Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Concrete>Low findings>The function ,redeem, lacks dust-amount check
GeneralOverview
Findings
High (2)
Medium (6)
Low (8)The VaultManager contract lacks the code to call the function emergencyRemoveStrategyIncorrect transfer amount in the function rescueFundsThe function redeem lacks dust-amount checkInconsistent handling of infinite allowance in _withdrawLack of support for the 0.01% fee tier for swaps in MorphoVaultStrategyFunction getAvailableAssetsForWithdrawal should return zero when withdrawEnabled is falseFunction changeAllocations does not check vaultIdle status before redistributing assetsIncorrect rounding direction in previewMint
Informational (9)
DiscussionThe ConcreteOracle.getAssetPrice should ensure the returned price uses eight decimalsUnused _decimals variable in strategiesTest suite
DesignComponent: ControllerComponent: ConcreteMultiStrategyVaultComponent: WithdrawalComponent: Strategies
Audit ResultsAssessment Results
Category: Business Logic

The function redeem lacks dust-amount check

Low Impact
Low Severity
Low Likelihood

Description

Functions deposit and mint check whether the amount of shares to be minted is greater than the DUST amount, and the function withdraw checks whether the amount of shares to be burned is greater than the DUST amount. However, the function redeem does not perform this check.

Impact

When a user redeems a dust amount of shares, they may receive zero assets, resulting in a loss of funds.

Recommendations

Add a check in the function redeem to ensure that the amount of shares is greater than DUST.

Remediation

This issue has been acknowledged by Blueprint Finance, and a fix was implemented in commit 7e38c044.

Zellic © 2025Back to top ↑