Omniscia Teahouse Finance Audit
Portfolio Strategy Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 74e2e7a064 | January 22nd 2024 | bc657b7e4f |
| 302b96f324 | February 6th 2024 | 53fe55c026 |
| a337648498 | February 10th 2024 | 5c61434b6c |
| 1dc136da87 | March 4th 2024 | 893b7aeaf4 |
| 3a0cc9c15a | March 6th 2024 | b98b6b7dda |
| 3a0cc9c15a | March 6th 2024 | b4893d8a15 |
Audit Overview
We were tasked with performing an audit of the Teahouse Finance codebase and in particular their V3 Portfolio Strategy module.
The system is composed of a router-like helper contract that is meant to ephemerally hold funds to forward interactions to the main portfolio contract of Teahouse Finance.
The portfolio contract is meant to represent a multi-collateral vault whereby users can deposit funds to and managers can utilize those funds to interact with various strategies, such as Uniswap V3 like positions or Aave lending markets.
A security-first approach can be observed in the router contract whereby delegatecall instructions are securely performed, a single state change exists, and all approvals are correctly erased after an interaction has occurred via its special-purpose TeaVaultV3PortfolioHelper::multicall system.
We would like to note that the managers of a portfolio have full control over all assets within it, and the Teahouse Finance team is strongly advised to be diligent in how they assign this role.
Over the course of the audit, we identified several medium-severity vulnerabilities that arise from donation attacks, absence of input sanitization, lingering storage changes, and other such novel attack vectors.
As a final note, we observed a design-level flaw in the way assets are maintained for the portfolio that can cause issues in how the portfolio is managed, given that the inclusion and / or removal of an asset is somewhat insecurely performed and can be hijacked via front-running.
We advise the Teahouse Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Teahouse Finance team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Teahouse Finance and have identified that certain exhibits have not been adequately dealt with. We advise the Teahouse Finance team to revisit the following exhibits: AOE-02M, TVV-03M, TVV-06M
Additionally, the following informational findings remain unaddressed and should be revisited: UVP-05C, TVH-02C, TVV-01S, TVV-13C, TVV-11C
Post-Audit Conclusion (a337648498)
The Teahouse Finance team re-evaluated the above exhibits and proceeded to supply additional remediations for AOE-02M and TVV-06M.
While exhibit AOE-02M has been properly dealt with, we advise the Teahouse Finance team to revisit TVV-06M as well as re-evaluate TVV-03M for which no further action was taken.
Post-Audit Conclusion (1dc136da87)
The Teahouse Finance team proceeded with supplying additional alleviations for TVV-06M while also addressing some partially alleviated exhibits; specifically: TVV-01S, UVP-05C, TVV-13C
Exhibit TVV-03M was acknowledged despite our additional analysis while TVV-11C remains partially alleviated.
Some additional changes potentially related to TVV-06M were observed which affected the security of the system, and the newly introduced flaw has been outlined in TVV-06M and needs to be alleviated.
As a final note, a flaw was identified in the TeaVaultV3Portfolio::withdraw function by the Teahouse Finance team's internal testing whereby the withdrawn value was overestimated, leading to the highWaterMark being underestimated and thus affecting the fees generated by the protocol.
We have confirmed that the Teahouse Finance team has properly alleviated this issue by replacing usage of the totalAmounts with withdrawnAmounts in the TeaVaultV3Portfolio::_calculateAssetsValue call.
Post-Audit Conclusion (3a0cc9c15a)
The Teahouse Finance team proceeded with alleviating TVV-06M as well as highlighting that TVV-11C was resolved in an earlier commit.
We proceeded with amending TVV-11C to illustrate this fact as well as introducing the latest alleviation action for TVV-06M.
We consider all exhibits properly dealt with, and all outputs of the audit report properly consumed by the Teahouse Finance team.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 3 | 1 | 0 | 2 |
 | 40 | 37 | 0 | 3 |
 | 13 | 12 | 0 | 1 |
 | 5 | 5 | 0 | 0 |
 | 0 | 0 | 0 | 0 |
During the audit, we filtered and validated a total of 5 findings utilizing static analysis tools as well as identified a total of 56 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: