dRdefRes
Beefy logo

Beefy

TierΒ 2

beefy

Yield Aggregator
ArbitrumAuroraAvalancheBaseBerachainBinance

Beefy automates yield farming to make DeFi easy, safe and efficient for all. By autocompounding your tokens, Beefy unlocks higher returns so you earn more of what you love.

5.9Safety Score65% confidence

Latest TVL

$117.06M

DeFiLlama Β· updated 5/20/2026

Audits

1

reports collected

Findings

11

across all audits

Last Updated

5/21/2026

Analyzed

Analysis Overview

πŸ—οΈ

Protocol Overview

Beefy is a multichain yield optimizer that auto-compounds user deposits across 40+ chains with $117M TVL. Its Uniswap V3 concentrated liquidity vaults use a TWAP-based calm period mechanism to block deposits during price manipulation. Key risks include oracle dependency on Uniswap V3 TWAP integrity, concentrated liquidity complexity requiring tick rebalancing, and multi-chain operational surface. Owner controls TWAP deviation threshold, position width, and swap paths β€” creating centralization risk. No whitepaper, historical TVL data, or strategy-level APY data is available.
πŸ”’

Code Security

7.8/10
The Zellic audit found 11 issues in Beefy's Uniswap V3 strategy contracts, including a critical TWAP calm period bug allowing price deviations up to 31.83% instead of the intended 1%, and two high-severity findings on TWAP interval timing and discontinuous balance behavior. All 11 findings were remediated, yielding a 7.8/10 score. Audit scope covered only UniswapV3 strategy contracts, not Beefy's full protocol across 40+ chains.
πŸ’°

Economic Security

6.0/10
Beefy holds $117M TVL across 36+ chains, giving meaningful attack surface. The critical oracle manipulation finding was patched, but TWAP oracle manipulation remains a theoretical concern for concentrated liquidity strategies on low-liquidity pools β€” a 2.06% price deviation suffices for profitable flash-loan sandwich attacks. BIFI tokenomics data is insufficient to assess. Score: 6.0/10.
πŸ‘₯

Team & Transparency

5.0/10
Social and team information is largely opaque. No doxxed team members, no company structure, no governance documentation, and no financial data are available in the workspace. Positive signals include open-source code on GitHub, a recent Zellic audit (May 2026, 11 findings), and active multi-chain deployment. Score: 5.0/10.
πŸ—³οΈ

Governance

3.5/10
Beefy is heavily centralized with a single owner key controlling critical parameters β€” TWAP deviation, position width, and swap paths β€” with no documented constraints, no timelock, and no multisig. The audit explicitly confirms the protocol is not fully decentralized. Key person risk is very high: a compromised owner key can deploy malicious upgrades with no delay or disable the calm-period protection entirely. The manager role provides only pause capability. Score: 3.5/10.
πŸ”—

Cross-Analysis

Cross-domain analysis identifies five combined attack vectors: sandwich attacks via TWAP manipulation, no-timelock malicious upgrade deployment, flash-loan attacks on low-liquidity vaults during market stress, cross-chain composability cascade from downstream protocol failures, and owner-driven position-width manipulation. Worst-case scenario involves a compromised owner key enabling immediate vault drainage with no community-governed recovery mechanism. Key structural risk: anonymous team plus single admin key with no multisig. Score: 5.5/10.

Executive Summary

Executive Summary: Beefy

Safety Rating: YELLOW

Overall Score: 5.9/10 | Confidence: 0.65 | Data Completeness: 0.60 "Confidence level: 0.65 β€” Moderate confidence"

Scores by Dimension

DimensionScoreKey Finding
Code Security7.8/10Solid security practices with comprehensive third-party audit and full remediation of all 11 findings "All 11 findings acknowledged and remediated"
Economic Security6.0/10Mature yield aggregator with significant historical vulnerabilities remediated, offset by multichain deployment footprint and notable absence of tokenomics data "significant historical vulnerabilities that have been remediated"
Team Transparency5.0/10Basic transparency indicators present but minimal team identity information; no doxxed members or company structure details available "minimal team identity information"
Governance3.5/10Heavily centralized with single owner key controlling critical safety parameters without documented constraints "single owner key controlling critical safety parameters"
Track Record5.5/10Operational continuity across 40+ chains with responsive security practices and full audit remediation "Multi-chain deployment suggests active development and maintenance"

What This Protocol Does

Beefy is a decentralized, multichain yield optimizer that automates yield farming to maximize returns for DeFi users through autocompounding vault strategies "Beefy is a decentralized, multichain yield optimizer that allows its users to earn compound interest on their crypto holdings". The protocol operates across 40+ EVM-compatible chains with $117M TVL, using vault-based architecture that allocates user deposits to yield strategies and automatically harvests and reinvests rewards "Users deposit tokens into vaults, which allocate funds to underlying yield strategies".

