Omniscia Kyo Finance Audit
ERC4626TokenStreamSplitter Manual Review Findings
ERC-01M: Deviation of EIP-4626 Deposit / Withdrawal Restriction
Type | Severity | Location |
---|---|---|
Standard Conformity | Medium | ERC4626TokenStreamSplitter.sol:L27 |
Description:
Per the EIP-4626 standard, an EIP-4626 vault must properly expose its upper-bound limitations (in this case, the type(uint128).max limitation) via its relevant max-prefixed getter functions. The ERC4626TokenStreamSplitter implementation does not do so.
Impact:
The ERC4626TokenStreamSplitter presently deviates from several of the EIP-4626 standard's MUST requirements, albeit in low-sensitivity functions, meriting a medium severity rating.
Example:
```solidity
25 function _update(address from, address to, uint256 value) internal override {
26     super._update(from, to, value);
27     require(value <= type(uint128).max, "value too large");
28     if (value != 0) {
29         _distribute();
30         if (from != address(0)) _decreaseWeight(from, uint128(value));
31         if (to != address(0)) _increaseWeight(to, uint128(value));
32     }
33 }
```
Recommendation:
We advise the relevant ERC4626TokenStreamSplitter::_update restriction to be properly signaled to external observers via an override of all aforementioned functions, ensuring compliance with the EIP-4626 standard.
Alleviation (17c8d4e59f):
The code was updated to yield a fixed value of type(uint128).max for its ERC4626TokenStreamSplitter::maxDeposit and ERC4626TokenStreamSplitter::maxMint functions; however, these limits are slightly inaccurate.

Specifically, the actual limit imposed is the value of type(uint128).max minus the current balance of the user, due to the usage of checked arithmetic in the StakingMath::stake implementation.

Additionally, the system does not appear to signal a limit of 0 for any non-whitelisted address, thereby rendering the exhibit partially addressed.
Alleviation (9bcc31960d):
The code was updated per our follow-up recommendation, ensuring that correct limitations are yielded by the ERC4626TokenStreamSplitter::maxDeposit and ERC4626TokenStreamSplitter::maxMint function implementations.
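The limits described in the alleviation notes (type(uint128).max minus the receiver's current balance, and 0 for non-whitelisted addresses) can be expressed as follows. This is an added example, not the audited contract or the code from either commit; it assumes OpenZeppelin Contracts v5's ERC4626 as the base, and the contract name CappedVaultLimits and the _isWhitelisted hook are hypothetical, since the report does not show the whitelist interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";

// Added illustration of EIP-4626 limit signaling; not the project's own code.
abstract contract CappedVaultLimits is ERC4626 {
    // Per-account share cap implied by the uint128 weight accounting in _update.
    uint256 private constant SHARE_CAP = type(uint128).max;

    // Hypothetical hook: the report mentions a whitelist but not how it is queried.
    function _isWhitelisted(address account) internal view virtual returns (bool);

    // Shares `receiver` can still be minted before balance + value exceeds the cap.
    // Returns 0 instead of reverting, as EIP-4626 requires of max* getters.
    function maxMint(address receiver) public view virtual override returns (uint256) {
        if (!_isWhitelisted(receiver)) return 0;
        uint256 held = balanceOf(receiver);
        return held >= SHARE_CAP ? 0 : SHARE_CAP - held;
    }

    // Asset equivalent of maxMint, rounded down so that deposit() of this amount
    // never mints more shares than maxMint allows. Assumes the share price keeps
    // the conversion result within uint256.
    function maxDeposit(address receiver) public view virtual override returns (uint256) {
        return _convertToAssets(maxMint(receiver), Math.Rounding.Floor);
    }
}
```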