Category: Coding Mistakes

Function getAvailableAssetsForWithdrawal should return zero when withdrawEnabled is false

Low Impact
Low Severity
Low Likelihood

Description

When withdrawEnabled is false, the revert in _protocolWithdraw prevents the Concrete Vault from withdrawing from the MultiSigStrategyV1 strategy:

function _protocolWithdraw(uint256 assets_, uint256) internal virtual override {
    if (!withdrawEnabled) revert WithdrawDisabled();
    // [...]
}

Therefore, getAvailableAssetsForWithdrawal should return 0 in this case. However, it currently returns _vaultDepositedAmount:

function getAvailableAssetsForWithdrawal() public view override returns (uint256) {
    if (!withdrawEnabled) return _vaultDepositedAmount;
    // [...]
}

Impact

For a Concrete Vault using the MultiSigStrategyV1 strategy, if withdrawEnabled is false, the vault receives an incorrect estimate of the withdrawable amount from the strategies.
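The mismatch described above can be written as a property check: any non-zero amount a strategy reports must be withdrawable without a revert. The Solidity below is an added example, not code from the report or from the Concrete code base; StrategyModel, AvailabilityCheck, returnZeroWhenDisabled and the external protocolWithdraw are hypothetical names, and the elided function bodies are assumed to reduce to a single deposited-amount counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model of the two functions quoted in this finding. It is NOT
// MultiSigStrategyV1: the elided bodies ("// [...]") are replaced by the
// simplest assumption, a single deposited-amount counter.
contract StrategyModel {
    error WithdrawDisabled();

    bool public withdrawEnabled;
    uint256 internal _vaultDepositedAmount;
    // Hypothetical switch: true = recommended behaviour, false = current behaviour.
    bool public immutable returnZeroWhenDisabled;

    constructor(uint256 deposited_, bool returnZeroWhenDisabled_) {
        _vaultDepositedAmount = deposited_;
        returnZeroWhenDisabled = returnZeroWhenDisabled_;
    }

    function setWithdrawEnabled(bool enabled_) external {
        withdrawEnabled = enabled_;
    }

    function getAvailableAssetsForWithdrawal() public view returns (uint256) {
        if (!withdrawEnabled) {
            return returnZeroWhenDisabled ? 0 : _vaultDepositedAmount;
        }
        return _vaultDepositedAmount; // assumption standing in for the elided logic
    }

    // External stand-in for the internal _protocolWithdraw so a caller can probe it.
    function protocolWithdraw(uint256 assets_) external {
        if (!withdrawEnabled) revert WithdrawDisabled();
        _vaultDepositedAmount -= assets_;
    }
}

contract AvailabilityCheck {
    // Property: a non-zero reported amount must be withdrawable. With the current
    // behaviour, withdrawals disabled and a non-zero deposit, this returns false.
    function reportedAmountIsWithdrawable(StrategyModel strategy) external returns (bool) {
        uint256 reported = strategy.getAvailableAssetsForWithdrawal();
        if (reported == 0) return true;
        try strategy.protocolWithdraw(reported) {
            return true;
        } catch {
            return false;
        }
    }
}
```

Deploying StrategyModel with a non-zero deposit and withdrawEnabled left false, the check returns false when returnZeroWhenDisabled is false and true when it is true.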

Recommendations

Update the getAvailableAssetsForWithdrawal function to return zero when withdrawEnabled is false.

function getAvailableAssetsForWithdrawal() public view override returns (uint256) {
-    if (!withdrawEnabled) return _vaultDepositedAmount;
+    if (!withdrawEnabled) return 0;
    // [...]
}
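Review bot: on the `+` line, `return 0` changes what callers see while withdrawals are disabled, and the hunk carries no comment or NatSpec stating that the zero mirrors the `WithdrawDisabled` revert in `_protocolWithdraw`. Document that on the function, and check every caller that reads a non-zero value here while `withdrawEnabled` is false before changing the return value.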

Remediation

Blueprint Finance provided the following response to this finding:

We intentionally return _vaultDepositedAmount when withdrawEnabled is false. This was originally a workaround to force withdrawals to go through the queue, since some vaults weren’t upgradeable.

This behavior only applies when multiSigStrategy is the sole strategy in the vault, and we’d prefer to keep it as-is for backward compatibility.

Zellic © 2025