Component: LedgerImplC

Description

LedgerImplC is the third extension of the Ledger contract, specifically tailored for supporting Solana-based accounts and withdrawals. It handles deposits and withdrawals associated with Solana public keys, adding them to Ledger’s records in the same way as Ethereum-based accounts. This contract also integrates cross-chain calls for approving and finalizing withdrawals.

Invariants

  1. Solana account integrity

    • Deposits and withdrawals must reference a valid accountId that matches the broker hash and the Solana public key, verified by Utils.validateAccountId.

    • If an account has never been registered, its first Solana-based deposit automatically registers it with a pubkey.

  2. Balance freezing and finalization

    • Whenever a withdrawal is initiated, the appropriate amount is frozen in both the Ledger and the VaultManager.

    • Finalization (immediate, in the case of Solana) ensures that no duplicate withdrawal or double-spend can occur.

  3. Broker and token allowlists

    • Any broker or token involved in deposits or withdrawals must be on the VaultManager allowlist.

    • If vaultManager.getAllowedBroker or vaultManager.getAllowedChainToken returns false, the transaction reverts.

  4. Signature validation

    • Solana-specific withdrawals require an EIP-712-like verification by Signature.verifyWithdrawSol. This prevents unauthorized parties from initiating a withdrawal.
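
The invariants above can be written as a small executable model to use as a test oracle. This is an added example, not code from the audited contracts or from the report: `Model`, `Revert`, the nonce-based replay tracking, and the single-token vault are assumptions, and `sig_valid` stands for the result of Signature.verifyWithdrawSol.

```python
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for an EVM revert: state must be left untouched."""

@dataclass
class Model:
    allowed_brokers: set
    allowed_tokens: set
    max_fee: int
    ledger_balance: dict = field(default_factory=dict)  # account_id -> balance
    ledger_frozen: dict = field(default_factory=dict)   # account_id -> frozen amount
    vault_balance: int = 0
    vault_frozen: int = 0
    finalized: set = field(default_factory=set)         # assumed replay guard (nonces)

    def deposit(self, account_id, broker, token, amount):
        self._check_allowlists(broker, token)
        self.ledger_balance[account_id] = self.ledger_balance.get(account_id, 0) + amount
        self.vault_balance += amount

    def withdraw_sol(self, account_id, broker, token, amount, fee, nonce, sig_valid):
        # In this model every check runs before any state change.
        self._check_allowlists(broker, token)
        if not sig_valid:
            raise Revert("invalid signature")
        if fee > self.max_fee:
            raise Revert("fee above maximum")
        if nonce in self.finalized:
            raise Revert("withdrawal already finalized")
        if amount > self.ledger_balance.get(account_id, 0) or amount > self.vault_balance:
            raise Revert("insufficient balance")
        # Freeze the same amount on the ledger side and the vault side ...
        self.ledger_balance[account_id] -= amount
        self.ledger_frozen[account_id] = self.ledger_frozen.get(account_id, 0) + amount
        self.vault_balance -= amount
        self.vault_frozen += amount
        assert sum(self.ledger_frozen.values()) == self.vault_frozen
        # ... then finalize in the same step (the Solana path).
        self.ledger_frozen[account_id] -= amount
        self.vault_frozen -= amount
        self.finalized.add(nonce)

    def _check_allowlists(self, broker, token):
        if broker not in self.allowed_brokers or token not in self.allowed_tokens:
            raise Revert("broker or token not allowed")

    def snapshot(self):
        return (dict(self.ledger_balance), dict(self.ledger_frozen),
                self.vault_balance, self.vault_frozen, set(self.finalized))
```

Comparing `snapshot()` before and after a rejected call shows that a failed check leaves both sides' balances unchanged.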

Test coverage

Key cases covered

  1. EIP-712 verification

    • Ensures valid chainId and signature data pass the Signature.verifyWithdrawSol check for a Solana-based withdrawal

  2. EIP-712 failure

    • Demonstrates that incorrect or manipulated signature data fails verification and is rejected

  3. Depositing funds

    • Verifies that calling accountDepositSol correctly registers the Solana public key if unregistered, credits the ledger balance, and increments the vault balance

  4. Withdrawal approval

    • Confirms that for Solana, an immediate finalization of the withdrawal occurs if all conditions pass — balances are moved into a frozen state then finalized in one step

  5. Broker denial

    • Reverts if the provided brokerHash is disallowed, blocking unapproved brokers from using the system

  6. Fee limits

    • Fails a withdrawal if the requested fee exceeds the configured max withdrawal fee, preventing users from paying excessive fees and ensuring stable operation

Attack surface

  • Invalid Solana signatures

    • Calls to verifyWithdrawSol ensure that each Solana-based request is signed by the genuine holder of the associated Solana pubkey. If the signature is invalid, the withdrawal reverts.

  • Unauthorized broker or token

    • The system enforces a broker and token allowlist. Any deposit or withdrawal with a disallowed brokerHash or token fails.

  • Frozen-balance manipulation

    • The ledger and the vault must freeze the same withdrawal amount. If freezing were tampered with, the system would quickly lose track of correct balances. The onlyLedger modifier mitigates external tampering.

  • Cross-chain vulnerabilities

    • Solana-based operations rely on ILedgerCrossChainManagerV2 calls. A compromised cross-chain manager could attempt fraudulent withdrawals. However, signature checks, broker checks, and chain token allowlists mitigate this risk.

Zellic © 2025