Trail of Bits

Spool Platform

Type: Security review

Client: The Spool DAO

Date: 2023-03

Domain: AppSec

Effort: 8 wks

Section: Technology Product Reviews

Trail of Bits's security review of The Spool DAO (Mar 2023) identified 38 issues: 5 high, 14 medium, 12 low, 5 informational, and 2 undetermined.

Findings · 38

  1. Solidity compiler optimizations can be problematic (Undetermined)
  2. Risk of SmartVaultFactory DoS due to lack of access controls on grantSmartVaultOwnership (High)
  3. Lack of zero-value check on constructors and initializers (Medium)
  4. Upgradeable contracts set state variables in the constructor (Medium)
  5. Insufficient validation of oracle price data (Low)
  6. Incorrect handling of fromVaultsOnly in removeStrategy (Low)
  7. Risk of LinearAllocationProvider and ExponentialAllocationProvider reverts due to division by zero (Medium)
  8. Strategy APYs are never updated (Medium)
  9. Incorrect bookkeeping of assets deposited into smart vaults (High)
  10. Risk of malformed calldata of calls to guard contracts (Low)
  11. GuardManager does not account for all possible types when encoding guard arguments (Low)
  12. Use of encoded values in guard contract comparisons could lead to opposite results (Low)
  13. Lack of contract existence checks on low-level calls (Low)
  14. Incorrect use of exchangeRates in doHardWork (High)
  15. LinearAllocationProvider could return an incorrect result (Medium)
  16. Incorrect formula used for adding/subtracting two yields (Medium)
  17. Smart vaults with re-registered strategies will not be usable (Low)
  18. Incorrect handling of partially burned NFTs results in incorrect SVT balance calculation (Low)
  19. Transfers of D-NFTs result in double counting of SVT balance (Medium)
  20. Flawed loop for syncing flushes results in higher management fees (Medium)
  21. Incorrect ghost strategy check (Informational)
  22. Reward configuration not initialized properly when reward is zero (Low)
  23. Missing function for removing reward tokens from the blacklist (Informational)
  24. Risk of unclaimed shares due to loss of precision in reallocation operations (Informational)
  25. Curve3CoinPoolAdapter's _addLiquidity reverts due to incorrect amounts deposited (Medium)
  26. Reallocation process reverts when a ghost strategy is present (High)
  27. Broken test cases that hide security issues (Informational)
  28. Reward emission can be extended for a removed reward token (Medium)
  29. A reward token cannot be added once it is removed from a smart vault (Low)
  30. Missing whenNotPaused modifier (Low)
  31. Users who deposit and then withdraw before doHardWork lose their tokens (High)
  32. Lack of events emitted for state-changing functions (Informational)
  33. Removal of a strategy could result in loss of funds (Medium)
  34. ExponentialAllocationProvider reverts on strategies without risk scores (Medium)
  35. Removing a strategy makes the smart vault unusable (Medium)
  36. Issues with the management of access control roles in deployment script (Low)
  37. Risk of DoS due to unbounded loops (Medium)
  38. Unsafe casts throughout the codebase (Undetermined)

Findings extracted from the published report PDF. See the full report below for details and remediation.