On this one I couldn't really put that much time into it but I still have one confirmed finding with a couple of duplicates...
```markdown
**Spent**: Around 9 hours
**What did I do?**
Read about the protocol, skimmed through Morpho's hooks and found a vulnerability. I also started to explore the AcrossV3 adapter flow to see if something feels out of place but I just got more lost than what I already was honestly. I need to read the ERCs and shit.
**Any Findings?**
https://cantina.xyz/code/ba62fa4e-f933-4eec-b9ac-868325f4a694/findings?finding=59
**How do I feel?** Pretty good, a bit overwhelmed because I didn't find anything else but tomorrow is a new day.
**What to do next?**
- check inflow / outflow hooks execution flow
- understand SuperNativePaymaster
**File**: `src/core/validators/SuperDestinationValidator.sol`
**Function**: `isValidDestinationSignature()`
# 23/05
**Spent**: Around 5 hours
**What did I do?**
A lot about the whole user flow regarding INFLOW/OUTFLOW/NONACCOUNTING hook types and trying to find some weird edge case around the SuperDestinationExecutor, where I think I found something interesting but I have no PoC yet.
```
After this point I had to do other stuff since on the 25th I had my flight to Prague.
Let's see what I missed:
https://cantina.xyz/code/ba62fa4e-f933-4eec-b9ac-868325f4a694/findings?order_by=reputation&created_by=cmichel&finding=185
**Why did I miss this?** I actually saw this one but I didn't even report it. It was just an informational, I guess I should report everything.
https://cantina.xyz/code/ba62fa4e-f933-4eec-b9ac-868325f4a694/findings?order_by=reputation&created_by=cmichel&finding=190
**Why did I miss this?** This is crazy. How did I not catch this one? Even in the walkthrough you could understand by the way that they were talking about this part that it wasn't really tested. This is why good documentation is good, cmichel was able to read step by step if it was actually doing what the Natspec described and figured out that it wasn't. Key lesson is to read what the devs want and compare it to what's actually written.
https://cantina.xyz/code/ba62fa4e-f933-4eec-b9ac-868325f4a694/findings?order_by=reputation&created_by=cmichel&finding=312
**Why did I miss this?** Most of these bugs seem to be things I could've caught if I looked for a bit longer... This one is really interesting and I remember `usePrevHookAmount` was something that looked interesting to me because there's complexity. Most of these bugs with fewer duplicates are hidden in the complexity. The one thing that I found was an easy spot because it's just a clear logic bug, these ones would need to be analyzed carefully. Logic bugs such as the one that I found are less rewarded than protocol-specific logic bugs such as this one. It's really nothing special: if `usePrevHookAmount` is set, we should use `.outAmount` from the previous computation (previous hook). Then I could've checked every hook to see if this was true. There's no need to write invariant tests for this, it's just purely understanding the protocol and how the devs want it to work. Most of the time it doesn't work as the devs want it to.
https://cantina.xyz/code/ba62fa4e-f933-4eec-b9ac-868325f4a694/findings?order_by=reputation&created_by=cmichel&finding=320
**Why did I miss this?** After auditing a couple of these you would know that DeBridge has this and looking at documentation also helps.
https://cantina.xyz/code/ba62fa4e-f933-4eec-b9ac-868325f4a694/findings?order_by=reputation&created_by=cmichel&finding=319
**Why did I miss this?**
Interesting bug:
```solidity
function cooldownShares(uint256 shares) external ensureCooldownOn returns (uint256 assets) {
    if (shares > maxRedeem(msg.sender)) revert ExcessiveRedeemAmount();
    assets = previewRedeem(shares);
    cooldowns[msg.sender].cooldownEnd = uint104(block.timestamp) + cooldownDuration;
    cooldowns[msg.sender].underlyingAmount += uint152(assets);
    _withdraw(msg.sender, address(silo), msg.sender, assets, shares);
}
```
This function doesn't burn any tokens but in the hooks we are measuring `usedShares` as the balance so it's never going to return anything other than `0` since nothing actually comes out of the account.
SICK FUCKING BUG I LOVE IT
I wish I had more time/energy to spend on this audit it's an amazing codebase. Time for the next ones.