
BaseVol is a next-generation on-chain options protocol delivering fast 0DTE trading, capital-efficient vault strategies, and institutional-grade product design. Backed by top-tier investors and a recipient of a Base grant, the protocol is built around high-throughput rounds, precise settlement flows, and a multi-vault architecture that integrates both BaseVol's prediction engine and external yield layers such as Morpho.
To uphold its commitment to safety and user trust, BaseVol engaged FailSafe to conduct a full-scope, multi-faceted audit across its Diamonds, Vaults, Managers, ClearingHouse, and Strategy contracts.
FailSafe’s role covered a deep inspection of epoch settlement logic, strategy valuation pipelines, BaseVolManager accounting, oracle feeds, and cross-protocol flows. This security review surfaced several critical vulnerabilities including permanent fund-loss vectors, share-price manipulation paths, unbounded loops causing settlement DoS, initialization risks, and multiple accounting inconsistencies.
We are pleased to report that all 35 findings were successfully resolved by the BaseVol team prior to final delivery.
Summary of Findings
Audit Date: 7th October – 20th October, 2025
Repository: https://github.com/stvol-official/basevol-contract
Report Date: 18 November 2025
| Severity | Total | Status |
|---|---|---|
| Critical | 9 | 9 Resolved |
| High | 8 | 8 Resolved |
| Medium | 11 | 11 Resolved |
| Low | 4 | 4 Resolved |
| Informational | 3 | 3 Resolved |
| Total | 35 | All Resolved |
1. 50-Epoch Claimability Window – Permanent Fund Loss
Status: Resolved
The Genesis Vault's claim logic skipped any epoch more than 50 epochs old, so users who did not claim within that window permanently lost those funds. FailSafe proposed paginated claiming, which the team implemented.
2. Auto-Processing Unbounded Loops – Complete Settlement DoS
Status: Resolved
Settlement logic iterated over every user in a single unbounded loop. With 1,000+ participants the transaction would exceed the block gas limit, so the round could never be settled. Paginated, progressive settlement was implemented.
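The two pagination fixes above (finding 1 for claims, finding 2 for settlement) share one pattern: persist a cursor on-chain and let each call advance it by a bounded amount. The Python model below is an added illustration of that pattern and is not BaseVol's Solidity; the gas figures (block limit, per-user and per-call cost) and the stake-refund payout rule are assumptions made so the model runs offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed gas figures for the model; not measured against BaseVol.
BLOCK_GAS_LIMIT = 30_000_000
GAS_PER_USER = 50_000
GAS_PER_CALL = 200_000


class OutOfGas(Exception):
    """Stands in for the EVM aborting a transaction that exceeds the block gas limit."""


@dataclass
class Epoch:
    stakes: List[Tuple[str, int]]                 # (user, stake) in submission order
    payouts: Dict[str, int] = field(default_factory=dict)
    cursor: int = 0                               # next participant index to settle
    finalized: bool = False


def gas_for_full_settlement(n_users: int) -> int:
    """Gas a single-transaction settlement would need under the model."""
    return GAS_PER_CALL + GAS_PER_USER * n_users


class SettlementEngine:
    def __init__(self) -> None:
        self.epochs: Dict[int, Epoch] = {}
        self.claimed: Dict[Tuple[str, int], bool] = {}

    def open_epoch(self, epoch_id: int, stakes: List[Tuple[str, int]]) -> None:
        self.epochs[epoch_id] = Epoch(stakes=list(stakes))

    def _settle_one(self, epoch: Epoch, index: int) -> None:
        user, stake = epoch.stakes[index]
        # Placeholder payout rule (assumed): every participant is paid back their stake.
        epoch.payouts[user] = epoch.payouts.get(user, 0) + stake

    def settle_all(self, epoch_id: int) -> int:
        """Vulnerable pattern: one transaction walks every participant."""
        epoch = self.epochs[epoch_id]
        gas = gas_for_full_settlement(len(epoch.stakes))
        if gas > BLOCK_GAS_LIMIT:
            raise OutOfGas(f"needs {gas} gas, block limit is {BLOCK_GAS_LIMIT}")
        while epoch.cursor < len(epoch.stakes):
            self._settle_one(epoch, epoch.cursor)
            epoch.cursor += 1
        epoch.finalized = True
        return gas

    def settle_batch(self, epoch_id: int, max_users: int) -> Tuple[int, int]:
        """Hardened pattern: settle at most max_users, capped to what fits in a block,
        and persist the cursor. Returns (processed, remaining). Calling again after
        finalization is a no-op, so no participant is ever settled twice."""
        epoch = self.epochs[epoch_id]
        if epoch.finalized:
            return 0, 0
        budget = (BLOCK_GAS_LIMIT - GAS_PER_CALL) // GAS_PER_USER
        end = min(len(epoch.stakes), epoch.cursor + min(max_users, budget))
        processed = 0
        while epoch.cursor < end:
            self._settle_one(epoch, epoch.cursor)
            epoch.cursor += 1
            processed += 1
        remaining = len(epoch.stakes) - epoch.cursor
        if remaining == 0:
            epoch.finalized = True
        return processed, remaining

    def claim(self, user: str, start_epoch: int, max_epochs: int) -> Tuple[int, int]:
        """Paginated claim over [start_epoch, start_epoch + max_epochs).
        Returns (amount, next_epoch) so the caller can resume; no epoch is ever
        dropped for being 'too old', and a claimed epoch is never paid twice."""
        amount = 0
        epoch_id = start_epoch
        while epoch_id < start_epoch + max_epochs:
            epoch = self.epochs.get(epoch_id)
            if epoch is None or not epoch.finalized:
                break                         # resume here once the epoch is settled
            if not self.claimed.get((user, epoch_id)):
                amount += epoch.payouts.get(user, 0)
                self.claimed[(user, epoch_id)] = True
            epoch_id += 1
        return amount, epoch_id
```

With 1,000 participants the single-call path needs 50.2M gas under these assumptions, above the 30M block limit, while four batched calls of 300 finish the same epoch; the fifth call returns (0, 0) rather than re-paying anyone. The claim cursor returns the next unclaimed epoch instead of silently discarding old ones.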
3. Critical Operator Functions Missing Pause Protection
Status: Resolved
Four BaseVol operator functions were not guarded by the pause mechanism, so settlement and price updates could still run during an emergency pause. Pause checks were added to all operator functions.
4. Donation Attack via Strategy – Extreme Inflation & Zero-Share Minting
Status: Resolved
Tokens transferred directly to strategy contracts, outside the deposit flow, were counted as vault assets. This inflated the share price so that a subsequent depositor's amount rounded down to zero shares while their tokens stayed in the vault. BaseVol implemented expectedBalance tracking and corrected strategy accounting so that untracked transfers no longer move the share price.
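To make the attack and the remediation concrete, here is an added Python model of the share-accounting pattern involved; it is not BaseVol's code. The 6-decimal asset, the attacker's 10,000-unit donation and the victim's 5,000-unit deposit are constructed inputs; the hardened variant prices shares off an internally tracked expected balance rather than the strategy's raw token balance, and additionally refuses a deposit that would mint zero shares.

```python
from dataclasses import dataclass, field
from typing import Dict

USDC = 10**6  # base units of a 6-decimal asset (constructed example)


@dataclass
class Vault:
    """Share-based vault whose assets sit in a separate strategy contract.

    strategy_balance: what the asset's balanceOf(strategy) would report.
    expected_balance: what the vault itself moved in or out via deposit/redeem.
    harden=False prices shares off strategy_balance (the vulnerable pattern);
    harden=True prices them off expected_balance (the remediation pattern).
    """
    harden: bool = False
    strategy_balance: int = 0
    expected_balance: int = 0
    total_shares: int = 0
    shares: Dict[str, int] = field(default_factory=dict)

    def total_assets(self) -> int:
        return self.expected_balance if self.harden else self.strategy_balance

    def deposit(self, user: str, amount: int) -> int:
        if self.total_shares == 0:
            minted = amount
        else:
            # Integer division: once total_assets() is inflated far above
            # total_shares, this rounds to zero and the depositor gets nothing.
            minted = amount * self.total_shares // self.total_assets()
        if self.harden and minted == 0:
            raise ValueError("deposit would mint zero shares")
        self.strategy_balance += amount
        self.expected_balance += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def redeem(self, user: str, share_amount: int) -> int:
        if self.shares.get(user, 0) < share_amount:
            raise ValueError("insufficient shares")
        payout = share_amount * self.total_assets() // self.total_shares
        self.shares[user] -= share_amount
        self.total_shares -= share_amount
        self.strategy_balance -= payout
        self.expected_balance -= payout
        return payout

    def donate(self, amount: int) -> None:
        """Plain ERC20 transfer into the strategy, bypassing deposit()."""
        self.strategy_balance += amount


def run_attack(harden: bool) -> Dict[str, int]:
    """Attacker deposits 1 base unit, donates 10,000 USDC; victim then deposits 5,000 USDC."""
    vault = Vault(harden=harden)
    vault.deposit("attacker", 1)
    vault.donate(10_000 * USDC)
    victim_shares = vault.deposit("victim", 5_000 * USDC)
    attacker_payout = vault.redeem("attacker", 1)
    return {"victim_shares": victim_shares, "attacker_payout": attacker_payout}
```

In the vulnerable configuration the victim receives zero shares and the attacker's single share redeems for the donation plus the victim's entire deposit. In the hardened configuration the donation does not touch the share price, the victim receives 5,000,000,000 shares and the attacker's share is worth exactly the one base unit they put in. The donated tokens are left stranded in the strategy rather than silently credited; how such excess is reconciled is a design decision this model does not take.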
5. Duplicate Order IDs – Accounting Corruption & Double-Spending
Status: Resolved
Order submissions were not checked against the expected next order ID, so a replayed order could be settled more than once. Full sequential-ID validation was added.
6. Fee Calculation Overflow – Complete Vault DoS
Status: Resolved
Incorrect precision constants caused management and performance fees to come out roughly one trillion times (1e12, the ratio between 18-decimal and 6-decimal scaling) too large on 6-decimal assets such as USDC, which would make any fee accrual revert and halt the vault. FLOAT_PRECISION fixes and sanity checks now ensure fee safety.
7. Force Withdrawal Zeroes Entire Balance – Direct Fund Loss
Status: Resolved
Force withdrawals reset the user's balance to zero instead of subtracting the withdrawn amount, wiping out whatever remained. The logic was corrected to subtract only the withdrawn amount.
8. No Validation of Share Price – Share Price Could Settle to Zero
Status: Resolved
Settlement could store an invalid share price, including zero, leading to division-by-zero in later calculations and permanently locking the epoch. Non-zero validation and deviation checks against the previous price were added.
9. Zero-Price Manipulation via Manual Override & Stale Oracle Data
Status: Resolved
Manual price overrides accepted arbitrary end prices, including zero, and Pyth price updates were consumed without checking their publish timestamp for freshness. Both paths were hardened with price validation and rejection of stale data.
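Findings 8 and 9 are both about a settlement price reaching storage without being checked. The Python below is an added example of a single validation gate that every price source, Pyth feed or operator override, must pass; it is not BaseVol's implementation. The bounds (60-second maximum age, 10% maximum deviation from the previous settled price, 1% maximum confidence width, 18-decimal internal scale) are assumptions, and the PythPrice dataclass mirrors the field layout of Pyth's Price struct (mantissa, confidence, exponent, publish time) rather than calling the real contract.

```python
from dataclasses import dataclass
from typing import Optional

PRICE_DECIMALS = 18          # internal settlement price scale (assumed)
MAX_AGE_SECONDS = 60         # reject feed data older than this (assumed bound)
MAX_FUTURE_SKEW = 5          # tolerate small clock skew, reject far-future stamps
MAX_DEVIATION_BPS = 1_000    # settlement may not move more than 10% from the last price
MAX_CONF_BPS = 100           # confidence interval must be within 1% of the price


class PriceRejected(ValueError):
    """Raised where the on-chain version would revert."""


@dataclass(frozen=True)
class PythPrice:
    """Mirrors Pyth's Price struct: value = price * 10**expo, published at publish_time."""
    price: int
    conf: int
    expo: int
    publish_time: int


def normalize(p: PythPrice) -> int:
    """Scale the Pyth mantissa to PRICE_DECIMALS fixed point."""
    shift = PRICE_DECIMALS + p.expo
    return p.price * 10**shift if shift >= 0 else p.price // 10**(-shift)


def validate_settlement_price(candidate: int, published_at: int, now: int,
                              previous: Optional[int]) -> int:
    """Common gate for every settlement price, whatever its source."""
    if candidate <= 0:
        raise PriceRejected("settlement price must be positive")
    if published_at > now + MAX_FUTURE_SKEW:
        raise PriceRejected("price timestamp is in the future")
    if now - published_at > MAX_AGE_SECONDS:
        raise PriceRejected("price is stale")
    if previous is not None and previous > 0:
        deviation_bps = abs(candidate - previous) * 10_000 // previous
        if deviation_bps > MAX_DEVIATION_BPS:
            raise PriceRejected(f"deviation of {deviation_bps} bps exceeds bound")
    return candidate


def settle_from_pyth(p: PythPrice, now: int, previous: Optional[int]) -> int:
    """Feed path: reject non-positive or low-confidence data, then apply the common gate."""
    if p.price <= 0:
        raise PriceRejected("non-positive Pyth price")
    if p.conf * 10_000 > p.price * MAX_CONF_BPS:
        raise PriceRejected("confidence interval too wide")
    return validate_settlement_price(normalize(p), p.publish_time, now, previous)


def settle_from_manual_override(price: int, now: int, previous: Optional[int]) -> int:
    """Override path: an operator-supplied price goes through the same gate,
    so it can neither be zero nor jump arbitrarily from the last settled price."""
    return validate_settlement_price(price, now, now, previous)


def accepted(fn, *args) -> bool:
    """Boolean wrapper for callers that prefer a verdict to an exception."""
    try:
        fn(*args)
        return True
    except PriceRejected:
        return False
```

The deviation check is what catches an override that is merely wrong rather than zero; the freshness check is what stops a Pyth update from an hour ago being replayed into settlement. Both checks need the previous settled price and the current block time, which is why the gate takes them as explicit inputs.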
Read more about the findings in the full report here.
BaseVol’s Security Posture
Throughout this audit, the BaseVol team demonstrated exceptional responsiveness, engineering maturity, and a deep commitment to protocol security. The team engaged proactively, implemented every fix, and collaborated closely throughout every remediation cycle.
BaseVol's architecture, spanning Diamonds, Vaults, ClearingHouse modules, epoch engines, and multi-protocol strategy integrations, is complex and high-performance. The team's thorough remediation across all findings reflects a strong dedication to building a safe and resilient trading layer for on-chain options.
FailSafe commends BaseVol for its transparent process, rapid turnaround, and excellence in engineering quality.
FailSafe’s Closing Remarks
Our collaboration with BaseVol extended beyond a standard audit – it was a deep technical partnership focused on precision, safety, and long-term reliability.
As BaseVol continues its growth across the Base ecosystem, FailSafe remains committed to supporting the protocol as a strategic security partner and ensuring the safety of its vaults, strategies, and traders.