Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Incorrect Asset Withdrawal from ERC4626 Vault via Direct Transfer

Summary

The contract incorrectly attempts to transfer underlying assets directly from an ERC4626 vault's address using safeTransferFrom, violating the ERC4626 standard. This causes transactions to revert, as ERC4626 vaults manage assets via shares, not direct token balances at the vault's address.

Vulnerability

Inside StabilityBranch::fulfillSwap, the contract uses safeTransferFrom to pull the underlying assets from the vault into the market making engine contract (address(this)) before distributing them:

IERC20(ctx.asset).safeTransferFrom(vault.indexToken, address(this), ctx.amountOut + ctx.protocolReward);

ERC4626 vaults do not hold underlying tokens at their own address. Instead, assets are managed through share-based mechanisms (deposit/redeem). The direct transferFrom call fails for two reasons: the vault’s address has no token balance, and no approval is granted to the contract to spend tokens on the vault’s behalf.

Impact

Swaps involving ERC4626 vaults always fail, rendering the protocol unusable for these vaults.

Tools used

Manual review

Recommendations

Replace direct safeTransferFrom with ERC4626-compliant redemptions
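As an added illustration of that recommendation (example code, not from the Zaros repository), the hypothetical helper below obtains `amount` of underlying from an ERC4626 vault through the standard withdraw path instead of calling transferFrom on the vault address; `VaultWithdrawExample`, `pullFromVault` and the `owner` parameter are assumed names. In ERC4626 the vault contract is itself the share token, so the approval involved is a share allowance from the share holder to the caller, and `withdraw` burns the holder's shares and pays the underlying to the receiver.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC4626} from "@openzeppelin/contracts/interfaces/IERC4626.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Added example (hypothetical, not Zaros code): ERC4626-compliant withdrawal
/// of `amount` underlying, replacing a transferFrom aimed at the vault address.
contract VaultWithdrawExample {
    /// @param vault  ERC4626 vault; its address is also the share token
    /// @param amount underlying assets this contract wants to receive
    /// @param owner  holder of the shares to burn; must have approved this
    ///               contract for enough shares, or be this contract itself
    function pullFromVault(IERC4626 vault, uint256 amount, address owner)
        external
        returns (uint256 sharesBurned)
    {
        // maxWithdraw reflects the owner's share balance and any vault limits.
        require(amount <= vault.maxWithdraw(owner), "exceeds maxWithdraw");

        // previewWithdraw returns the shares that will be burned (rounded up per EIP-4626),
        // so the share allowance can be checked before the call instead of reverting inside it.
        uint256 expectedShares = vault.previewWithdraw(amount);
        if (owner != address(this)) {
            require(
                vault.allowance(owner, address(this)) >= expectedShares,
                "insufficient share allowance"
            );
        }

        IERC20 asset = IERC20(vault.asset());
        uint256 balanceBefore = asset.balanceOf(address(this));

        // withdraw burns shares from `owner` and sends exactly `amount` of asset to the receiver.
        sharesBurned = vault.withdraw(amount, address(this), owner);

        // Defensive check against fee-on-transfer or non-conforming vaults.
        require(asset.balanceOf(address(this)) - balanceBefore == amount, "short delivery");
    }
}
```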

Updates

Lead Judging Commences

inallhonesty Lead Judge
7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
