Security
Core Protocol Audits​
Full security reviews of the Mellow MetaVaults core architecture, including Vault, Subvault, queues, Oracle, Verifier, ShareManager, FeeManager, and RiskManager.
| Report | Auditor | Date | Scope | Commit |
|---|---|---|---|---|
| Mellow Core Vaults | Sherlock | 2025-07-28 | Modular vault infrastructure for institutional-grade asset management on EVM chains | c2d66f3 |
| Mellow Core Vaults | Nethermind | 2025-09-03 | Core protocol contracts: Vault, Subvault, queues, Oracle, Verifier, and managers | 69413d5 |
Module and Incremental Audits​
Focused reviews of individual modules and contract updates.
| Report | Auditor | Date | Scope | Commit |
|---|---|---|---|---|
| NM-0682 Migrator | Nethermind | 2025-10-15 | Migrator contract for migrating MultiVault instances into new core vaults | a04e285 |
| NM-0703 Oracle Submitter | Nethermind | 2025-11-17 | OracleSubmitter — Chainlink-compatible price feed adapter for oracle price reports | d3bf393 |
| NM-0735 Swap Module | Nethermind | 2025-11-19 | SwapModule for permissioned token swaps via DEX aggregators and CoW Protocol | 688382e |
| NM-0758 SyncDepositQueue | Nethermind | 2025-12-09 | SyncDepositQueue for instant synchronous deposits with oracle-price-based adjustment | f4c311b |
| NM-0798 BurnableTokenizedShareManager | Nethermind | 2026-01-07 | BurnableTokenizedShareManager enabling public ERC20 burn/burnFrom for vault shares | 09d8155 |
| NM-0812 Redeem Queue Fee Fix | Nethermind | 2026-01-21 | Fee transfer fix from ShareManager to feeRecipient via burn and mint | 685be83 |
| NM-0758 SyncDepositQueue | Nethermind | 2026-03-02 | Updated review of SyncDepositQueue reflecting a fix identified on Feb 27, 2026 | c9c7181 |
Bug Bounty​
Mellow Core Vaults Bug Bounty is a live bug bounty on the Sherlock platform, inviting security researchers to find and report vulnerabilities in the Mellow Core Vaults system. The program offers up to 100,000 USDC in rewards for valid findings and is part of Sherlock's ongoing post-deployment security incentives.