Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Smart Vault>Medium findings>Insufficient test coverage
GeneralOverview
Findings
Medium (1)Insufficient test coverage
Low (4)
Informational (3)
DiscussionReentrancy guard modifier
Threat ModelWhat are threat models?RewardVault.solSmartVault.solSmartVaultManager.sol
Audit ResultsAssessment Results
Category: Protocol Risks

Insufficient test coverage

Medium Impact
Medium Severity
N/A Likelihood

Description

When building a complex contract with multiple moving parts (state changes) and dependencies, comprehensive testing is essential. This includes testing for both positive and negative scenarios on every function that touches the contract's state.

Positive tests should verify that each function's side effect is as expected, while negative tests should cover every revert, preferably in every logical branch.

The test coverage for this project should be expanded to include all contracts, and all functions — not just surface-level functions. It is important to test the invariants required for ensuring security and also verify any mathematical properties from the project's specification.

Unit tests for each individual function are not fully implemented. The tests are written based on scenario-based flows, primarily focusing on setting vault, deposit, withdraw, and claim under general vault configurations. The testing did not include any scenarios involving removeAllocation.

Impact

Good test coverage has multiple effects:

  • It finds bugs and design flaws early (preaudit or prerelease).

  • It gives insight into areas for optimization (e.g., gas cost).

  • It displays code maturity.

  • It bolsters customer trust in the product.

  • It improves understanding of how the code functions, integrates, and operates — for developers and auditors alike.

  • It increases development velocity long-term.

The last point may seem contradictory given the time investment to create and maintain tests. To expand upon it, tests help developers trust their own changes. It is difficult to know if a code refactor — or even just a small one-line fix — breaks other code if there are no tests. This is especially true for new developers or those returning to the code after a prolonged absence.

Tests have your back here. They are an excellent indicator that the existing functionality was most likely not broken by a change to the code. Without a comprehensive test suite, the above benefits are lost. This increases the likelihood of bugs and vulnerabilities going unnoticed until after deployment, which can be costly and damaging to the project's reputation.

Recommendations

We recommend building a rigorous test suite that includes all contracts to ensure that the system operates securely and as intended.

Remediation

River also provided the following response to this issue:

We will add more test cases to improve test coverage and ensure comprehensive testing of the functionality.

Zellic © 2025Back to top ↑