severity Coverage
8/16 Medium Findings Detected
- M-05: Deposit Limit Bypass
- M-12: Oracle Manipulation
- M-16: Share Inflation Attack
Notable mediums we caught include the classic first-depositor share inflation attack (M-16), oracle freshness mismatch enabling share-price manipulation in leverage strategies (M-12), and a DoS vector in MultiStrategy.deploy when a sub-strategy reverts (M-04).
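The first-depositor share inflation attack (M-16) is a rounding problem, so it is worth seeing the integer math. The following Python is an added simulation, not BakerFi's vault code: a naive ERC4626 vault (first deposit mints 1:1, later deposits mint assets * totalSupply / totalAssets rounded down) beside one that adds virtual shares and one virtual asset in the style of OpenZeppelin's ERC4626 decimals offset. The attack sequence, the 10,000-token donation and the victim deposit are constructed amounts; the offset of 3 is an assumption, not a value taken from the protocol.

```python
from __future__ import annotations

# Added simulation, not BakerFi's vault. Amounts, the attack sequence and the
# decimals offset (3) are constructed for the illustration.

WAD = 10**18


class NaiveVault:
    """Share math straight from the EIP-4626 reference formulas, no mitigation."""

    def __init__(self) -> None:
        self.total_assets = 0  # tokens the vault holds, including direct transfers
        self.total_shares = 0
        self.shares: dict[str, int] = {}

    def to_shares(self, assets: int) -> int:
        if self.total_shares == 0:
            return assets  # first depositor is minted 1:1
        return assets * self.total_shares // self.total_assets  # rounds down

    def to_assets(self, shares: int) -> int:
        if self.total_shares == 0:
            return 0
        return shares * self.total_assets // self.total_shares

    def deposit(self, who: str, assets: int) -> int:
        minted = self.to_shares(assets)
        self.total_assets += assets
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets: int) -> None:
        """Plain ERC20 transfer to the vault: inflates totalAssets, mints nothing."""
        self.total_assets += assets

    def redeem(self, who: str) -> int:
        """Burn all of `who`'s shares and pay out the corresponding assets."""
        burned = self.shares.pop(who, 0)
        out = self.to_assets(burned)
        self.total_shares -= burned
        self.total_assets -= out
        return out


class OffsetVault(NaiveVault):
    """Same vault with 10**offset virtual shares and one virtual asset, so the
    share price can no longer be pushed to astronomical values with 1 wei."""

    def __init__(self, offset: int = 3) -> None:
        super().__init__()
        self.virtual_shares = 10**offset

    def to_shares(self, assets: int) -> int:
        return assets * (self.total_shares + self.virtual_shares) // (self.total_assets + 1)

    def to_assets(self, shares: int) -> int:
        return shares * (self.total_assets + 1) // (self.total_shares + self.virtual_shares)


def run_inflation_attack(vault: NaiveVault, donation: int = 10_000 * WAD,
                         victim_deposit: int = 10_000 * WAD) -> dict[str, int]:
    """Attacker front-runs the first real deposit: 1 wei deposit, then a direct
    transfer that inflates the share price so the victim's deposit rounds down."""
    vault.deposit("attacker", 1)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    attacker_out = vault.redeem("attacker")
    victim_out = vault.redeem("victim")
    return {
        "victim_shares": victim_shares,
        "attacker_profit": attacker_out - 1 - donation,
        "victim_loss": victim_deposit - victim_out,
    }


if __name__ == "__main__":
    print("naive :", run_inflation_attack(NaiveVault()))
    print("offset:", run_inflation_attack(OffsetVault(3)))
```

Against the naive vault the victim is minted zero shares and the attacker walks away with the whole deposit. Against the offset vault the same sequence mints the victim shares, leaves the attacker roughly half of the donation out of pocket, and caps the victim's rounding loss at a tiny fraction of the deposit; the attack still costs the attacker far more than it costs the victim, which is what makes it unprofitable.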
Why This Benchmark Matters
BakerFi isn't a toy protocol. It's 2,028 lines of production Solidity with ERC4626 share math, cross-contract strategy routing, and oracle-dependent leverage — exactly the class of codebase where simple pattern matchers fail. Getting 86% of the high-severity bugs on a protocol like this is a real capability claim, not a theoretical one. Our published detection rate is measured, not marketed.
The Honest Comparison
What We Caught
- Cross-contract fee evasion via unprotected harvest
- Router allowance exploits for ERC20 and ERC4626 tokens
- Decimal conversion mismatches between vault and strategy
- Oracle manipulation and share inflation attacks
What We Missed (the one missed High, H-05, and a selection of the missed Mediums)
- EIP-2612 permit-signature replay theft (H-05)
- DAI-style permit signature incompatibility
- Reentrancy in router multicall execution
- Strategy weight rebalance edge cases
We publish what we find and what we miss. That's the only way benchmarks mean anything.
Try It Yourself
86% High Severity Found
6/7 High-Severity Bugs Caught
2,028 SLOC Audited
PoC: every detected High verified with a runnable proof of concept
Upload your contracts, get a verified audit with runnable PoCs. We publish the detection rates so you know exactly what you're paying for.