Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

ZlpVault EIP4626 Non Compliant

Summary

As described in the known issues, ZlpVault is EIP4626 non-compliant. However, the known issues list it as non-compliant due to "previewDeposit and previewRedeem including fees". It is also non-compliant because maxDeposit "MUST NOT rely on balanceOf of asset", but it does.

Vulnerability Details

As described in the known issues, ZlpVault is EIP4626 non-compliant. However, the known issues list it as non-compliant due to "previewDeposit and previewRedeem including fees". It is also non-compliant because maxDeposit "MUST NOT rely on balanceOf of asset", but it does. The returned value depends on the totalAssetsCached value, which relies on balanceOf.

Impact

Other protocols that integrate with the given protocol may wrongly assume that the functions are EIP4626 compliant. Thus, it might cause integration problems that can lead to a wide range of issues for both parties. It can also cause confusion for off-chain services integrating with the given protocol.

Tools Used

Manual Review

Recommendations

Refactor the maxDeposit function to be EIP4626 compliant or describe this issue in the documentation of the protocol so others can know not to expect it to be compliant with the given EIP.
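
The dependency the finding describes, next to one possible refactor, as an added sketch that is not ZlpVault source or the submitter's code. The deposit cap, the contract name, and every identifier other than `maxDeposit` and `totalAssetsCached` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch for illustration only; not taken from the Zaros code base.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CappedVaultSketch {
    IERC20 public immutable asset;
    uint256 public immutable depositCap; // assumed: vault-wide ceiling on held assets
    uint256 public totalAssetsCached;    // pattern A: snapshot of asset.balanceOf(vault)
    uint256 public trackedAssets;        // pattern B: internal accounting only

    constructor(IERC20 asset_, uint256 depositCap_) {
        asset = asset_;
        depositCap = depositCap_;
    }

    // Pattern A: the cache is refreshed from the token balance, so anything
    // derived from it inherits a dependency on balanceOf.
    function refreshCache() public {
        totalAssetsCached = asset.balanceOf(address(this));
    }

    // Pattern A: the shape described in the finding. Headroom is computed
    // from the balanceOf-derived cache.
    function maxDepositFromBalance(address) public view returns (uint256) {
        return totalAssetsCached >= depositCap ? 0 : depositCap - totalAssetsCached;
    }

    // Pattern B: one possible refactor. Headroom is computed from assets the
    // vault itself recorded in deposit(), with no balanceOf read on this path.
    function maxDepositFromAccounting(address) public view returns (uint256) {
        return trackedAssets >= depositCap ? 0 : depositCap - trackedAssets;
    }

    function deposit(uint256 assets) external {
        // Enforce the same limit that maxDepositFromAccounting reports, so an
        // integrator who deposits exactly that amount does not revert on the cap.
        require(assets <= maxDepositFromAccounting(msg.sender), "cap exceeded");
        trackedAssets += assets;
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        refreshCache(); // kept so pattern A can be compared against pattern B
    }
}
```

An integrator comparing the two view functions after each deposit sees whether the reported headroom tracks only recorded deposits or also moves with the raw token balance.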

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

1337web3 Submitter
6 months ago
inallhonesty Lead Judge
6 months ago
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
