Approach to security
The Harvest contract system has been deployed onchain continuously since 2020. Across that period the codebase has been reviewed by four independent security firms. Each report is published in full at the source, linked below alongside a concise summary of the substantive findings.
Audits provide point-in-time assurance and are an input to the security posture of a system, not a guarantee of it. Smart-contract risk persists in audited systems and is treated as a standing category on the risk framework page.
Audit reports
All reports are published at harvest-finance/harvest/audits. Summaries below cover substantive findings; refer to the source PDF for the full scope, methodology and severity classification used by each firm.
Haechi
One major-severity finding and five minor findings. The major finding had been independently surfaced and remediated prior to publication. Of the five minor findings, four were classified as intentional design properties of the protocol's decentralization model rather than defects; the remaining item was remediated.
PeckShield
The primary finding addressed the privileged role of the 0xf00d deployer address. A timelock mechanism was introduced in response, providing depositors with a guaranteed exit window before any deployer action takes effect. A separate issue in CRVStrategyStable.depositArbCheck() was identified independently and patched prior to publication of the final report. The remaining items were informational or reflected explicit design decisions in the protocol architecture.
CertiK
One minor-severity finding, classified as a false positive after review: the described conditions are not reachable under the production deployment and configuration. Remaining items were optimization recommendations and language-level alternatives with no security impact.
Halborn
A January 2025 review of Harvest's core vault infrastructure. The full report is published on GitHub.
Reporting an issue
Security disclosures, suspected vulnerabilities, and responsible-disclosure inquiries should be sent to support@harvest.finance. Please include reproduction steps, the affected contract address or interface, and a contact channel for follow-up.
We aim to acknowledge verified reports within two business days. Coordinated disclosure is appreciated where the vulnerability could be exploited before a remediation lands.
Scope and caveats
The audits listed above cover the Harvest smart-contract system at the points in time when each engagement was conducted. Subsequent contract deployments, vault redesigns, and integrations with third-party protocols are not automatically in scope. Where a third-party protocol is integrated (for example a lending market or AMM that a Harvest vault deposits into), the security of that third-party protocol is governed by its own audit history, not by ours.
The full set of risks that can affect a Harvest deposit, and the categories we use to communicate them on individual product pages, are documented on the risk framework page. The legal disclaimer that accompanies all of this is the Risk Disclosures statement.