Assessment reportsPublic findings
Back to Zellic site
Assessment reports>StakeKit>Patch Review>Patch Review
GeneralOverview
Findings
Critical (1)
High (1)
Medium (3)
Low (1)
Patch ReviewPatch Review
Threat ModelWhat are threat models?AllocatorVaultV1.sol
Audit ResultsAssessment Results

Patch Review

Incorrect performance fee calculation

We've reviewed the changes introduced in commit , specifically addressing the incorrect performance fee calculation in computeHarvestFee() which lead to undercharging on gains.

The fix resolves the undercharging issue by changing the perfFeeNum to multiply by SECONDS_IN_YEAR rather than timeElapsed. The updated logic appears sound.

-uint256 perfFeeNum = config.performanceFee * timeElapsed;
+uint256 perfFeeNum = config.performanceFee * SECONDS_IN_YEAR;

We also reviewed:

  • Upgrade safety: No concerns identified with respect to fee changes.

  • Integer safety: Confirmed that the calculation remains safe under 256-bit constraints; no risk of overflow.

  • Access control: The newly introduced claimMiscellaneousRewards function includes appropriate access control for sending non-strategy tokens to fee-recipient.

Based on our review, this patch effectively resolves the reported issue and introduces no new security concerns.

Zellic © 2025Back to top ↑