Concrete engaged Halborn to conduct a security assessment on their smart contract beginning on April 22nd, 2024 and ending on May 1st, 2024. A security assessment on smart contracts was performed on the scoped smart contracts provided to the Halborn team.

2. Assessment Summary

The team at Halborn was provided one week for the engagement and assigned a full-time security engineer to verify the security of the smart contract. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

Ensure that smart contract functions operate as intended.
Identify potential security issues with the smart contracts.

In summary, Halborn identified some security risks that were mostly addressed/acknowledged by the Concrete team.

3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:

Research into architecture and purpose.
Smart contract manual code review and walkthrough.
Graphing out functionality and contract logic/connectivity/functions (solgraph).
Manual assessment of use and safety for the critical Solidity variables and functions in scope to identify any arithmetic related vulnerability classes.
Manual testing by custom scripts.
Testnet deployment (Foundry).

3.1 Out-of-scope

External libraries and financial-related attacks.
Files located under src/examples/* folder.

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.

The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.

The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.

The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.

The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):

Captures whether the attack requires compromising a specific account.

Attack Cost (AC):

Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.

Attack Complexity (AX):

Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.

Metrics:

EXPLOITABILITY METRIC ( $m_e$ )	METRIC VALUE	NUMERICAL VALUE
Attack Origin (AO)	Arbitrary (AO:A) Specific (AO:S)	1 0.2
Attack Cost (AC)	Low (AC:L) Medium (AC:M) High (AC:H)	1 0.67 0.33
Attack Complexity (AX)	Low (AX:L) Medium (AX:M) High (AX:H)	1 0.67 0.33

Exploitability

E

is calculated using the following formula:

$E = \prod m_e$

4.2 IMPACT

Confidentiality (C):

Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.

Integrity (I):

Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.

Availability (A):

Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.

Deposit (D):

Measures the impact to the deposits made to the contract by either users or owners.

Yield (Y):

Measures the impact to the yield generated by the contract for either users or owners.

Metrics:

IMPACT METRIC ( $m_I$ )	METRIC VALUE	NUMERICAL VALUE
Confidentiality (C)	None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C)	0 0.25 0.5 0.75 1
Integrity (I)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Availability (A)	None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C)	0 0.25 0.5 0.75 1
Deposit (D)	None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C)	0 0.25 0.5 0.75 1
Yield (Y)	None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C)	0 0.25 0.5 0.75 1

Impact

I

is calculated using the following formula:

$I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}$

4.3 SEVERITY COEFFICIENT

Reversibility (R):

Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.

Scope (S):

Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.

Metrics:

SEVERITY COEFFICIENT ( $C$ )	COEFFICIENT VALUE	NUMERICAL VALUE
Reversibility ( $r$ )	None (R:N) Partial (R:P) Full (R:F)	1 0.5 0.25
Scope ( $s$ )	Changed (S:C) Unchanged (S:U)	1.25 1

Severity Coefficient

C

is obtained by the following product:

$C = rs$

The Vulnerability Severity Score

S

is obtained by:

$S = min(10, EIC * 10)$

The score is rounded up to 1 decimal places.

Severity	Score Value Range
Critical	9 - 10
High	7 - 8.9
Medium	4.5 - 6.9
Low	2 - 4.4
Informational	0 - 1.9

5. SCOPE

REPOSITORY

(a) Repository: money-printer

(b) Assessed Commit ID: e70780b

src/vault/ConcreteMultiStrategyVault.sol
src/swapper/Swapper.sol
src/swapper/OraclePlug.sol

↓ Expand ↓

Out-of-Scope: src/examples/ExampleStrategyBaseImplementation.sol

Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

High

Medium

Low

Informational

Security analysis	Risk level	Remediation Date
Single step ownership transfer process	Informational	Acknowledged
Owner can renounce Ownership	Informational	Acknowledged
A single compromised account can lock up the protocol	Informational	Acknowledged
Checked increments in for loops increases gas consumption	Informational	Solved - 05/07/2024
Missing checks for index out of bounds	Informational	Solved - 05/07/2024
Use external instead of public methods	Informational	Solved - 05/07/2024
PUSH0 is not supported by all chains	Informational	Acknowledged

