Submission Details
Severity:
ZlpVault Does Not Fully Implement ERC-4626
Summary
The ZlpVault contract is missing name and symbol parameters, which are required by ERC-4626 for underlying ERC20 token. According to the ERC-4626 standard: All EIP-4626 tokenized Vaults MUST implement EIP-20’s optional metadata extensions. The name and symbol functions SHOULD reflect the underlying token’s name and symbol in some way. [Ref]
Vulnerability Details
The
initializefunction does not set a name and symbol for the ERC-4626 vault's ERC20 index token
Recommendation
Add name and symbol to Initialization. Modify initialize to properly set the vault’s name and symbol:
function initialize(
address marketMakingEngine,
uint8 decimalsOffset,
address owner,
IERC20 asset_,
uint128 vaultId,
+ string memory name_, // 🔹 Add name
+ string memory symbol_ // 🔹 Add symbol
)
external
initializer
{
__Ownable_init(owner);
__ERC4626_init(asset_);
+ __ERC20_init(name_, symbol_); // Set ERC20 metadata
ZlpVaultStorage storage zlpVaultStorage = _getZlpVaultStorage();
zlpVaultStorage.marketMakingEngine = marketMakingEngine;
zlpVaultStorage.decimalsOffset = decimalsOffset;
zlpVaultStorage.vaultId = vaultId;
IERC20(asset_).approve(marketMakingEngine, type(uint256).max);
}
Updates
Lead Judging Commences
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
ERC4626 not properly implemented
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821
USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.