Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Circuit DAO>Critical findings>Improper condition filters in savings vault
GeneralOverview
Findings
Critical (4)Broken lineage check due to governance-coin unwrap logicMissing MOD_HASH validationImproper condition filters in savings vaultMissing condition filters in outlier resolver
High (7)
Medium (1)
Low (1)
Informational (3)
DiscussionVote aggregationTreasury-ring correctness relies on governanceConfusion of atom-announcer identityOracle-resolution votingTest code coverage
DesignDesign overviewThe statues coinGovernanceAtom announcerAnnouncer registryOracleTreasuryRecharge auctionSurplus auctionCollateral vaultSavings vaultBYC and CRT
Audit ResultsAssessment Results
Category: Business Logic

Improper condition filters in savings vault

Critical Severity
Critical Impact
High Likelihood

Description

The conditions returned by the inner puzzle of the savings-vault puzzle are filtered using the filter-conditions function. This function allows more than one CREATE_COIN condition to be passed. If two coins are created from this savings vault with the same puzzle mod but one contains different curried arguments, the lineage could still be proved.

Impact

New fake coins with nonzero value of DISCOUNTED_DEPOSIT could be used to steal from the treasury coin while still maintaining the correct lineage.

Recommendations

We recommend only allowing one CREATE_COIN condition to be returned from the inner puzzle of the savings vault.

Remediation

This issue has been acknowledged by Voltage Technologies Ltd., and a fix was implemented in commit 30165496.

Zellic © 2025Back to top ↑