Merge pull request #11 from centrifuge/audit

Audit fixes
centrifuge · Jun 17, 2024 · 765bc7a · 765bc7a
2 parents e0a9287 + 0433dbe
commit 765bc7a
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -18,5 +18,11 @@ To run all tests locally, where `[FORK_URL]` is a valid RPC endpoint for Base:
 forge test --fork-url [FORK_URL]
 ```
 
+## Audit reports
+
+| Auditor | Report link |
+|---|---|
+| Cantina Managed | [`June 2024`](https://github.com/centrifuge/morpho-market/blob/main/audits/2023-06-cantina.pdf) |
+
 ## License
 This codebase is licensed under [GNU Lesser General Public License v3.0](https://github.com/centrifuge/liquidity-pools/blob/main/LICENSE).
diff --git a/audits/2023-06-cantina.pdf b/audits/2023-06-cantina.pdf
diff --git a/src/PermissionedERC20Wrapper.sol b/src/PermissionedERC20Wrapper.sol
@@ -43,6 +43,8 @@ contract PermissionedERC20Wrapper is Auth, ERC20PermissionedBase {
     IAttestationService public attestationService;
     IAttestationIndexer public attestationIndexer;
 
+    event File(bytes32 indexed what, address data);
+
     constructor(
         string memory name_,
         string memory symbol_,
@@ -67,6 +69,7 @@ contract PermissionedERC20Wrapper is Auth, ERC20PermissionedBase {
         else if (what == "service") attestationService = IAttestationService(data);
         else if (what == "memberlist") memberlist = Memberlist(data);
         else revert("PermissionedERC20Wrapper/file-unrecognized-param");
+        emit File(what, data);
     }
 
     // --- Permission checks ---
@@ -93,6 +96,9 @@ contract PermissionedERC20Wrapper is Auth, ERC20PermissionedBase {
 
     // --- Helpers ---
     function recover(address account) public auth returns (uint256) {
+        if (account == address(this)) {
+            revert ERC20InvalidReceiver(account);
+        }
         return _recover(account);
     }
 

diff --git a/src/VaultOracle.sol b/src/VaultOracle.sol
@@ -5,7 +5,7 @@ import {IOracle} from "src/interfaces/IOracle.sol";
 import {Auth} from "lib/liquidity-pools/src/Auth.sol";
 import {IERC20Metadata} from "lib/openzeppelin-contracts/contracts/token/ERC20/extensions/IERC20Metadata.sol";
 
-interface IERC4626 {
+interface IERC7575 {
     function share() external view returns (address share);
     function asset() external view returns (address asset);
     function convertToAssets(uint256 shares) external view returns (uint256 assets);
@@ -14,7 +14,7 @@ interface IERC4626 {
 contract VaultOracle is Auth, IOracle {
     uint8 public constant PRICE_DECIMALS = 36;
 
-    IERC4626 public vault;
+    IERC7575 public vault;
     uint256 public singleShare;
     uint256 public assetScaling;
 
@@ -39,7 +39,7 @@ contract VaultOracle is Auth, IOracle {
     }
 
     function _updateVault(address vault_) internal {
-        vault = IERC4626(vault_);
+        vault = IERC7575(vault_);
 
         uint8 shareDecimals = IERC20Metadata(vault.share()).decimals();
         require(shareDecimals < PRICE_DECIMALS, "VaultOracle/share-decimals-too-high");