Omniscia Mitosis Audit
VaultHub Manual Review Findings
VaultHub Manual Review Findings
VHB-01M: Inexistent Initialization Protection of Base Implementation
Type | Severity | Location |
---|---|---|
Language Specific | VaultHub.sol:L28 |
Description:
The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.
Example:
28contract VaultHub is OwnableUpgradeable, VaultHubStorageV1 {29 function initialize(address owner) public initializer {30 __Ownable_init();31 _transferOwnership(owner);32 }
Recommendation:
We advise a constructor
to be introduced that either invokes the initializer
modifier of the Initializable
contract or invokes the Initializable::_disableInitializers
function to prevent the base implementation from ever being initialized.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
A VaultHub::constructor
has been introduced invoking the Initializable::initialize
modifier thereby preventing re-initializations as long as the contract does not utilize a versioned initialization system.
If such a system is expected, we advise the Initializable::_disableInitializers
function instead.
VHB-02M: Potentially Dangerous Invocation
Type | Severity | Location |
---|---|---|
Language Specific | VaultHub.sol:L39 |
Description:
The VaultHub::isVault
function will invoke the IVault::vaultType
getter function on its vault
input argument, permitting a malicious contract to yield any value it wishes.
Impact:
While the referenced code is presently safe, a future upgrade of the system may misconceive that it is safe to invoke getter functions on input arguments supplied by users.
Example:
38function isVault(address vault) public view returns (bool) {39 return IVaultFactory(factory(IVault(vault).vaultType())).isVault(vault);40}
Recommendation:
While it is presently not a security vulnerability as the yielded value is used as a key to a factory implementation that is further validated, we still advise the call to an untrusted address to be avoided.
This can be achieved by looping through the VaultType
values supported in the system one-by-one until the vault
is either found or until all factories have been checked.
Alleviation (5297bb74fa):
The code was adjusted to perform a try-catch
operation, however, this is still insecure as the getter call is still performed on the input argument.
We advise the Mitosis team to revisit this exhibit.
Alleviation (58e8cc66df):
The code was updated per our original recommendation, iterating through all vault types and evaluating whether the input vault
is part of any in a sequential manner.
We consider this approach secure and thus the exhibit fully alleviated.