Vault Contracts v2 - Rho Labs

1. Introduction

Rho Labs engaged Halborn to perform a security assessment of their smart contracts from July 15th, 2025, to July 28th, 2025. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.

The Rho Labs codebase in scope consists of a smart contract system for asset management, featuring ERC4626-compliant vaults, allocator and off-chain strategy vaults, a secure router for user and vault interactions, and robust access control. The system supports oracle-driven NAV reporting, and protocol-level controls for asset flows and permissions.

2. Assessment Summary

Halborn was allocated 10 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.

The objectives of this assessment were to:

• Identify potential security vulnerabilities within the smart contracts.

• Verify that the smart contract functionality operates as intended.

In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of potential risks, which were mostly addressed by the Rho Labs team. The primary recommendations were:

• Replace vault.maxWithdraw(vaultAddress, vaultAddress, packages) with vault.maxWithdraw(address(this), address(this), packages) in _calcTotalSubVaultsAssets to ensure the calculation reflects the parent vault’s actual claim on the subVault’s assets.

• Fund the vault with a meaningful initial deposit immediately after deployment and before allowing public deposits, ensuring a fair initial share/asset ratio.

• Enforce at vault or ERC20Storage initialization that any asset marked as a wrapped native token has the same number of decimals as the native token for the deployment chain.

3. Test Approach and Methodology

Halborn conducted a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy within the scope of this assessment. While manual testing is crucial for identifying flaws in logic, processes, and implementation, automated testing enhances coverage of smart contracts and quickly detects deviations from established security best practices.

The following phases and associated tools were employed throughout the term of the assessment:

• Research into the platform's architecture, purpose and use.

• Manual code review and walkthrough of smart contracts to identify any logical issues.

• Comprehensive assessment of the safety and usage of critical Solidity variables and functions within scope that could lead to arithmetic-related vulnerabilities.

• Local testing using custom scripts (Foundry).

• Fork testing against main networks (Foundry).

• Static security analysis of scoped contracts, and imported functions (Slither).