Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Concrete>Informational findings>Incorrect use of the function ,_getRewardTokens, to initialize the ,rewardTokens
GeneralOverview
Findings
High (2)
Medium (6)
Low (8)
Informational (9)The fees charged to the feeRecipient are inconsistent between functions deposit and mintThe BTCLinkedPriceFeed contract does not initialize the ownerInsufficient validation of _requestIdUnchecked return value in setParkingLotIncorrect withdrawable check in _withdrawStrategyFundsConcreteMultiStrategy should inherit from ReentrancyGuardUpgradeable instead of ReentrancyGuardIncorrect implementation of max functions in ConcreteMultiStrategyStrategy rewards accrue after the share price has been calculatedIncorrect use of the function _getRewardTokens to initialize the rewardTokens
DiscussionThe ConcreteOracle.getAssetPrice should ensure the returned price uses eight decimalsUnused _decimals variable in strategiesTest suite
DesignComponent: ControllerComponent: ConcreteMultiStrategyVaultComponent: WithdrawalComponent: Strategies
Audit ResultsAssessment Results
Category: Coding Mistakes

Incorrect use of the function _getRewardTokens to initialize the rewardTokens

Informational Impact
Informational Severity
N/A Likelihood

Description

The constructor of the MorphoVaultStrategy contract tries to generate a reward-token array by using the function _getRewardTokens.

constructor(ConstructorParams memory params) {
    // [...]
    __StrategyBase_init(
        params.baseAsset,
        string.concat("Concrete Morpho Vault ", symbol, " Strategy"),
        string.concat("ctMV1-", symbol),
        params.feeRecipient,
        type(uint256).max,
        params.owner,
!       _getRewardTokens(params.rewardFee),
        params.vault
    );

    // [...]
}

However, this function's returned array is based on the length of the storage variable rewardTokens, which is empty during deployment.

function _getRewardTokens(uint256 rewardFee_) internal view returns (RewardToken[] memory) {
    address[] memory rewards = getRewardTokenAddresses();
    RewardToken[] memory r = new RewardToken[](rewards.length);
    // [...]
    return r;
}

function getRewardTokenAddresses() public view virtual returns (address[] memory) {
    //Each strategy should avoid returning the token considered in the _totalAssets function as a reward token
    uint256 len = rewardTokens.length;
    address[] memory rT = new address[](len);
    // [..]
    return rT;
}

Impact

This means that the owner needs to add the reward token separately via the function addRewardToken after deployment, which should not be required if the deployment is correct.

Recommendations

Consider implementing appropriate logic to generate the reward-token array during deployment.

Remediation

This issue has been acknowledged by Blueprint Finance, and a fix was implemented in commit 7bec80ce.

Zellic © 2025Back to top ↑