Organization
- @morpho
Engagement Type
Spearbit Web3
Period
-
Repositories
Researchers
Findings
Low Risk
1 finding
0 fixed
1 acknowledged
Informational
2 findings
1 fixed
1 acknowledged
Low Risk: 1 finding
isInRegistry does not check whether parent vault was deployed by a designated VaultV2 factory
State
- Acknowledged
Severity
- Severity: Low ≈ Likelihood: High × Impact: Low
Submitted by
Saw-mon and Natalie
Description
Both isInRegistry implementations in MorphoMarketV1Registry and MorphoVaultV1Registry do not check whether the parent vault of the adapter was deployed by a fixed designated VaultV2 factory.
Recommendation
Introduce an immutable VaultV2 factory in these contracts and in isInRegistry check that the parent vault of the adapter was deployed by that fixed VaultV2 factory.
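One way to implement this recommendation, as an added example that is not Morpho's or Spearbit's code. The contract name, the three interfaces and the function names isVaultV2, isAdapter and parentVault are hypothetical, and the baseline adapter-factory check is assumed because the page does not show the current isInRegistry body.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interfaces, assumed for illustration only.
interface IVaultV2FactoryLike {
    // True only for vaults deployed by this factory.
    function isVaultV2(address vault) external view returns (bool);
}

interface IAdapterFactoryLike {
    // True only for adapters deployed by this factory.
    function isAdapter(address adapter) external view returns (bool);
}

interface IAdapterLike {
    function parentVault() external view returns (address);
}

/// Sketch of a registry that pins both the adapter factory and the VaultV2 factory.
contract PinnedFactoryRegistry {
    // Immutable: neither factory can be swapped after deployment, so the
    // provenance rule applied by isInRegistry cannot change later.
    address public immutable adapterFactory;
    address public immutable vaultV2Factory;

    constructor(address _adapterFactory, address _vaultV2Factory) {
        require(_adapterFactory != address(0), "Zero adapter factory");
        require(_vaultV2Factory != address(0), "Zero vault factory");
        adapterFactory = _adapterFactory;
        vaultV2Factory = _vaultV2Factory;
    }

    function isInRegistry(address adapter) external view returns (bool) {
        // Assumed baseline: the adapter itself comes from the known adapter factory.
        // Checking this first also guarantees the parentVault() call below
        // targets factory-deployed code rather than an arbitrary address.
        if (!IAdapterFactoryLike(adapterFactory).isAdapter(adapter)) return false;

        // Check from the recommendation: the adapter's parent vault must have
        // been deployed by the pinned VaultV2 factory.
        address parent = IAdapterLike(adapter).parentVault();
        return IVaultV2FactoryLike(vaultV2Factory).isVaultV2(parent);
    }
}
```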
Informational: 2 findings
Duplicate
State
- Acknowledged
Severity
- Severity: Informational
Submitted by
MiloTruck
Context: RegistryList.sol#L32-L38
Description:
In RegistryList, addSubRegistry() does not check if subRegistry already exists in the subRegistries list:

    /// @dev Adding a subRegistry that reverts or makes looping too gas consuming will make new registries uneffective
    /// (vaults will not be able to validate adapters that would be validated by registries that have been added after).
    function addSubRegistry(address subRegistry) external {
        require(msg.sender == owner, "Not owner");
        subRegistries.push(subRegistry);
        emit AddSubRegistry(subRegistry);
    }

As such, duplicate sub-registries can be added to the subRegistries list. However, note that there is no impact apart from isInRegistry() possibly consuming more gas.
Recommendation:
This behavior could be documented.
Morpho: Acknowledged.
Spearbit: Acknowledged.
sub-registries could break the add-only assumption for adapters
Severity
- Severity: Informational
Submitted by
Saw-mon and Natalie
Description
The add-only assumption needs to be transitively assumed, stated, or enforced for the sub-registries of a registry.
Recommendation
Perhaps it can be added to the documentation.