Key Strengths

  • Full audit remediation: All 11 findings from the Zellic security audit (1 Critical, 2 High, 2 Medium, 5 Low, 1 Informational) have been acknowledged and fixed "All 11 findings acknowledged and remediated"
  • Multichain diversification: TVL of $117M distributed across 40+ chains limits single-chain concentration risk "TVL fragmentation across 36+ chains limits single-chain concentration risk"
  • Active security practices: Recent Zellic audit (February 2024) demonstrates ongoing security investment "Zellic audit (February 2024)"
  • No algorithmic stablecoin risk: As a pure yield optimizer, Beefy lacks structural death-spiral mechanisms "Beefy does not employ algorithmic stablecoins, reflexive token mechanics, or self-referential collateralization"
  • Role separation exists: Manager role provides emergency pause capability separate from owner's critical parameter control "The manager can call the panic and unpause functions"

Key Risks

  • Single owner key with no timelock: Owner can set TWAP deviation threshold and position width with no constraints, enabling potential manipulation or immediate malicious upgrade deployment "Single compromised owner key could upgrade strategy implementations to malicious code"
  • No multisig protection: Owner and manager roles appear EOA-controlled or single-signer, creating high key person risk "No multisig configuration is documented in the available sources"
  • Oracle manipulation vulnerability: 60-second TWAP interval too short for flash-loan protection; 2.06% deviation threshold sufficient for profitable attack on low-liquidity pools "a value of d >= 2.06% suffices to make the attack profitable"
  • Cross-chain composability exposure: Integrations with hundreds of downstream protocols across 40+ chains amplifies systemic risk "Beefy integrates with hundreds of underlying DeFi protocols across 36+ chains"
  • Anonymous team with no legal accountability: Combined with single owner key architecture, creates elevated insider threat "The protocol's security rests entirely on the integrity of persons who are not publicly accountable"

Critical Findings

  • HIGH: Centralized governance without timelock β€” The owner can immediately upgrade strategy implementations with no delay or community oversight. A compromised or malicious owner key could deploy malicious code without any safeguard "Direct call to upgradeTo with a new implementation address β€” no delay or veto mechanism"
  • HIGH: Unconstrained TWAP deviation parameter β€” Owner can set deviation threshold with no documented constraints, effectively defeating the calm-period protection against price manipulation "owner can essentially set the deviation from the TWAP and the position width"
  • MEDIUM: TWAP oracle architecture limitations β€” The 60-second TWAP interval is too short to protect against flash-loan manipulation, and the original implementation allowed up to 31.83% deviation instead of intended 1% "the allowed deviation could reach 31.83% instead of the intended 1%"
  • MEDIUM: Insufficient tokenomics data β€” BIFI token governance utility and team/investor allocation not documented, limiting assessment of incentive alignment "Insufficient tokenomics data is available"

Recommendation

Beefy presents a mixed risk profile: strong code security fundamentals with full audit remediation, offset by significant governance centralization risks that create severe single-point-of-failure exposure. The protocol is suitable for risk-tolerant users seeking passive yield optimization who understand the tradeoffs of centralized admin control. Users with low risk tolerance or those depositing significant capital should wait for identified governance improvements β€” specifically implementation of multisig protection and timelock delays on upgrades and parameter changes β€” before committing funds. The $117M TVL and 40+ chain deployment make Beefy a meaningful target, and the combination of anonymous team, single owner key, and no timelock creates a risk profile materially worse than comparable tier 2 protocols with better governance structures. The absence of insurance or reserve mechanisms means users bear full loss risk in any exploit scenario.

Report Sections

  • Protocol Overview
  • Code Security
  • Economic Security
  • Social & Team
  • Governance
  • Cross-Risk Analysis

Vulnerability Findings

Critical1High3Medium2Low4Info1

Audit Reports (1)

AuditorTierStatusDiscoveredLink
Zellictier_2completed5/20/2026View β†—