Omniscia Morpho Labs Audit
SupplyVaultUpgradeable Manual Review Findings
SVU-01M: Potential Points of Concern
Type | Severity | Location |
---|---|---|
Standard Conformity | | SupplyVaultUpgradeable.sol:L69, L70, L89-L92, L96, L108, L118 |
Description:
The referenced lines indicate integration with the IMorpho
contract which is an internal project contract that is not in scope of the audit and thus interactions with it cannot be properly validated.
Example:
```solidity
abstract contract SupplyVaultUpgradeable is ERC4626UpgradeableSafe, OwnableUpgradeable {
```
Recommendation:
As general security recommendations, we advise the Morpho team to ascertain that no flash-loan based attacks can affect the evaluation of the p2pSupplyIndex, and that the supply and withdraw workflows properly transfer underlying assets into and out of the system. Additionally, every value the contract in scope retrieves from the IMorpho
contract should be verified to be immutable; any value that can change at runtime must be read dynamically at the time of use rather than cached in the contract in scope. This does not constitute an audit of the Morpho contract and simply indicates best practices and security considerations that should be followed.
Alleviation:
The Morpho team considered our advice and has validated the IMorpho
integration on their end. This exhibit will remain in the audit report for the sake of posterity, marked as "addressed" based on Morpho's validation of the integration.
SVU-02M: Inexistent Slippage Protection
Type | Severity | Location |
---|---|---|
Logical Fault | | SupplyVaultUpgradeable.sol:L101, L111 |
Description:
The OpenZeppelin EIP-4626 implementation that the contract depends on is not meant to be used standalone, as its own documentation highlights: a deposit or withdrawal may incur natural slippage between the amount quoted and the shares or assets actually received, and that slippage should be bounded by a router, similar to how DEX operations enforce minimum-output and deadline checks.
Impact:
Without slippage checks, a deposit or withdrawal can be front-run and back-run (sandwiched) so that the user receives fewer shares or assets than expected, creating an extractable arbitrage opportunity for attackers at the expense of the vaults' end users.
Example:
```solidity
abstract contract SupplyVaultUpgradeable is ERC4626UpgradeableSafe, OwnableUpgradeable {
```
Recommendation:
We advise a router implementation to be introduced to the codebase that interacts with the vaults as otherwise any deposits and withdrawals will be significantly vulnerable to sandwich and MEV attacks.
Alleviation:
The Morpho Labs team stated that they are awaiting a router implementation by the Fei Protocol to become production-ready as it is currently undergoing a security audit and as such will utilize that module once it is ready for alleviating this exhibit in the future.
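The shape of the router recommended in SVU-02M, as an added example that is not code from the Morpho Labs repository nor the Fei Protocol router referred to in the alleviation. It wraps the four EIP-4626 entry points with the bound the caller would otherwise lack (a minimum on what comes out, a maximum on what goes in) plus a deadline, so a sandwiched transaction reverts instead of settling at a worse rate. The contract name, function and parameter names, and the custom error are assumptions chosen for illustration; the imports assume OpenZeppelin Contracts 4.9 or later (`forceApprove`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Assumed dependency: OpenZeppelin Contracts >= 4.9 (IERC4626 and SafeERC20.forceApprove).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC4626} from "@openzeppelin/contracts/interfaces/IERC4626.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Illustrative slippage-checking router for any ERC-4626 vault.
/// @dev Hypothetical contract written for this example; not part of the audited code base.
///      The user approves this router for the underlying asset (deposit/mint) or for the
///      vault shares (withdraw/redeem); the router never holds funds between transactions.
contract ERC4626SlippageRouter {
    using SafeERC20 for IERC20;

    error SlippageExceeded(uint256 actual, uint256 bound);
    error DeadlinePassed(uint256 deadline, uint256 blockTime);

    /// @dev Like DEX routers, refuse transactions that have been sitting in the mempool too long.
    modifier checkDeadline(uint256 deadline) {
        if (block.timestamp > deadline) revert DeadlinePassed(deadline, block.timestamp);
        _;
    }

    /// @notice Deposit an exact amount of assets; revert unless at least `minSharesOut` shares are minted.
    function depositMinShares(IERC4626 vault, uint256 assets, uint256 minSharesOut, address receiver, uint256 deadline)
        external checkDeadline(deadline) returns (uint256 shares)
    {
        IERC20 asset = IERC20(vault.asset());
        asset.safeTransferFrom(msg.sender, address(this), assets);
        asset.forceApprove(address(vault), assets);
        shares = vault.deposit(assets, receiver);
        // The bound is checked on the amount the vault actually returned, not on a preview,
        // because the exchange rate can move between quoting and execution (the sandwich).
        if (shares < minSharesOut) revert SlippageExceeded(shares, minSharesOut);
    }

    /// @notice Mint an exact number of shares; revert if the vault charges more than `maxAssetsIn`.
    function mintMaxAssets(IERC4626 vault, uint256 shares, uint256 maxAssetsIn, address receiver, uint256 deadline)
        external checkDeadline(deadline) returns (uint256 assets)
    {
        // previewMint gives the upper bound the router must pull from the user before calling mint.
        uint256 quoted = vault.previewMint(shares);
        if (quoted > maxAssetsIn) revert SlippageExceeded(quoted, maxAssetsIn);

        IERC20 asset = IERC20(vault.asset());
        asset.safeTransferFrom(msg.sender, address(this), quoted);
        asset.forceApprove(address(vault), quoted);
        assets = vault.mint(shares, receiver);
        if (assets > maxAssetsIn) revert SlippageExceeded(assets, maxAssetsIn);

        // Return any dust the vault did not take rather than leaving it in the router.
        if (assets < quoted) asset.safeTransfer(msg.sender, quoted - assets);
    }

    /// @notice Withdraw an exact amount of assets; revert if more than `maxSharesIn` shares would be burned.
    /// @dev `msg.sender` must have approved this router to spend its vault shares.
    function withdrawMaxShares(IERC4626 vault, uint256 assets, uint256 maxSharesIn, address receiver, uint256 deadline)
        external checkDeadline(deadline) returns (uint256 shares)
    {
        shares = vault.withdraw(assets, receiver, msg.sender);
        if (shares > maxSharesIn) revert SlippageExceeded(shares, maxSharesIn);
    }

    /// @notice Redeem an exact number of shares; revert unless at least `minAssetsOut` assets are paid out.
    /// @dev `msg.sender` must have approved this router to spend its vault shares.
    function redeemMinAssets(IERC4626 vault, uint256 shares, uint256 minAssetsOut, address receiver, uint256 deadline)
        external checkDeadline(deadline) returns (uint256 assets)
    {
        assets = vault.redeem(shares, receiver, msg.sender);
        if (assets < minAssetsOut) revert SlippageExceeded(assets, minAssetsOut);
    }
}
```

The important design choice is that every bound is enforced on the value the vault's own `deposit`/`mint`/`withdraw`/`redeem` call returns, after the state change, rather than only on a `preview*` quote taken beforehand; a preview can be satisfied and the execution still land at a worse rate if an attacker's transaction is ordered in between. Callers compute `minSharesOut`/`minAssetsOut` off-chain from a preview minus a tolerance, exactly as they would for a swap.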