
Privileged role operation

All manager contracts (ExternalManager, ListaCDPStrategyManager, ListaEarnStrategyManager, and yoVaultManager) implement a withdraw function protected only by WITHDRAWAL_ROLE, so any address granted this role can extract funds to an arbitrary receiver; the function is not restricted to the ExtensibleVault contract. This design creates an access-control vulnerability: an administrator could grant WITHDRAWAL_ROLE to a malicious actor, or a compromised account holding the role could drain the manager's funds.

function withdraw(uint256 amount, address receiver)
    external
    onlyRole(WITHDRAWAL_ROLE)
    nonReentrant
{
    [...]
}

Consider implementing a multi-signature or DAO mechanism alongside timelock controls for critical operations such as role assignments. This would help prevent single-point-of-failure vulnerabilities in admin accounts.
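As an added illustration (not code from the Mitosis contracts), the sketch below shows a manager that keeps WITHDRAWAL_ROLE but additionally binds withdrawals to the vault, so a stray role grant or a compromised role holder cannot redirect funds. It assumes OpenZeppelin Contracts v5 import paths and a hypothetical `vault` immutable holding the ExtensibleVault address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative hardening, not Mitosis code. Assumes OpenZeppelin Contracts v5.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract ManagerHardened is AccessControl, ReentrancyGuard {
    using SafeERC20 for IERC20;

    bytes32 public constant WITHDRAWAL_ROLE = keccak256("WITHDRAWAL_ROLE");

    IERC20 public immutable asset;
    // Hypothetical: the single ExtensibleVault this manager serves.
    address public immutable vault;

    error NotVault(address caller);
    error ReceiverNotVault(address receiver);

    // `admin` is intended to be a TimelockController (itself governed by a
    // multi-sig or DAO), so role changes are delayed and not a single key.
    constructor(IERC20 asset_, address vault_, address admin) {
        asset = asset_;
        vault = vault_;
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(WITHDRAWAL_ROLE, vault_);
    }

    // Hardened withdraw: the role is still checked, but the caller must be
    // the vault and funds may only flow back to the vault. Granting the role
    // to any other address therefore confers no ability to move funds.
    function withdraw(uint256 amount, address receiver)
        external
        onlyRole(WITHDRAWAL_ROLE)
        nonReentrant
    {
        if (msg.sender != vault) revert NotVault(msg.sender);
        if (receiver != vault) revert ReceiverNotVault(receiver);
        asset.safeTransfer(receiver, amount);
    }
}
```

With both checks in place, the blast radius of a mistaken or malicious WITHDRAWAL_ROLE grant collapses to zero, and the timelocked admin gives operators time to react to an unexpected role change.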

Remediation

Mitosis provided the following response:

WITHDRAWAL_ROLE will actually be integrated with properly implemented on-chain contracts such as ExtensibleVault in the actual contract setup, and in such cases, there are practically no issues.

Zellic © 2025