Omniscia Morpho Labs Audit
SupplyVault Manual Review Findings
SVL-01M: Potential Point of Concern
| Type | Severity | Location |
|---|---|---|
| Standard Conformity | | SupplyVault.sol:L105 |
Description:
The referenced line indicates integration with the IMorpho contract, an internal project contract that is out of scope for this audit; interactions with it therefore cannot be properly validated.
Example:
```solidity
12 contract SupplyVault is SupplyVaultUpgradeable {
```
Recommendation:
As a general security recommendation, we advise the Morpho team to ascertain that the rewards yielded by claimRewards are properly defined, and that the false flag is correct for the purposes of the _accrueUnclaimedRewards system. This does not constitute an audit of the Morpho contract and simply indicates best practices and security considerations that should be followed.
Alleviation:
The Morpho team considered our advice and has validated the IMorpho integration on their end. This exhibit will remain in the audit report for the sake of posterity, marked as "addressed" based on Morpho's validation of the integration.
SVL-02M: Unsafe Casting Operations
| Type | Severity | Location |
|---|---|---|
| Mathematical Operations | | SupplyVault.sol:L115, L116, L119 |
Description:
The relevant casting operations from uint256 to uint128 are performed unsafely, which can significantly compromise the integrity of the reward system, especially when dealing with large offsets such as the WAD value of 1e18.
Impact:
The overall reward system of the SupplyVault can be significantly compromised if a casting underflow (a cast that silently truncates the value) is achieved in the _accrueUnclaimedRewards function.
Example:
```solidity
112 if (rewardsIndexDiff > 0) {
113     unclaimed =
114         userRewards[_user].unclaimed +
115         uint128(balanceOf(_user).mulWadDown(rewardsIndexDiff));
116     userRewards[_user].unclaimed = uint128(unclaimed);
117 }
118
119 userRewards[_user].index = uint128(rewardsIndexMem);
```
Recommendation:
We advise the casting operations to be performed safely via the usage of a relevant library such as SafeCast from OpenZeppelin. We should note that the built-in checked arithmetic introduced in post-0.8.X Solidity versions does not cover explicit casting operations, which still truncate silently.
Alleviation:
All three operations referenced now make use of the SafeCastLib by @solmate, thus addressing this exhibit in full and performing casting safely.