Prepared by:
HALBORN
Last Updated 12/03/2024
Date of Engagement by: November 21st, 2024 - November 25th, 2024
100% of all REPORTED Findings have been addressed
All findings
6
Critical
0
High
0
Medium
0
Low
3
Informational
3
Wallchain
engaged Halborn
to conduct a security assessment on their Solidity smart contract beginning on November 21st, 2024 and ending on November 25th, 2024. The security assessment was scoped to the smart contracts provided in the vault-contract-halborn GitHub repository, commit hashes, and further details can be found in the Scope section of this report.
The WallchainVault
contract is an ERC-4626 Vault with partial ERC-7540 implementation that does not hold any funds, as all deposits are directly transferred to the owner address to ensure secure control of the assets.
The team at Halborn assigned one full-time security engineer to check the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing and smart-contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of this assessment is to:
Ensure that smart contract functionality operates as intended
Identify potential security issues with the smart contracts
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Wallchain team
. The main ones were the following:
Implement safeguards to prevent the owner from arbitrarily modifying totalAssets, such as only allowing incremental updates or avoiding minting zero shares.
Introduce cancellation and timeout mechanisms for asynchronous redemptions to protect users from indefinite locking of funds, as recommended by EIP-7540.
Replace manual updates of the perOneAsset parameter with an automated oracle-based system to ensure real-time accuracy and minimize human error.
Security analysis | Risk level | Remediation |
---|---|---|
Risk of Inflation or Deflation Due to Arbitrary Owner Control of totalAssets | Low | Solved - 11/26/2024 |
Lack of User Protection in Asynchronous Redemption Process | Low | Solved - 11/25/2024 |
Manual Configuration of perOneAsset Introduces Risk of Miscalculation | Low | Partially Solved - 11/26/2024 |
Insufficient Validations | Informational | Partially Solved - 11/28/2024 |
Lack of Two-Step Ownership Transfer Mechanism | Informational | Solved - 11/28/2024 |
Inconsistencies in Redemption and Withdrawal Due to Changes in totalAssets | Informational | Solved - 11/28/2024 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed