Assessment reportsPublic findings
Back to Zellic site
Assessment reports>StakeKit>Medium findings>Centralization risk
GeneralOverview
Findings
Critical (1)
High (1)
Medium (3)Drain and financial loss resulting from rounding issueFreezing of users' funds due to excessive fee settingsCentralization risk
Low (1)
Patch ReviewPatch Review
Threat ModelWhat are threat models?AllocatorVaultV1.sol
Audit ResultsAssessment Results
Category: Protocol Risks

Centralization risk

Medium Severity
Low Impact
Low Likelihood

Description

In the claimAdditionalRewards function, the contract checks if the target is whitelisted and if the rewards-asset address is not the underlying or strategy address. This prevents even the owner from withdrawing the underlying or strategy tokens. However, the admin can set the target address to strategy by allowing the strategy address to be whitelisted, and then the admin can withdraw all the strategy tokens using the approve function. This centralization risk can prevent users from withdrawing their unclaimed rewards.

require(whitelistedTargets[target][functionSelector], "Target not whitelisted");

require(rewardsAsset != address(underlying), "Cannot claim underlying asset");
require(rewardsAsset != address(strategy), "Cannot claim strategy asset");
require(rewardsAsset != address(this), "Cannot claim vault asset");

Impact

By abusing this functionality with an admin account, the admin can withdraw all the strategy tokens.

Recommendations

Add a check for the target address.

Remediation

This issue has been acknowledged by StakeKit, and a fix was implemented in commit 3d9b9f45.

Zellic © 2025Back to top ↑