Category: Business Logic

Deposit-cap bypass

Impact: Low
Severity: Low
Likelihood: Low

Description

The _beforeDeposit function verifies whether the depositor is whitelisted and whether the deposit amount is within the deposit cap. However, there are two issues with the current implementation:

  1. The receiver address is not checked against the whitelist. This allows a depositor to use multiple receiver accounts to bypass the depositCapPerUser limit.

  2. Even if the receiver is whitelisted initially, the _update, claim, and withdraw functions do not verify whitelist status. This means a depositor can transfer their shares to any account to bypass the deposit cap after the initial deposit.

if (_isWhitelistMode() && !_isWhitelisted(depositor)) {
    revert NotWhitelisted(depositor);
}

// [...]

if (balanceOf(receiver) + scaledAmount > depositCapPerUser) {
    revert DepositCapPerUserExceeded(amount, _vaultConfig.depositCapPerUser);
}

Impact

The deposit-cap mechanism can be bypassed by using multiple accounts, allowing unauthorized users to claim rewards and withdraw funds from the vault.

Recommendations

We recommend the following:

  1. Add whitelist verification for the receiver address in the _beforeDeposit function.

  2. Implement whitelist checks in the _update function to ensure only whitelisted accounts can interact with the vault.
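A minimal sketch of both recommendations, added here as an example; it is not code from the audited vault or from the report. The contract name, storage layout, owner, setWhitelisted, deposit and transfer are assumptions made so the checks can be shown in context.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch, not the audited vault: storage, owner, setWhitelisted, deposit
// and transfer are assumptions; shares are minted 1:1 and no asset is moved.
contract CappedVaultSketch {
    error NotWhitelisted(address account);
    error DepositCapPerUserExceeded(uint256 amount, uint256 cap);
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) private _whitelist;
    uint256 public immutable depositCapPerUser;
    address public immutable owner;
    constructor(uint256 cap) { owner = msg.sender; depositCapPerUser = cap; }
    function setWhitelisted(address account, bool allowed) external {
        require(msg.sender == owner, "not owner");
        _whitelist[account] = allowed;
    }
    function _isWhitelistMode() internal pure returns (bool) { return true; } // assumed always on
    function _isWhitelisted(address a) internal view returns (bool) { return _whitelist[a]; }

    // Recommendation 1: check the receiver as well as the depositor.
    function _beforeDeposit(address depositor, address receiver, uint256 amount) internal view {
        if (_isWhitelistMode()) {
            if (!_isWhitelisted(depositor)) revert NotWhitelisted(depositor);
            if (!_isWhitelisted(receiver)) revert NotWhitelisted(receiver);
        }
        if (balanceOf[receiver] + amount > depositCapPerUser) {
            revert DepositCapPerUserExceeded(amount, depositCapPerUser);
        }
    }

    // Recommendation 2: every share movement passes through _update, so a
    // recipient check here also covers transfers made after the deposit.
    // Burns (to == address(0)) are exempt so existing holders can still exit.
    function _update(address from, address to, uint256 value) internal {
        if (to != address(0) && _isWhitelistMode() && !_isWhitelisted(to)) {
            revert NotWhitelisted(to);
        }
        if (from != address(0)) balanceOf[from] -= value; // checked math reverts on underflow
        if (to != address(0)) balanceOf[to] += value;
    }

    function deposit(uint256 amount, address receiver) external {
        _beforeDeposit(msg.sender, receiver, amount);
        _update(address(0), receiver, amount);
    }
    function transfer(address to, uint256 value) external returns (bool) {
        _update(msg.sender, to, value);
        return true;
    }
}
```

The sketch adds only the two whitelist checks; the cap itself is still evaluated at deposit time, as in the excerpt above.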

Remediation

River also provided the following response to this issue:

This is the expected behavior by design.

Zellic © 2025