7. Findings & Tech Details

7.1 Single step ownership transfer process

Informational

Description

Ownership of the contracts can be lost as the RewardManager,TokenRegistry,ImplementationRegistry,DeploymentManager and VaultFactory contract is inherited from the Ownable contract, and their ownership can be transferred in a single-step process. The address the ownership is changed to should be verified to be active or willing to act as the owner.


function transferOwnership(address newOwner) public virtual onlyOwner {
    require(newOwner != address(0), "Ownable: new owner is the zero address");
    _transferOwnership(newOwner);
}

function _transferOwnership(address newOwner) internal virtual {
    address oldOwner = _owner;
    _owner = newOwner;
    emit OwnershipTransferred(oldOwner, newOwner);
}

BVSS

AO:S/AC:L/AX:L/C:N/I:N/A:M/D:N/Y:N/R:N/S:U (1.0)

Recommendation

Consider using the Ownable2Step https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable2Step.sol library over the Ownable library.

Remediation Plan

ACKNOWLEDGED : The Concrete team acknowledged the issue. Since each of the contracts is owned by other contracts, the ability to transfer or renounce ownership is significantly limited. The use of Ownable2Step requires that the new owner accept ownership. Without a significant re-write of the existing contracts (which would negate the functionality of Ownable2Step) this is not feasible.

7.2 Owner can renounce Ownership

Informational

Description

Typically, the contract’s owner is the account that deploys the contract. As a result, the owner is able to perform certain privileged activities.

The Openzeppelin’s Ownable used in this project contract implements renounceOwnership. This can represent a certain risk if the ownership is renounced for any other reason than by design. Renouncing ownership will leave the contract without an owner, thereby removing any functionality that is only available to the owner.

function renounceOwnership() public virtual onlyOwner {
    _transferOwnership(address(0));

BVSS

AO:S/AC:L/AX:L/C:N/I:N/A:M/D:N/Y:N/R:N/S:U (1.0)

Recommendation

To mitigate the risks associated with unintended or unauthorized ownership transfers, it is recommended to adopt a more secure ownership transfer mechanism, such as OpenZeppelin's Ownable2Step. This implementation requires a two-step process for ownership transfer: first, the current owner initiates the transfer by specifying a new owner, and then the new owner must accept the ownership. This process adds an additional layer of security by ensuring that ownership is only transferred after explicit confirmation from both parties involved.

Implementing Ownable2Step will not only enhance the security of the contracts by preventing accidental or malicious ownership transfers but also ensure that any systems or contracts relying on its authorization remain consistent and up-to-date. This recommendation aligns with best practices for contract ownership management and governance within the Ethereum ecosystem.

Remediation Plan

7.3 A single compromised account can lock up the protocol

Informational

Description

The ability to pauseVault() and unpauseVault() the protocol is unilaterally controlled by a single admin account, which if compromised could be exploited to attempt to lock up the protocol and extort users.

It is advised that these capabilities are separated into distinct roles in an effort to reduce the consolidation of power that could be wielded in the event of a protocol exploit.

BVSS

AO:S/AC:L/AX:L/C:N/I:N/A:M/D:N/Y:N/R:N/S:U (1.0)

Recommendation

Consider adopting both an UNPAUSE_ROLE and PAUSE_ROLE.

Remediation Plan

ACKNOWLEDGED : The Concrete team acknowledged the issue. The client belief that the likelihood of this is exceptionally low. The admin role will be granted to a multi-sig to prevent rogue action. If they were to introduce a pause and unpause role, the same multisig would be provided in both roles, negating any positive benefits and creating unnecessary overhead.

7.4 Checked increments in for loops increases gas consumption

Informational

Description

Most of the solidity for loops use an uint256 variable counter that increments by 1 and starts at 0. These increments don't need to be checked for over/underflow because the variable will never reach the max capacity of uint256 as it would run out of gas long before that happens.

