FLOW-9: Yieldvault Id Misbinding Can Corrupt Local Registry #24

@liobrasil

Severity: Low

Files Affected

  • solidity/src/FlowYieldVaultsRequests.sol

Description

In completeProcessing() in FlowYieldVaultsRequests, the authorized COA supplies a yieldVaultId and the contract sets request.yieldVaultId = yieldVaultId. On successful CREATE_YIELDVAULT, it calls _registerYieldVault() to mark the ID valid and assign local ownership, and on successful CLOSE_YIELDVAULT it calls _unregisterYieldVault() to remove local ownership and invalidate the ID.

However:

  • The contract does not defensively bind the completion-time yieldVaultId to the request's originally intended yieldVaultId for non-CREATE flows
  • _registerYieldVault() does not enforce that yieldVaultId is not already registered
  • _unregisterYieldVault() clears global registry state even if the array-level "swap-and-pop" safety check fails

As a result, an operational mistake by the authorized COA (supplying the wrong yieldVaultId at completion time) can corrupt the EVM-side registry view: overwriting ownership of an existing ID, creating duplicate entries, or invalidating an unrelated YieldVault ID.

Example (misbound CLOSE unregisters the wrong vault)

  1. Alice owns YieldVaultId 7 and Bob owns YieldVaultId 8 (both registered on EVM).
  2. Alice submits a CLOSE_YIELDVAULT request for 7. Cadence closes 7 successfully.
  3. Authorized COA mistake: calls EVM completeProcessing(..., success=true, yieldVaultId=8, ...) for Alice’s request.
  4. EVM runs _unregisterYieldVault(8, Alice, ...); even if the user-array removal check fails, it still clears validYieldVaultIds[8] and deletes yieldVaultOwners[8].
  5. Result: Bob’s vault 8 is removed from the EVM registry even though it still exists on Cadence, breaking Bob’s future EVM interactions.

Recommendation

  • Enforce strong ID binding in completeProcessing() for DEPOSIT/WITHDRAW/CLOSE by requiring that the supplied yieldVaultId match the request's stored yieldVaultId
  • Add a uniqueness guard in _registerYieldVault() (reject registering an already-valid yieldVaultId)
  • Only clear validYieldVaultIds/yieldVaultOwners in _unregisterYieldVault() after proving the YieldVault is actually registered under the provided user
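The following contract is an added, self-contained illustration of the three recommendations above; it is not the FlowYieldVaultsRequests code or any other code from the Flow project. The names completeProcessing, _registerYieldVault, _unregisterYieldVault, validYieldVaultIds, yieldVaultOwners and the request types are taken from this issue; the Request struct, the submitRequest entry point, the per-user index mapping (userVaultIndex) and all function signatures are assumptions made for the example. The binding check is applied regardless of the success flag, and the unregister path reverts instead of half-clearing state, so the misbound CLOSE in the scenario above (success=true, yieldVaultId=8 for Alice's close of 7) fails before any registry entry is touched.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative hardened registry (example only, not the project's contract).
contract HardenedYieldVaultRegistry {
    enum RequestType { CREATE_YIELDVAULT, DEPOSIT, WITHDRAW, CLOSE_YIELDVAULT }

    struct Request {
        address user;
        RequestType requestType;
        uint64 yieldVaultId;   // target vault; 0 for CREATE until completion
        bool completed;
    }

    address public immutable authorizedCOA;
    uint256 public nextRequestId;
    mapping(uint256 => Request) public requests;
    mapping(uint64 => bool) public validYieldVaultIds;
    mapping(uint64 => address) public yieldVaultOwners;
    mapping(address => uint64[]) private userYieldVaults;
    mapping(uint64 => uint256) private userVaultIndex; // position of id in owner's array (assumed bookkeeping)

    error Unauthorized();
    error RequestAlreadyCompleted(uint256 requestId);
    error YieldVaultIdMismatch(uint64 expected, uint64 supplied);
    error YieldVaultAlreadyRegistered(uint64 yieldVaultId);
    error YieldVaultNotOwnedByUser(uint64 yieldVaultId, address user);

    constructor(address coa) { authorizedCOA = coa; }

    /// User-side entry point (assumed). Non-CREATE requests must target a vault the caller owns.
    function submitRequest(RequestType requestType, uint64 yieldVaultId) external returns (uint256 requestId) {
        if (requestType != RequestType.CREATE_YIELDVAULT) {
            if (!validYieldVaultIds[yieldVaultId] || yieldVaultOwners[yieldVaultId] != msg.sender) {
                revert YieldVaultNotOwnedByUser(yieldVaultId, msg.sender);
            }
        }
        requestId = nextRequestId++;
        requests[requestId] = Request({ user: msg.sender, requestType: requestType, yieldVaultId: yieldVaultId, completed: false });
    }

    /// COA-side completion. Recommendation 1: bind the supplied id to the stored one for every non-CREATE flow.
    function completeProcessing(uint256 requestId, bool success, uint64 yieldVaultId) external {
        if (msg.sender != authorizedCOA) revert Unauthorized();
        Request storage request = requests[requestId];
        if (request.completed) revert RequestAlreadyCompleted(requestId);

        // Checked before looking at `success`, so a mistyped id is rejected on failed completions too.
        if (request.requestType != RequestType.CREATE_YIELDVAULT && yieldVaultId != request.yieldVaultId) {
            revert YieldVaultIdMismatch(request.yieldVaultId, yieldVaultId);
        }

        request.completed = true;
        if (!success) return;

        if (request.requestType == RequestType.CREATE_YIELDVAULT) {
            request.yieldVaultId = yieldVaultId;
            _registerYieldVault(yieldVaultId, request.user);
        } else if (request.requestType == RequestType.CLOSE_YIELDVAULT) {
            _unregisterYieldVault(yieldVaultId, request.user);
        }
    }

    /// Recommendation 2: an id that is already live can never be registered again (no silent ownership overwrite).
    function _registerYieldVault(uint64 yieldVaultId, address user) internal {
        if (validYieldVaultIds[yieldVaultId]) revert YieldVaultAlreadyRegistered(yieldVaultId);
        validYieldVaultIds[yieldVaultId] = true;
        yieldVaultOwners[yieldVaultId] = user;
        userVaultIndex[yieldVaultId] = userYieldVaults[user].length;
        userYieldVaults[user].push(yieldVaultId);
    }

    /// Recommendation 3: prove the vault is registered under `user` first; revert, never partially clear.
    function _unregisterYieldVault(uint64 yieldVaultId, address user) internal {
        if (!validYieldVaultIds[yieldVaultId] || yieldVaultOwners[yieldVaultId] != user) {
            revert YieldVaultNotOwnedByUser(yieldVaultId, user);
        }
        uint64[] storage vaults = userYieldVaults[user];
        uint256 idx = userVaultIndex[yieldVaultId];
        // Swap-and-pop. With index bookkeeping this check is an invariant; a failure means
        // corrupted state and must abort the whole operation rather than fall through.
        require(idx < vaults.length && vaults[idx] == yieldVaultId, "registry index corrupted");
        uint64 last = vaults[vaults.length - 1];
        vaults[idx] = last;
        userVaultIndex[last] = idx;
        vaults.pop();
        // Global state is cleared only after the user-level removal has succeeded.
        delete userVaultIndex[yieldVaultId];
        delete validYieldVaultIds[yieldVaultId];
        delete yieldVaultOwners[yieldVaultId];
    }

    function yieldVaultsOf(address user) external view returns (uint64[] memory) {
        return userYieldVaults[user];
    }
}
```

The ordering inside _unregisterYieldVault is the point: the owner check and the array-level invariant both run before the three delete statements, so there is no path on which validYieldVaultIds and yieldVaultOwners are cleared for an id the caller does not own. The index mapping is one way to make the swap-and-pop check an invariant rather than a best-effort scan; a linear search over the user's array would give the same guarantee at higher gas cost.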

Parent Issue: #15

Labels

Low severity security finding; QuantStamp audit finding