Category: Business Logic

Unvalidated agreement metadata in FCFS EOIs

Medium Impact
High Severity
Medium Likelihood

Description

The submitEOI function in RoundManager forwards the caller-supplied globalValues and partyValues directly into the agreement without any validation or sanitization. In first-come, first-served (FCFS) rounds, the contract immediately finalizes by calling allocate, which triggers signContractWithEscrow, so the CyberCorp never has a chance to review the submitted metadata.

function submitEOI(
    bytes32 roundId,
    EOI memory eoi,
    string[] memory globalValues,
    string[] memory partyValues,
    bytes memory signature,
    uint256 salt,
    address[] memory conditions,
    bytes32 secretHash
) external returns (bytes32 agreementId, uint256 tokenId) {
    // [...]
    (agreementId, tokenId) = RoundManagerStorage.submitEOI(
        LexScrowStorage.lexScrowStorage(),
        roundId,
        eoi,
        globalValues,
        partyValues,
        signature,
        salt,
        conditions,
        secretHash
    );
    // [...]
    if (round.roundType == RoundType.FCFS) {
        this.allocate(agreementId, eoi.maxAmount);
    }
}

An investor can therefore record arbitrary statements (for example, claiming a 10,000 USD commitment while only escrowing 100 USD) that the CyberCorp is forced to cosign, producing a finalized agreement whose on-chain terms do not match the funds actually committed.

Impact

Because FCFS rounds auto-finalize in the same transaction as the submission, any participant can record misleading or abusive metadata in a cosigned agreement without the CyberCorp ever reviewing it.

Recommendations

We recommend validating agreement metadata before it is accepted: allow the CyberCorp to configure an allowlist of permitted globalValues entries for the round, and make submitEOI reject any submission that includes a value outside that list. Because FCFS rounds call allocate in the same transaction, this check has to run before the EOI is stored and the agreement is signed.
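The following is an added sketch of that control, not cyberRaise code; it assumes the real contract can report a round's CyberCorp address (_cyberCorpOf, assumed), and the function and error names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the recommended control, not cyberRaise code.
// Assumes the real contract can tell us which address is the CyberCorp
// for a round (_cyberCorpOf); everything else here is illustrative.
abstract contract EOIMetadataAllowlist {
    // roundId => keccak256(permitted globalValues entry) => allowed
    mapping(bytes32 => mapping(bytes32 => bool)) private _allowedGlobal;

    event GlobalValueAllowed(bytes32 indexed roundId, string value, bool allowed);

    error NotCyberCorp(bytes32 roundId, address caller);
    error DisallowedGlobalValue(bytes32 roundId, uint256 index, string value);

    // Supplied by the inheriting contract (assumed to exist in the real code).
    function _cyberCorpOf(bytes32 roundId) internal view virtual returns (address);

    // Only the round's CyberCorp may add or remove permitted entries.
    function setAllowedGlobalValue(bytes32 roundId, string calldata value, bool allowed)
        external
    {
        if (msg.sender != _cyberCorpOf(roundId)) revert NotCyberCorp(roundId, msg.sender);
        _allowedGlobal[roundId][keccak256(bytes(value))] = allowed;
        emit GlobalValueAllowed(roundId, value, allowed);
    }

    // Exact-match check: every submitted entry must be on the round's allowlist.
    // Hashing the string keeps the lookup O(1) regardless of its length.
    function _validateGlobalValues(bytes32 roundId, string[] memory globalValues)
        internal
        view
    {
        for (uint256 i = 0; i < globalValues.length; i++) {
            if (!_allowedGlobal[roundId][keccak256(bytes(globalValues[i]))]) {
                revert DisallowedGlobalValue(roundId, i, globalValues[i]);
            }
        }
    }

    // The check runs before the EOI is stored and before the FCFS branch
    // calls allocate, so a rejected submission never reaches signContractWithEscrow.
    function submitEOI(bytes32 roundId, string[] memory globalValues) external virtual {
        _validateGlobalValues(roundId, globalValues);
        // [...] existing RoundManagerStorage.submitEOI and FCFS allocate follow here
    }
}
```

With an empty allowlist every non-empty globalValues array is rejected, so the CyberCorp must populate the list before opening the round; partyValues can be screened with the same lookup.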

Remediation

MetaLex provided the following response to this finding:

The final legal agreements will be structured in such a way that will protect from malicious input attempts. The deal will follow the investment amount, subject to the round min/max, and the tokenized certificates will only reflect the actual paid amount. Founders will have the ability, and legal backing, to handle someone intentionally putting false text fields into the legal agreement.

Zellic © 2025