BVSS

AO:A/AC:H/AX:H/C:M/I:N/A:N/D:N/Y:N/R:N/S:U (0.5)

Recommendation

It is recommended to uncheck the increments in for loops to save gas. For example, instead of:

for (uint256 i; i < len; i++) {
                Strategy memory strategy = strategies[i];
                //We control both the length of the array and the external call
                //-next-line calls-loop
                uint256 withdrawable = strategy.strategy.previewRedeem(strategy.strategy.balanceOf(address(this)));
                if (diff.mulDiv(strategy.allocation.amount, 10_000, Math.Rounding.Ceil) > withdrawable) {
                    revert InsufficientFunds(strategy.strategy, diff * strategy.allocation.amount, withdrawable);
                }
                uint256 amountToWithdraw = amount_.mulDiv(strategy.allocation.amount, 10_000, Math.Rounding.Ceil);
                //We control both the length of the array and the external call
                //-next-line unused-return,calls-loop
                strategy.strategy.withdraw(amountToWithdraw, receiver_, address(this));
                totalWithdrawn += amountToWithdraw;
            }

Use:

for (uint256 i; i < len;) {
                Strategy memory strategy = strategies[i];
                //We control both the length of the array and the external call
                //-next-line calls-loop
                uint256 withdrawable = strategy.strategy.previewRedeem(strategy.strategy.balanceOf(address(this)));
                if (diff.mulDiv(strategy.allocation.amount, 10_000, Math.Rounding.Ceil) > withdrawable) {
                    revert InsufficientFunds(strategy.strategy, diff * strategy.allocation.amount, withdrawable);
                }
                uint256 amountToWithdraw = amount_.mulDiv(strategy.allocation.amount, 10_000, Math.Rounding.Ceil);
                //We control both the length of the array and the external call
                //-next-line unused-return,calls-loop
                strategy.strategy.withdraw(amountToWithdraw, receiver_, address(this));
                totalWithdrawn += amountToWithdraw;
                unchecked {++i};
            }

Remediation Plan

SOLVED : The Concrete team solved the issue by adding unchecked statement.

7.5 Missing checks for index out of bounds

Informational

Description

The functions pullFundsFromSingleStrategy, pushFundsIntoSingleStrategy, and addStrategy fail to implement checks for out-of-bounds access on the array of strategies with which the vault can interact.

/**
     * @notice Pulls funds back from a single strategy into the vault.
     * @dev Can only be called by the vault owner.
     * @param index_ The index of the strategy from which to pull funds.
     */
    function pullFundsFromSingleStrategy(uint256 index_) external onlyOwner {
        Strategy memory strategy = strategies[index_];
        // slither-disable-next-line unused-return
        strategy.strategy.redeem(strategy.strategy.balanceOf(address(this)), address(this), address(this));
        if (!IERC20(asset()).approve(address(strategy.strategy), 0)) revert ERC20ApproveFail();
    }

    /**
     * @notice Pushes funds from the vault into a single strategy based on its allocation.
     * @dev Can only be called by the vault owner. Reverts if the vault is idle.
     * @param index_ The index of the strategy into which to push funds.
     */
    function pushFundsIntoSingleStrategy(uint256 index_) external onlyOwner {
        if (vaultIdle) revert VaultIsIdle();
        Strategy memory strategy = strategies[index_];
        // slither-disable-next-line unused-return
        strategies[index_].strategy.deposit(
            totalAssets().mulDiv(strategy.allocation.amount, 10_000, Math.Rounding.Floor), address(this)
        );
    }

When the replace_ parameter is set to true, the function did not perform a check on the index.

