Category: Coding Mistakes
Unchecked return value in setParkingLot
Impact: Informational
Severity: Informational
Likelihood: N/A
Description
The setParkingLot function in the ConcreteMultiStrategyVault contract does not check the successfulApproval boolean returned by TokenHelper.attemptForceApprove. If the approval fails, subsequent deposits to the parking lot will revert.
function setParkingLot(address parkingLot_) external onlyOwner {
// [...]
bool successfulApproval = TokenHelper.attemptForceApprove(token, parkingLot_, type(uint256).max, false);
emit ParkingLotUpdated(currentParkingLot, parkingLot_, successfulApproval);
parkingLot = IParkingLot(parkingLot_); // Update the fee recipient
}
Impact
If the approval fails, the contract still updates parkingLot to the new address. Since the vault requires token approval to deposit into the parking lot, all future parking-lot deposit attempts will fail.
Recommendations
Verify that the approval succeeds.
function setParkingLot(address parkingLot_) external onlyOwner {
// [...]
bool successfulApproval = TokenHelper.attemptForceApprove(token, parkingLot_, type(uint256).max, false);
+ require(successfulApproval, "Approve failed");
// [...]
}
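Review bot: with the added require(successfulApproval, "Approve failed") line, the ParkingLotUpdated event from the original function can only ever be emitted with successfulApproval set to true, because a failed approval now reverts the whole call. Consider dropping that argument from the event, or documenting that it is always true after this change, so off-chain consumers do not keep treating it as a meaningful signal.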
Remediation
This issue has been acknowledged by Blueprint Finance, and a fix was implemented in commit 7b237030.