Omniscia Morpho Labs Audit

SupplyVault Manual Review Findings

SVT-01M: Potential Points of Concern

Description:

The referenced lines indicate integration with the IMorpho and IRewardsManager contracts, which are internal project contracts that are out of scope for this audit; interactions with them therefore could not be validated as part of this review.

Example:

src/aave-v3/SupplyVault.sol
12 contract SupplyVault is SupplyVaultUpgradeable {

Recommendation:

As general security recommendations, we advise the Morpho team to ascertain that the overall reward system exposed by the IRewardsManager is sound and is not susceptible to manipulation by external calls. This does not constitute an audit of the Morpho contract and simply indicates best practices and security considerations that should be followed.

Alleviation:

The Morpho team considered our advice and has validated the IMorpho & IRewardsManager integrations on their end. This exhibit will remain in the audit report for the sake of posterity, marked as "addressed" based on Morpho's validation of the integration.

SVT-02M: Unsafe Casting Operations

Description:

The relevant casting operations from uint256 to uint128 are performed via a plain cast, which silently truncates any value above type(uint128).max instead of reverting. This can significantly compromise the integrity of the reward system, especially since the computed value is multiplied by the large SCALE offset of 1e36 before being cast, which pushes realistic inputs toward the uint128 limit.

Impact:

The overall reward system of the SupplyVault can be significantly compromised if a truncating cast is reached in the _accrueUnclaimedRewards function, as rewardsIndex[rewardToken] would then be advanced by only the low 128 bits of the true index delta rather than the call reverting.

Example:

src/aave-v3/SupplyVault.sol
218 if (supply > 0 && claimedAmount > 0)
219     rewardsIndex[rewardToken] += uint128(claimedAmount.mulDivDown(SCALE, supply));

Recommendation:

We advise the casting operations to be performed safely via the usage of a relevant library such as SafeCast from OpenZeppelin. We should note that the built-in checked arithmetic introduced in Solidity 0.8.x covers overflow and underflow of arithmetic operations only; narrowing casts such as uint128(x) are not checked and continue to truncate silently.
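The following contract is an added illustration of this exhibit and is not part of the audited SupplyVault code base. It places the flagged pattern (a plain uint128 cast of a SCALE-multiplied value) beside a checked cast of the kind provided by OpenZeppelin SafeCast or solmate SafeCastLib. The toUint128 helper, the CastDemo contract name and the plain claimedAmount * SCALE / supply expression (standing in for mulDivDown) are assumptions made for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example for SVT-02M; not the project's own code.
/// Shows that uint256 -> uint128 narrowing is NOT covered by 0.8.x checked
/// arithmetic, and how a checked cast turns silent truncation into a revert.
contract CastDemo {
    // Same scaling offset as the audited vault (assumption: used identically here).
    uint256 internal constant SCALE = 1e36;

    /// Flagged pattern: the division is checked, but the cast is not.
    /// With claimedAmount = 1e21 and supply = 1e18 the true delta is 1e39,
    /// which exceeds type(uint128).max (~3.4e38); the cast keeps only the
    /// low 128 bits and returns a wrong, much smaller delta without reverting.
    function unsafeIndexDelta(uint256 claimedAmount, uint256 supply)
        external
        pure
        returns (uint128)
    {
        // claimedAmount * SCALE / supply stands in for mulDivDown(SCALE, supply);
        // the multiplication itself reverts on uint256 overflow under 0.8.x.
        return uint128(claimedAmount * SCALE / supply);
    }

    /// Checked narrowing cast; equivalent in effect to SafeCast.toUint128 /
    /// SafeCastLib.safeCastTo128. Reverts instead of truncating.
    function toUint128(uint256 x) internal pure returns (uint128) {
        require(x <= type(uint128).max, "CastDemo: value does not fit in 128 bits");
        return uint128(x);
    }

    /// Hardened form of the flagged pattern: same arithmetic, checked cast.
    /// For the 1e21 / 1e18 inputs above this reverts rather than corrupting
    /// the reward index.
    function safeIndexDelta(uint256 claimedAmount, uint256 supply)
        external
        pure
        returns (uint128)
    {
        return toUint128(claimedAmount * SCALE / supply);
    }
}
```

Calling unsafeIndexDelta(1e21, 1e18) and safeIndexDelta(1e21, 1e18) side by side (for example in a Foundry or Hardhat test) shows the difference directly: the first returns a truncated value, the second reverts. Whether such inputs are reachable depends on how small supply can become relative to claimedAmount in the vault; the checked cast removes the need to reason about that.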

Alleviation:

Both referenced operations now make use of the SafeCastLib by @solmate, which reverts on values that do not fit in the target type, thus addressing this exhibit in full.