function addStrategy(uint256 index_, bool replace_, Strategy calldata newStrategy_)
        external
        nonReentrant
        onlyOwner
        takeFees
    {
        //Ensure that allotments do not total > 100%
        uint256 allotmentTotals = 0;
        uint256 len = strategies.length;
        for (uint256 i; i < len; i++) {
            allotmentTotals += strategies[i].allocation.amount;
        }

        if (replace_) {
            if (allotmentTotals - strategies[index_].allocation.amount + newStrategy_.allocation.amount > 10000) {
                revert AllotmentTotalTooHigh();
            }
            // slither-disable-next-line unused-return
            strategies[index_].strategy.redeem(
                strategies[index_].strategy.balanceOf(address(this)), address(this), address(this)
            );
            if (!IERC20(asset()).approve(address(strategies[index_].strategy), 0)) revert ERC20ApproveFail();

            emit StrategyReplaced(strategies[index_], newStrategy_);

            strategies[index_] = newStrategy_;
            if (!IERC20(asset()).approve(address(newStrategy_.strategy), type(uint256).max)) revert ERC20ApproveFail();
        } else {
            if (allotmentTotals + newStrategy_.allocation.amount > 10000) {
                revert AllotmentTotalTooHigh();
            }
            strategies.push(newStrategy_);
            if (!IERC20(asset()).approve(address(newStrategy_.strategy), type(uint256).max)) revert ERC20ApproveFail();
        }
        emit StrategyAdded(newStrategy_);
    }

Proof of Concept

Passing index 4 to the strategies array triggered a panic due to out-of-bounds access.

function test_pullFundsFromSingleStrategy(uint256 amount_) public {
        //uint256 amount_ = 1e18;
        vm.assume(amount_ <= 100_000_000 * 1e18);
        vm.assume(amount_ > 0);
        amount_ = amount_ * 1e18;
        (ConcreteMultiStrategyVault newVault, Strategy[] memory strats) = _createNewVault(false, false, false);
        uint256 hazelsAmount = amount_;
        asset.mint(hazel, hazelsAmount);
        vm.prank(hazel);
        asset.approve(address(newVault), hazelsAmount);

        uint256 preDepositBalance = asset.balanceOf(hazel);
        assertEq(preDepositBalance, amount_, "Predeposit balance == amount");

        vm.prank(hazel);
        uint256 hazelShares = newVault.deposit(hazelsAmount, hazel);

        assertEq(hazelShares, amount_ * 1e9, "Shares with Offset");
        assertEq(
            MockERC4626(address(strats[0].strategy)).balanceOf(address(newVault)),
            amount_.mulDiv(3333, 10_000, Math.Rounding.Ceil) * 1e9,
            "Strategy 0 balance"
        );
        assertEq(
            MockERC4626(address(strats[1].strategy)).balanceOf(address(newVault)),
            amount_.mulDiv(3333, 10_000, Math.Rounding.Ceil) * 1e9,
            "Strategy 1 balance"
        );
        assertEq(
            MockERC4626(address(strats[2].strategy)).balanceOf(address(newVault)),
            amount_.mulDiv(3333, 10_000, Math.Rounding.Ceil) * 1e9,
            "Strategy 2 balance"
        );

        vm.prank(admin);
        newVault.pullFundsFromSingleStrategy(4);

        assertEq(MockERC4626(address(strats[0].strategy)).balanceOf(address(newVault)), 0, "Strategy 0 balance");
        assertEq(
            MockERC4626(address(strats[1].strategy)).balanceOf(address(newVault)),
            amount_.mulDiv(3333, 10_000, Math.Rounding.Ceil) * 1e9,
            "Strategy 1 balance"
        );
        assertEq(
            MockERC4626(address(strats[2].strategy)).balanceOf(address(newVault)),
            amount_.mulDiv(3333, 10_000, Math.Rounding.Ceil) * 1e9,
            "Strategy 2 balance"
        );
    }

Evidence:

BVSS

AO:A/AC:L/AX:L/C:N/I:N/A:N/D:N/Y:N/R:N/S:U (0.0)

Recommendation

It is advisable to implement out-of-bounds checks when accessing arrays in Solidity. Additionally, providing an error message when attempting to fetch data beyond the array's limit can inform the user about the cause of the execution reversion.

Remediation Plan

SOLVED : The Concrete team solved the issue by adding array index checks.

