Halborn Logo

Vault Contract - Wallchain


Prepared by:

Halborn Logo

HALBORN

Last Updated 12/03/2024

Date of Engagement by: November 21st, 2024 - November 25th, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

6

Critical

0

High

0

Medium

0

Low

3

Informational

3


1. Introduction

Wallchain engaged Halborn to conduct a security assessment on their Solidity smart contract beginning on November 21st, 2024 and ending on November 25th, 2024. The security assessment was scoped to the smart contracts provided in the vault-contract-halborn GitHub repository, commit hashes, and further details can be found in the Scope section of this report.


The WallchainVault contract is an ERC-4626 Vault with partial ERC-7540 implementation that does not hold any funds, as all deposits are directly transferred to the owner address to ensure secure control of the assets.

2. Assessment Summary

The team at Halborn assigned one full-time security engineer to check the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing and smart-contract hacking skills, and deep knowledge of multiple blockchain protocols.


The purpose of this assessment is to:

    • Ensure that smart contract functionality operates as intended

    • Identify potential security issues with the smart contracts


In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Wallchain team. The main ones were the following:

    • Implement safeguards to prevent the owner from arbitrarily modifying totalAssets, such as only allowing incremental updates or avoiding minting zero shares.

    • Introduce cancellation and timeout mechanisms for asynchronous redemptions to protect users from indefinite locking of funds, as recommended by EIP-7540.

    • Replace manual updates of the perOneAsset parameter with an automated oracle-based system to ensure real-time accuracy and minimize human error.


3. SCOPE

Files and Repository
(a) Repository: vault-contract-halborn
(b) Assessed Commit ID: 7cb8efa
(c) Items in scope:
  • src/WallchainVault.sol
Out-of-Scope: Third party dependencies and economic attacks.
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysisRisk levelRemediation
Risk of Inflation or Deflation Due to Arbitrary Owner Control of totalAssetsLowSolved - 11/26/2024
Lack of User Protection in Asynchronous Redemption ProcessLowSolved - 11/25/2024
Manual Configuration of perOneAsset Introduces Risk of MiscalculationLowPartially Solved - 11/26/2024
Insufficient ValidationsInformationalPartially Solved - 11/28/2024
Lack of Two-Step Ownership Transfer MechanismInformationalSolved - 11/28/2024
Inconsistencies in Redemption and Withdrawal Due to Changes in totalAssetsInformationalSolved - 11/28/2024

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

© Halborn 2024. All rights reserved.