Address FlowYieldVaultsEVM QuantStamp Audit Findings #15
Description
QuantStamp Security Audit - FlowYieldVaultsEVM
This issue tracks remediation of QuantStamp security audit items for the FlowYieldVaultsEVM cross-VM bridge.
Audit Report: https://drive.google.com/file/d/1Cyt6OuiLAPxoch4N0FYN3JUw31sxJOJD/view?usp=sharing
Audit Details:
- Type: EVM Integration
- Timeline: 2026-01-05 through 2026-01-16
- Auditors: Hytham Farah, Mostafa Yassin, Yamen Merhi
Summary (from report):
| Severity | Count |
|---|---|
| High | 2 |
| Medium | 4 |
| Low | 5 |
| Informational | 5 |
| Total Findings | 16 |
Auditor Suggestions: 3
Checklist
High (2)
- FLOW-1: Double-refund on failed CREATE/DEPOSIT operations #16 FLOW-1: Double-refund on failed CREATE/DEPOSIT operations
- FLOW-2: No recovery mechanism for stuck PROCESSING requests #17 FLOW-2: No recovery mechanism for stuck PROCESSING requests
Medium (4)
- FLOW-3: Cross-VM state desync when completeProcessing fails after successful operation #18 FLOW-3: Cross-VM state desync when completeProcessing fails after successful operation
- FLOW-4: ERC20 transfer failure creates permanently failing request #19 FLOW-4: ERC20 transfer failure creates permanently failing request
- FLOW-5: claimRefund Can Orphan Pending Requests and Prevent Cleanup #20 FLOW-5: claimRefund Can Orphan Pending Requests and Prevent Cleanup
- FLOW-6: Unfinalized Processing Requests Can Wedge the Global Queue #21 FLOW-6: Unfinalized Processing Requests Can Wedge the Global Queue
Low (5)
- FLOW-7: Sentinel Hygiene: Reserved NO_YIELDVAULT_ID and Create Placeholder Id #22 FLOW-7: Sentinel Hygiene: Reserved NO_YIELDVAULT_ID and Create Placeholder Id
- FLOW-8: No Recovery Mechanism for Stray Tokens or Native Funds #23 FLOW-8: No Recovery Mechanism for Stray Tokens or Native Funds
- FLOW-9: Yieldvault Id Misbinding Can Corrupt Local Registry #24 FLOW-9: Yieldvault Id Misbinding Can Corrupt Local Registry
- FLOW-10: FIFO Queue Is Not Enforced on-Chain yet Costs O(n) to Maintain #25 FLOW-10: FIFO Queue Is Not Enforced on-Chain yet Costs O(n) to Maintain
- FLOW-11: Unbounded YieldVault ownership arrays #26 FLOW-11: Unbounded YieldVault ownership arrays
Informational (5)
- FLOW-12: Escrow Balance Events Missing on COA Processing #27 FLOW-12: Escrow Balance Events Missing on COA Processing
- FLOW-13: ERC20 Transfer Success Is Not Verified #28 FLOW-13: ERC20 Transfer Success Is Not Verified
- FLOW-14: Withdraw and Close Requests Are Encoded as Native-only Exits #29 FLOW-14: Withdraw and Close Requests Are Encoded as Native-only Exits
- FLOW-15: User Pending Balance View Is Native-Only #30 FLOW-15: User Pending Balance View Is Native-Only
- FLOW-16: Precision loss in cross-VM amount conversions #31 FLOW-16: Precision loss in cross-VM amount conversions
Auditor Suggestions (3)
- S1: Blocklist Batch Add Uses Allowlist-Zero Error #32 S1: Blocklist Batch Add Uses Allowlist-Zero Error
- S2: Scheduler handler selection assumes single handler type #33 S2: Scheduler handler selection assumes single handler type
- S3: Constructor Should Validate Critical Parameters #34 S3: Constructor Should Validate Critical Parameters