Flagship-grade AI review of a 302-line contract returned zero high-severity findings. The newly published report surfaced a variety of novel but non-critical observations.
"At first, I was skeptical about AI audits. But with Firepan, it feels like guys are doing what marketing says Mythos can do: on par with top-notch human auditors."
— Michael Egorov, Founder, Yield Basis & Curve Finance
Here's the story…
Yield Basis is the impermanent-loss-eliminating Bitcoin yield protocol founded by Curve Finance creator Michael Egorov. Built on Curve's five-year infrastructure foundation, the protocol uses 2× compounding leverage to neutralize impermanent loss in automated market makers — a long-standing hard problem in DeFi.
The protocol holds a 60M crvUSD credit line approved by the Curve DAO and operates three Bitcoin-focused pools on Ethereum mainnet. Funds are real, the bar is high, and the standard of scrutiny is the same standard Curve itself is held to.
Modern DeFi protocols are built from a small number of large, deeply audited core contracts — and a much larger surrounding ecosystem of small, ancillary contracts. Fee splitters, zaps, oracle adapters, vesting escrows. A few hundred lines each. Usually straightforward. Often considered too simple to warrant a full human audit, which can cost upwards of hundreds of thousands of dollars and take months.
The uncomfortable truth of DeFi security is that this is also where the largest losses tend to happen. A contract simple enough that the senior team didn't think twice — a single misconfigured access control, a single off-by-one in a loop bound, a single mis-cast type — and customer funds are gone. The contracts most teams don't audit are the contracts that bleed.
The Yield Basis FeeDistributor is exactly this kind of contract. 302 lines of Vyper. Holds protocol fees pending distribution to veNFT lockers. Deployed to Ethereum mainnet in September 2025. The Yield Basis team had tested it carefully and was confident in its behavior — but given the successful launch, wanted additional scrutiny on this critical infrastructure. Egorov, in his own words: "it only holds fees for the distribution and has admin rug methods if something happens... I proceeded carefully, testing it well."
The team brought Firepan in to prove the live deployment was safe, and to document everything worth documenting about the contract for anyone who might ever reuse it.
Firepan ran the engagement across five successive probe rounds in April 2026, powered by Claude Opus and the proprietary HOUND engine with fp-check verification gates. Each round produced deliberately aggressive severity claims — and each finding was then rebaked against the actual mainnet threat model: 716 active veNFTs, 2,202 claims processed, four whitelisted LP tokens with no fee-on-transfer, rebasing, or blocklist behavior.
Several round-four high- and medium-severity claims fell to lower severities during the rebake. An honest audit downgrades its own findings when the evidence demands it. That intellectual discipline is the foundation of the trust the engagement built.
The methodology layered five adversarial token mocks across every transfer path, a forked-mainnet invariant suite, and a six-user twenty-operation interleaved test verifying mass conservation wei-exact. A skeptical external reviewer of the round-four report objected that single-shape proofs-of-concept were not full envelope coverage. Firepan answered with a 5×3 hostile-token matrix, a cardinality cross-product sweep, nine dead-window class shapes, and a full week-boundary timing fuzz.
Firepan's Hound engine builds a knowledge graph as part of every deep-audit onboarding: contracts, functions, storage slots, roles, events, and the relationships between them — extracted directly from source and rendered for human review before any finding-surfacing work begins. The view below is the unedited graph produced for the Yield Basis FeeDistributor.
Across 22 probed attack surfaces and approximately 50 deterministic proofs-of-concept, Firepan delivered an exoneration report on the live Yield Basis FeeDistributor contract: zero high-severity findings on mainnet code, and one medium, six low, and thirteen informational observations — every one of them accepted by the Yield Basis team. The full Firepan audit report is published alongside this case study.
Critically, the medium- and low-severity observations are not active risks to the live Yield Basis deployment. They are governance-tier properties and deployment-time considerations:
— A dead-epoch DoS class reachable only at fresh deployment, when total_votes can be zero. Yield Basis's own deployment workflow requires non-zero votes before deployment is possible, so the live contract was never exposed. A future team reusing this contract for their own fee distribution needs to know about it — and now they do.
— A token-set cardinality bound at 50 entries. Becomes consequential only if more than 50 token sets are added within a single epoch — operationally implausible at any reasonable governance cadence. Yield Basis is publishing it so any future governance process knows the operational envelope.
— Two VESTING_ESCROWS registry properties surfaced in the final probe round — both code-level invariants useful to anyone reasoning about admin-recoverable tokens.
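To make the mass-conservation check and the first two observations above concrete, here is a small Python model of an epoch-based fee distributor. It is an added illustration, not the Yield Basis FeeDistributor's Vyper source: it assumes a pro-rata split of `fees * votes / total_votes` in integer arithmetic, a deployment-time guard that refuses to open an epoch with zero votes, and a hypothetical `MAX_TOKEN_SETS` constant set to the 50-entry bound quoted in the report. The harness replays an interleaved claim order and asserts, wei-exact, that balance plus payouts equals deposits, that the contract is never overdrawn, and that leftover rounding dust stays bounded rather than leaking.

```python
from dataclasses import dataclass, field

MAX_TOKEN_SETS = 50          # cardinality bound quoted in the report (name is assumed)


class Revert(Exception):
    """Stand-in for an EVM revert."""


@dataclass
class Epoch:
    fees: int                              # fee tokens deposited for this epoch (wei)
    votes: dict                            # veNFT id -> vote weight
    token_sets: list = field(default_factory=list)

    @property
    def total_votes(self) -> int:
        return sum(self.votes.values())


class FeeDistributor:
    """Toy model: per-epoch pro-rata fee split in integer arithmetic."""

    def __init__(self, guard_zero_votes: bool = True):
        self.guard_zero_votes = guard_zero_votes
        self.epochs: dict = {}
        self.balance = 0                   # tokens the contract currently holds
        self.deposited = 0                 # lifetime deposits (for the invariant)
        self.paid: dict = {}               # veNFT id -> cumulative payout
        self.claimed: set = set()          # (epoch, veNFT) pairs already paid

    def deposit_fees(self, epoch_id: int, fees: int, votes: dict) -> None:
        # Deployment-time guard: an epoch with total_votes == 0 could never be
        # claimed from (every claim would divide by zero), so refuse to open one.
        if self.guard_zero_votes and sum(votes.values()) == 0:
            raise Revert("epoch would be dead: total_votes == 0")
        self.epochs[epoch_id] = Epoch(fees, dict(votes))
        self.balance += fees
        self.deposited += fees

    def add_token_set(self, epoch_id: int, name: str) -> None:
        ep = self.epochs[epoch_id]
        if len(ep.token_sets) >= MAX_TOKEN_SETS:
            raise Revert("token-set cardinality bound reached")
        ep.token_sets.append(name)

    def claim(self, epoch_id: int, venft_id: int) -> int:
        ep = self.epochs[epoch_id]
        if (epoch_id, venft_id) in self.claimed:
            return 0                       # idempotent: no double payment
        if ep.total_votes == 0:
            raise Revert("dead epoch: division by zero")   # the DoS class
        amount = ep.fees * ep.votes.get(venft_id, 0) // ep.total_votes
        self.claimed.add((epoch_id, venft_id))
        self.balance -= amount
        self.paid[venft_id] = self.paid.get(venft_id, 0) + amount
        return amount


def interleaved_run(fees_per_epoch: list, votes: dict, order: list) -> dict:
    """Replay `order`, a list of (epoch, veNFT) claims, and return the
    mass-conservation evidence a fuzz harness would assert on."""
    d = FeeDistributor()
    for e, fees in enumerate(fees_per_epoch):
        d.deposit_fees(e, fees, votes)
    for e, v in order:
        d.claim(e, v)
        assert d.balance >= 0, "contract overdrawn"
    total_out = sum(d.paid.values())
    # wei-exact: nothing leaves the system except through claim()
    assert d.balance + total_out == d.deposited
    # rounding dust is bounded by the number of (epoch, claimant) pairs, never a leak
    assert d.balance < len(fees_per_epoch) * len(votes)
    return {"in": d.deposited, "out": total_out, "dust": d.balance}


def dead_epoch_outcome(guarded: bool) -> str:
    """Where a zero-vote epoch fails: at deposit (guarded) or at claim (unguarded)."""
    d = FeeDistributor(guard_zero_votes=guarded)
    try:
        d.deposit_fees(0, 10**18, {1: 0, 2: 0})    # constructed: nobody has voted yet
    except Revert:
        return "deposit reverted"
    try:
        d.claim(0, 1)
    except Revert:
        return "claim reverted"
    return "claim succeeded"


def token_set_bound_reached(n: int) -> bool:
    """True if adding n token sets to one epoch trips the cardinality bound."""
    d = FeeDistributor()
    d.deposit_fees(0, 0, {1: 1})
    try:
        for i in range(n):
            d.add_token_set(0, f"set{i}")
    except Revert:
        return True
    return False
```

With the guard in place the zero-vote epoch fails loudly at deployment, which is the behaviour a reusing team wants; without it the failure surfaces only when the first claimant calls in, which is the dead-epoch DoS shape described above.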
This is the value of a flagship-grade AI review on a small, mission-critical contract: not a list of fires to put out, but a complete and meticulous catalog of every property worth knowing. The Yield Basis team can now point to a published, externally-reviewed report when questions about FeeDistributor safety come up. Future teams that fork or adapt the contract inherit the documentation they need to deploy safely.
The economics of smart contract auditing have a structural gap. Big, complex protocols get four-month human audits — and they should. Small ancillary contracts — fee splitters, zaps, oracle adapters, vesting helpers — usually don't, because the per-line cost of a traditional audit makes it commercially absurd to spend $50,000 on three hundred lines of code. So the small contracts ship under-scrutinized. And the small contracts are where the exploits happen.
The Yield Basis engagement is the cleanest demonstration to date of what closes that gap: an AI-led adversarial audit, five rounds deep, with deterministic verification gates, delivered in days rather than months, at a fraction of the cost of a flagship human audit — and producing a report the protocol's founder is willing to publish under his own name.
This is the use case Firepan was built for. Not as a replacement for the four-month human audit on a CryptoSwap-class contract, but as the security layer that makes it economically possible for every protocol to give every contract — including the small, simple, mission-critical ones — the scrutiny they deserve.
For Egorov, who had previously been more skeptical of AI capabilities, two audits conducted concurrently for Yield Basis and Curve changed his view. The Curve audit remains under private review ahead of its expected public release.