Prepared by:
HALBORN
Last Updated 07/31/2025
Date of Engagement: June 18th, 2025 - July 1st, 2025
100% of all REPORTED Findings have been addressed

| Severity | Findings |
|---|---|
| All findings | 14 |
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 4 |
| Informational | 8 |

Canopy engaged Halborn to conduct a security assessment of some packages for the Movement blockchain, beginning on June 18th, 2025, and ending on July 1st, 2025. This security assessment focused on the smart contracts within the Satay-movement GitHub repository; commit hashes and further details can be found in the Scope section of this report. The primary focus of this audit is to review the new Meridian strategy and a newly implemented rewards notification feature within the LayerBank and Echelon strategies.
Canopy is a yield aggregator on the Movement network that enables efficient interaction with multiple DeFi protocols through modular strategies composed of predefined operations. It also provides automated vaults that optimize fund allocations and rebalance strategy debt ratios, offering a streamlined approach to yield generation with reduced user intervention.
All remediations described in this report were completed prior to the following commit, which serves as a consolidated snapshot of the final codebase. This commit also includes some additional modifications that do not impact the security of the project. While remediations may have been implemented across multiple earlier commits, this single commit includes all relevant changes and can be used for verification purposes:
1ad23ffefe263ce88de0a328952af41e22c1c1ff
The team at Halborn assigned a full-time security engineer to verify the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.
The purpose of this assessment is to:
- Ensure that smart contract functions operate as intended.
- Identify potential security issues with the smart contracts.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Canopy team. The main ones were the following:
- Make the `withdraw_fa` function publicly accessible in the Meridian strategy and add proper authorization checks to allow fee recipients to withdraw their strategy shares.
- Create a deposit function that allows Meridian strategy deposits to be handled through the appropriate FA path while supporting the required `CoinType` parameter.
- Add validation in the rewards notification functions to skip processing when the reward asset matches the strategy's base asset.
- Fix the `claim_behalf` function to query balances from the `on_behalf_of` address instead of the signer's address when calculating claimed rewards.
Halborn performed a combination of manual review of the code and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the smart contract assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation, automated testing techniques help enhance the coverage of smart contracts and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the assessment:
- Research into the architecture, purpose, and use of the platform.
- Manual code review and walkthrough.
- Manual assessment of the critical Move variables and functions in scope to identify any vulnerability classes related to arithmetic or logic.
- Cross-contract call controls.
- Logical controls related to the platform architecture.
- Integration testing using the Aptos Framework.
While the audit team conducted a thorough static review and manual analysis, dynamic validation (e.g., automated test execution or proof-of-concept reproduction) could not be performed due to technical constraints outside the scope of this engagement. Specifically, a build error caused by third-party package dependencies prevented the execution of the existing test suite within the audit environment.
As a result, end-to-end tests could not be executed, and certain behaviors could not be verified through runtime instrumentation. Although this limited the ability to validate some edge cases dynamically, the findings presented are based on careful source code analysis and reflect the issues observable through that approach.
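
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) | 1 |
| Attack Origin (AO) | Specific (AO:S) | 0.2 |
| Attack Cost (AC) | Low (AC:L) | 1 |
| Attack Cost (AC) | Medium (AC:M) | 0.67 |
| Attack Cost (AC) | High (AC:H) | 0.33 |
| Attack Complexity (AX) | Low (AX:L) | 1 |
| Attack Complexity (AX) | Medium (AX:M) | 0.67 |
| Attack Complexity (AX) | High (AX:H) | 0.33 |

| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) | 0 |
| Confidentiality (C) | Low (C:L) | 0.25 |
| Confidentiality (C) | Medium (C:M) | 0.5 |
| Confidentiality (C) | High (C:H) | 0.75 |
| Confidentiality (C) | Critical (C:C) | 1 |
| Integrity (I) | None (I:N) | 0 |
| Integrity (I) | Low (I:L) | 0.25 |
| Integrity (I) | Medium (I:M) | 0.5 |
| Integrity (I) | High (I:H) | 0.75 |
| Integrity (I) | Critical (I:C) | 1 |
| Availability (A) | None (A:N) | 0 |
| Availability (A) | Low (A:L) | 0.25 |
| Availability (A) | Medium (A:M) | 0.5 |
| Availability (A) | High (A:H) | 0.75 |
| Availability (A) | Critical (A:C) | 1 |
| Deposit (D) | None (D:N) | 0 |
| Deposit (D) | Low (D:L) | 0.25 |
| Deposit (D) | Medium (D:M) | 0.5 |
| Deposit (D) | High (D:H) | 0.75 |
| Deposit (D) | Critical (D:C) | 1 |
| Yield (Y) | None (Y:N) | 0 |
| Yield (Y) | Low (Y:L) | 0.25 |
| Yield (Y) | Medium (Y:M) | 0.5 |
| Yield (Y) | High (Y:H) | 0.75 |
| Yield (Y) | Critical (Y:C) | 1 |

| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) | 1 |
| Reversibility () | Partial (R:P) | 0.5 |
| Reversibility () | Full (R:F) | 0.25 |
| Scope () | Changed (S:C) | 1.25 |
| Scope () | Unchanged (S:U) | 1 |

| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
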
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Fee Recipients Cannot Access Earned Fees in Meridian Strategy | Medium | Solved - 07/09/2025 |
| Router's Meridian Strategy Deposit Path Mismatch Makes Strategy Inaccessible | Medium | Solved - 07/09/2025 |
| Reward Notification Lacks Base Asset Exclusion Check | Low | Solved - 07/07/2025 |
| Incorrect Balance Query in LayerBank Airdrop Block's claim_behalf Function | Low | Solved - 07/07/2025 |
| Inconsistent Error Codes Across Strategy Implementations | Low | Risk Accepted - 07/07/2025 |
| Permanent Upkeep Interval Limitation in LayerBank and Echelon Strategies | Low | Solved - 07/07/2025 |
| Missing Validation of Rewards Pool Address | Informational | Solved - 07/09/2025 |
| Missing Validation of Upkeep Interval Thresholds | Informational | Solved - 07/07/2025 |
| Redundant State Update in Initial Rewards Pool Assignment | Informational | Solved - 07/07/2025 |
| Missing Zero Amount Validation in Echelon Strategy Vault Deposit Functions | Informational | Solved - 07/07/2025 |
| Documentation Inconsistencies in Strategy Comments | Informational | Solved - 07/07/2025 |
| Unused Code | Informational | Solved - 07/07/2025 |
| Unnecessary Variable Assignments | Informational | Solved - 07/07/2025 |
| Inefficient Global Borrow of Strategy Resource in Rewards Pool Setter | Informational | Solved - 07/07/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.