search
Active Boosts

#46092 [SC-Insight] AgentVault::destroy mismatch between comment documentation and contract behavior

Submitted on May 24th 2025 at 18:37:18 UTC by @hunter0xweb3 for Audit Comp | Flare | FAssetsarrow-up-right

  • Report ID: #46092

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AgentVault.sol

  • Impacts:

hashtag
Description

hashtag
Brief/Intro

The documentation comments in AgentVault::destroy states that all funds (tokens and native balance) are transfer out to AgentVaultOwner However destroy functionality behaves different

hashtag
Vulnerability Details

The documentation comments in AgentVault::destroy states that all funds (tokens and native balance) are transfered out to AgentVaultOwner https://github.com/flare-labs-ltd/fassets/blob/acb82a27b15c56ce9dfbb6dbbd76008da6753c26/contracts/assetManager/implementation/AgentVault.sol#L189-L190:

    // Used by asset manager when destroying agent.
    // Completely erases agent vault and transfers all funds to the owner.

However destroy functionality behaves different because it allows sending the funds to an arbitrary address (defined on call by assetManager). https://github.com/flare-labs-ltd/fassets/blob/acb82a27b15c56ce9dfbb6dbbd76008da6753c26/contracts/assetManager/implementation/AgentVault.sol#L189-L218

@>    function destroy(address payable _recipient)
        external override
        onlyAssetManager
        nonReentrant
    {
        uint256 length = usedTokens.length;
        for (uint256 i = 0; i < length; i++) {
            IERC20 token = usedTokens[i];
            uint256 useFlags = tokenUseFlags[token];
            //... snippet; undelegation logic...
            if ((useFlags & TOKEN_DEPOSIT) != 0) {
                uint256 balance = token.balanceOf(address(this));
                if (balance > 0) {
@>                    token.safeTransfer(_recipient, balance);
                }
            }
        }
        // transfer native balance, if any (used to be done by selfdestruct)
@>      Transfers.transferNAT(_recipient, address(this).balance);
    }

This leads to a mismatch between documentation and contract behavior leading to potentially loss of funds and mismatch behavior between documentation and implementation described in detail in impact section

A better approach is use assetManager.getAgentVaultOwner(address(this)) to retrieve the owner address like used in AgentVault::transferExternalToken

hashtag
Impact Details

  • Extra parameter defined in AgentVault::destroy leading to potentially loss of funds if non owner controlled address is provided by assetManager

  • Mismatch between documentation and contract behavior

hashtag
References

https://github.com/flare-labs-ltd/fassets/blob/acb82a27b15c56ce9dfbb6dbbd76008da6753c26/contracts/assetManager/implementation/AgentVault.sol#L189-L190 https://github.com/flare-labs-ltd/fassets/blob/acb82a27b15c56ce9dfbb6dbbd76008da6753c26/contracts/assetManager/implementation/AgentVault.sol#L191-L218 https://github.com/flare-labs-ltd/fassets/blob/acb82a27b15c56ce9dfbb6dbbd76008da6753c26/contracts/assetManager/implementation/AgentVault.sol#L124-L132

hashtag
Proof of Concept

hashtag
Proof of Concept

AgentVault::destroy is called with _recipient parameter address non controlled by AgentVault's owner Loss of funds occurs because of mismatch between documentation and contract behavior

Previous#46071 [SC-Low] Ultra-low amount of total shares in collateral poolNext#46108 [SC-Medium] Minting Cap can by bypassed while self minting

Was this helpful?