Omniscia Morpho Labs Audit

SupplyVaultUpgradeable Manual Review Findings

SupplyVaultUpgradeable Manual Review Findings

SRO-01M: Potential Points of Concern

Description:

The referenced lines indicate integration with the IMorpho contract which is an internal project contract that is not in scope of the audit and thus interactions with it cannot be properly validated.

Example:

src/compound/SupplyVaultUpgradeable.sol
18abstract contract SupplyVaultUpgradeable is ERC4626UpgradeableSafe, OwnableUpgradeable {

Recommendation:

As general security recommendations, we advise the Morpho team to ascertain that no flash-loan based attacks affect the p2pSupplyIndex evaluation and that the supply and withdraw workflows properly transfer underlying assets out and in of the system as well as unwrap them for the CEth token deposit workflow. Additionally, all value entries retrieved from the IMorpho contract should be validated as non-changeable as otherwise configuration should be dynamic for the contract in scope. This does not constitute an audit of the Morpho contract and simply indicates best practices and security considerations that should be followed.

Alleviation:

The Morpho team considered our advice and has validated the IMorpho integration on their end. This exhibit will remain in the audit report for the sake of prosperity, marked as "addressed" based on Morpho's validation of the integration.

SRO-02M: Inexistent Slippage Protection

Description:

The EIP-4626 standard dependency by OpenZeppelin is not meant to be used standalone as highlighted in the documentation of the contract as well given that there may be natural slippage incurred when depositing and withdrawing from the vault which should be accounted for by a router similar to how DEX operations are performed.

Impact:

Inexistent slippage checks will cause arbitrage opportunities to present themselves to potential attackers, hurting the end-users of the vaults.

Example:

src/compound/SupplyVaultUpgradeable.sol
18abstract contract SupplyVaultUpgradeable is ERC4626UpgradeableSafe, OwnableUpgradeable {

Recommendation:

We advise a router implementation to be introduced to the codebase that interacts with the vaults as otherwise any deposits and withdrawals will be significantly vulnerable to sandwich and MEV attacks.

Alleviation:

The Morpho Labs team stated that they are awaiting a router implementation by the Fei Protocol to become production-ready as it is currently undergoing a security audit and as such will utilize that module once it is ready for alleviating this exhibit in the future.

SRO-03M: Normalized Mantissa Inexistent

Description:

The Compound system calculations for assessing the underlying balance of a particular C-Token balance involve the division with a normalizer-mantissa that is calculated dynamically based on the decimals of the underlying asset as well as the decimals of the C-Token, which are fixed. This does not appear to be taken into account here.

Impact:

Currently, over-evaluations and under-evaluations of assets can occur as the Compound pool balance is incorrectly evaluated in underlying units.

Example:

src/compound/SupplyVaultUpgradeable.sol
81function totalAssets() public view override returns (uint256) {
82 IMorpho morphoMem = morpho;
83 address poolTokenMem = poolToken;
84
85 Types.SupplyBalance memory supplyBalance = morphoMem.supplyBalanceInOf(
86 poolTokenMem,
87 address(this)
88 );
89
90 return
91 supplyBalance.onPool.mul(ICToken(poolTokenMem).exchangeRateStored()) +
92 supplyBalance.inP2P.mul(morphoMem.p2pSupplyIndex(poolTokenMem));
93}

Recommendation:

We advise the calculation to be re-assessed and the mantissa to be properly calculated depending on the underlying token and C-Token decimals as otherwise the calculation is prone to failure and can significantly compromise the integrity of the vault.

Alleviation:

The Morpho Labs team stated that the calculations are being executed as they are expected to by the overall Morpho Labs protocol given that multiple multi-decimal assets have already been deployed. As a result, we consider this exhibit nullified given that the current calculations fit Morpho Labs' purposes.