Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Avantis>Low findings>Incorrect access control of ,setVaultManager, causes update lockout
GeneralOverview
Findings
Critical (6)
High (9)
Medium (6)
Low (10)Miscalculation of `totalPrincipalDeposited`Fee charged without market-order placementOne account can register multiple referral codesVault manager cannot access entire junior trancheThe maxRedeem function should comply with ERC-4626Incorrect access control causes update lockoutTrader contract can bypass max trades per pairLimit-order timelock not initialized on openPartial closes emit incorrect valueFunction lacks incorrect-payment sanity checks
Informational (7)
DiscussionReferral code incentives are misalignedVeTranche NFT info should be structNo way to remove user from Trading whitelistPyth price can become negative or erraticTranche has unnecessary `ReentrancyGuard`Checks-effects-interactions pattern brokenTypos
Threat ModelWhat are threat models?Execute.solReferral.solTrading.solTradingStorage.solTranche.solVaultManager.solVeTranche.sol
Audit ResultsSummary
Category: Coding Mistakes

Incorrect access control of setVaultManager causes update lockout

Low Severity
Low Impact
High Likelihood

Description

The setVaultManager function is used in VeTranche to update the address of the vault manager contract:

function setVaultManager(address _vaultManager) external onlyManager {
    require(_vaultManager != address(0), "ADDRESS_INVALID");
    vaultManager = IVaultManager(_vaultManager);
}

This function is onlyManager, so it can only be called by the vault manager. However, the current version of the vault manager contract never calls this function.

Impact

The vault manager cannot be updated.

Recommendations

Change this to onlyGov.

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit af954df9.

Zellic © 2025Back to top ↑