Plain Inky Porpoise

Medium

UsualX is not fully ERC4626 compliant

Summary

UsualX.sol is not ERC4626 compliant, contrary to the contract's documentation, which will lead to integration issues.

Root Cause

Various functions in UsualX.sol do not follow the ERC4626 specification, breaking composability. This also runs contrary to what the protocol and external integrations expect, since the documentation describes the contract as ERC4626-compliant:

The UsualX contract is an upgradeable ERC4626-compliant yield-bearing vault. It extends the YieldBearingVault contract, incorporating features such as whitelisting, blacklisting, withdrawal fees, and yield distribution linearly over a predefined yield period.

  1. maxDeposit doesn't return 0 when the vault is paused or the caller is blacklisted, so it does not factor in global and user-specific limits.

MUST factor in both global and user-specific limits, like if deposits are entirely disabled (even temporarily) it MUST return 0.

  2. maxMint, same as maxDeposit, doesn't factor in that the vault can be paused and doesn't return 0 when it is.

MUST factor in both global and user-specific limits, like if mints are entirely disabled (even temporarily) it MUST return 0.

  3. maxWithdraw doesn't factor in the fact that the vault can be paused and doesn't return 0 when it is.

MUST factor in both global and user-specific limits, like if withdrawals are entirely disabled (even temporarily) it MUST return 0.

  4. maxRedeem doesn't factor in the fact that the vault can be paused and doesn't return 0 when it is.

MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Lack of compliance with the EIP breaks composability and integrations.

PoC

No response

Mitigation

Bring the functions up to the standard for full compliance.
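
One way to make the four max* views honor the pause and blacklist state, as an added sketch that is not UsualX code. It assumes OpenZeppelin Contracts v5; the contract name `LimitAwareVault`, the `isBlacklisted` mapping and the owner-controlled setters are hypothetical, and withdrawal fees are not modeled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not UsualX code. Assumes OpenZeppelin Contracts v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract LimitAwareVault is ERC4626, Pausable, Ownable {
    // Hypothetical blacklist storage; the real contract's layout is not shown on the page.
    mapping(address => bool) public isBlacklisted;

    constructor(IERC20 asset_)
        ERC20("Limit Aware Vault", "LAV")
        ERC4626(asset_)
        Ownable(msg.sender)
    {}

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
    function setBlacklisted(address account, bool status) external onlyOwner {
        isBlacklisted[account] = status;
    }

    // Deposits and mints are disabled globally (pause) or per user (blacklist).
    function _depositsBlocked(address receiver) internal view returns (bool) {
        return paused() || isBlacklisted[receiver];
    }

    // EIP-4626: MUST return 0 if deposits/mints are disabled, even temporarily.
    function maxDeposit(address receiver) public view override returns (uint256) {
        return _depositsBlocked(receiver) ? 0 : super.maxDeposit(receiver);
    }

    function maxMint(address receiver) public view override returns (uint256) {
        return _depositsBlocked(receiver) ? 0 : super.maxMint(receiver);
    }

    // The finding only ties withdraw/redeem to the pause state, so only that is checked.
    function maxWithdraw(address owner_) public view override returns (uint256) {
        return paused() ? 0 : super.maxWithdraw(owner_);
    }

    function maxRedeem(address owner_) public view override returns (uint256) {
        return paused() ? 0 : super.maxRedeem(owner_);
    }
}
```

Because OpenZeppelin's deposit, mint, withdraw and redeem revert when the requested amount exceeds the matching max* value, these overrides keep the views and the state-changing functions consistent with each other.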