Category: Business Logic

Inaccessible contract balance due to flawed withdrawal mechanism

Medium Impact
Medium Severity
Medium Likelihood

Description

The ListaEarnStrategyManager contract has a design flaw: its totalBalance function correctly counts both its vault shares and the asset balance held directly by the contract, but its withdraw function can only pull assets out of the vault. Any assets that accumulate directly in the contract balance therefore become permanently inaccessible.

The totalBalance function calculates the following:

function totalBalance() external view returns (uint256) {
  return vault.convertToAssets(vault.balanceOf(address(this)))
    + IERC20(vault.asset()).balanceOf(address(this));
}

However, the withdraw function only handles vault withdrawals:

function withdraw(uint256 amount, address receiver)
  external
  onlyRole(WITHDRAWAL_ROLE)
  nonReentrant
{
  require(amount > 0, StdError.ZeroAmount());

  // Only the vault position is redeemed; tokens held directly by this
  // contract are never transferred to the receiver.
  uint256 shares = vault.withdraw(amount, receiver, address(this));
  require(shares > 0, ListaEarnStrategyManager__ZeroSharesReturned());

  emit Withdraw(asset, receiver, amount, shares);
}

Impact

ExtensibleVault.totalAssets sums the totalBalance of every manager, including ListaEarnStrategyManager, so tokens trapped in the manager's direct balance are reported as available even though they cannot be withdrawn. If a significant amount accumulates there, the vault will report a high totalAssets yet be unable to honor withdrawal requests.

function totalAssets()
  public
  view
  virtual
  override(IExtensibleVault, ERC4626Upgradeable)
  returns (uint256)
{
  address[] memory managers = getRoleMembers(MANAGER_ROLE);
  uint256 managerAssets = 0;
  for (uint256 i = 0; i < managers.length; i++) {
    managerAssets += IManager(managers[i]).totalBalance();
  }
  return managerAssets + IERC20(asset()).balanceOf(address(this));
}

Recommendations

Implement a withdrawal path that draws on both the vault position and the contract's direct asset balance, so that every unit counted by totalBalance remains withdrawable.
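The corrected withdrawal logic the recommendation calls for, as an added sketch that is not the project's code: the contract name, the minimal role setup and the OpenZeppelin 5.x import paths are assumptions, and only the state needed to show the fix is included.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {IERC4626} from "@openzeppelin/contracts/interfaces/IERC4626.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical sketch, not the project's contract: just enough state to show the corrected withdraw.
contract StrategyManagerSketch is AccessControl, ReentrancyGuard {
    using SafeERC20 for IERC20;
    bytes32 public constant WITHDRAWAL_ROLE = keccak256("WITHDRAWAL_ROLE");
    error ZeroAmount();
    error ZeroSharesReturned();
    event Withdraw(address indexed asset, address indexed receiver, uint256 amount, uint256 shares);
    IERC4626 public immutable vault;
    IERC20 public immutable asset;

    constructor(IERC4626 vault_) {
        vault = vault_;
        asset = IERC20(vault_.asset());
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // Same accounting as the page's totalBalance: vault position plus tokens held directly.
    function totalBalance() external view returns (uint256) {
        return vault.convertToAssets(vault.balanceOf(address(this))) + asset.balanceOf(address(this));
    }

    // Corrected withdraw: serve the request from the directly held balance first, then redeem
    // the remainder from the vault, so every unit counted by totalBalance stays reachable.
    function withdraw(uint256 amount, address receiver) external onlyRole(WITHDRAWAL_ROLE) nonReentrant {
        if (amount == 0) revert ZeroAmount();
        uint256 idle = asset.balanceOf(address(this));
        uint256 fromIdle = amount < idle ? amount : idle;
        uint256 fromVault = amount - fromIdle;
        uint256 shares = 0;
        if (fromVault > 0) {
            // The vault sends fromVault assets straight to receiver and burns this contract's shares.
            shares = vault.withdraw(fromVault, receiver, address(this));
            if (shares == 0) revert ZeroSharesReturned();
        }
        if (fromIdle > 0) asset.safeTransfer(receiver, fromIdle);
        emit Withdraw(address(asset), receiver, amount, shares);
    }
}
```

With this ordering the invariant "withdrawable amount equals totalBalance" holds up to the vault's own rounding, which is the check to add to the test suite.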

Remediation

This issue has been acknowledged by Mitosis, and a fix was implemented in commit b30eddef.

Zellic © 2025