7.6 Use external instead of public methods

Informational

Description

The following methods are public and could be external. External is more gas optimize that public, so it should be used as much as possible.

swapTokensForReward() should be declared external:
- Swapper.swapTokensForReward() (swapper/Swapper.sol#75-94).
setRewardManager() should be declared external:
- Swapper.setRewardManager() (swapper/Swapper.sol#102-105).
disableTokenForSwap() should be declared external:
- Swapper.disableTokenForSwap() (swapper/Swapper.sol#111-113).

BVSS

AO:A/AC:L/AX:L/C:N/I:N/A:N/D:N/Y:N/R:N/S:U (0.0)

Recommendation

Use external instead of public methods.

Remediation Plan

SOLVED : The Concrete team solved the issue by replacing public to external.

7.7 PUSH0 is not supported by all chains

Informational

Description

The compiler for Solidity 0.8.20 switches the default target EVM version to Shanghai, which means that the generated bytecode will include PUSH0 opcodes. Be sure to select the appropriate EVM version in case you intend to deploy on a chain other than mainnet like L2 chains that may not support PUSH0, otherwise deployment of your contracts will fail.

BVSS

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

It is important to consider the targeted deployment chains before writing smart contracts because, in the future, there might exist a need for deploying the contracts in a network that could not support new opcodes from Shanghai or Cancun EVM versions.

Remediation Plan

ACKNOWLEDGED : The Concrete team acknowledged the issue. It is their stance that this a low probability over a given time horizon. Additionally, if the client elects to deploy to a chain that is incompatible with Shanghai, it can be created a contract that utilizes an older Solidity version.

8. Automated Testing

Halborn used automated testing techniques to enhance the coverage of certain areas of the scoped contracts. Among the tools used was Slither, a Solidity static analysis framework. After Halborn verified all the contracts in the repository and was able to compile them correctly into their ABI and binary formats, Slither was run on the all-scoped contracts. This tool can statically verify mathematical relationships between Solidity variables to detect invalid or inconsistent usage of the contracts' APIs across the entire code-base. One High and Medium issues have been found using automated testing that may be it's important to be considered:

ConcreteMultiStrategyVault

Swapper and OraclePlug

StrategyBase

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Assessment summary
3. Test approach and methodology

3.1 Out-of-scope

4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Single step ownership transfer process
7.2 Owner can renounce ownership
7.3 A single compromised account can lock up the protocol
7.4 Checked increments in for loops increases gas consumption
7.5 Missing checks for index out of bounds
7.6 Use external instead of public methods
7.7 Push0 is not supported by all chains

Money Printer

Blueprint Finance

Table of Contents

1. Introduction

2. Assessment Summary

3. Test Approach and Methodology

3.1 Out-of-scope

4. RISK METHODOLOGY

4.1 EXPLOITABILITY

Attack Origin (AO):

Attack Cost (AC):

Attack Complexity (AX):

Metrics:

4.2 IMPACT

Confidentiality (C):

Integrity (I):

Availability (A):

Deposit (D):

Yield (Y):

Metrics:

4.3 SEVERITY COEFFICIENT

Reversibility (R):

Scope (S):

Metrics:

5. SCOPE

6. Assessment Summary & Findings Overview

7. Findings & Tech Details

7.1 Single step ownership transfer process

Description

BVSS

Recommendation

Remediation Plan

7.2 Owner can renounce Ownership

Description

BVSS

Recommendation

Remediation Plan

7.3 A single compromised account can lock up the protocol

Description

BVSS

Recommendation

Remediation Plan

7.4 Checked increments in for loops increases gas consumption

Description

BVSS

Recommendation

Remediation Plan

7.5 Missing checks for index out of bounds

Description

Proof of Concept

BVSS

Recommendation

Remediation Plan

7.6 Use external instead of public methods

Description

BVSS

Recommendation

Remediation Plan

7.7 PUSH0 is not supported by all chains

Description

BVSS

Recommendation

Remediation Plan

8. Automated Testing

ConcreteMultiStrategyVault

Swapper and OraclePlug

StrategyBase

Table of Contents