Test Coverage

| Contract | Address | Instruction Coverage |
|---|---|---|
| WETH9_ADDR | 0x508f2c434E66Df1706CBa7Ae137976C814B5633E | 100% |
| MRA_ADDR | 0x176e781009cF95d4d8e670257f14881550713Bb0 | 100% |
| TRANSFER_PROXY_ADDR | 0x94f640cEFf1cA6B76754866C5787B12C83149C02 | 92% |
| PROXY_ADMIN_ADDR | 0xf0451A329D0D52a82A3dfB4EF19C46b308a21094 | 100% |
| LIEN_TOKEN_IMPL_ADDR | 0x2a2757C864353cE2FF0Be99673951569254042E1 | 94% |
| LIEN_TOKEN_PROXY_ADDR | 0x1D196F665caCd3CC23f63623f564C8e23ab5E47e | N/A |
| CLEARING_HOUSE_IMPL_ADDR | 0x3225cbd94963A397261AB5cF4BF4320F29c0E2c0 | N/A |
| COLLATERAL_TOKEN_IMPL_ADDR | 0x14d5B1dDc587cFfF9db704cc9e4f0839434cb302 | 81% |
| COLLATERAL_TOKEN_PROXY_ADDR | 0x3082B3ba5DDC99b7f22964E3F3e85167e416caCc | N/A |
| SOLO_IMPLEMENTATION_ADDR | 0x08eC89afE747A1AFB637fD67D4901593347b4ebE | N/A |
| PUBLIC_VAULT_IMPLEMENTATION_ADDR | 0xd28EDD6D47B1A9419Db2bEB60031cA99ce8d1334 | 79% |
| WITHDRAW_PROXY_ADDR | 0xBEE027AF760DcAe7C3CE105876b92f41023e6BE8 | 91% |
| BEACON_PROXY_ADDR | 0x16eeC124c11461C630685F578c02eb76ab4e269B | 100% |
| ASTARIA_ROUTER_IMPL_ADDR | 0x03D83c83694A205aEB87aBD0E1800CA5093e62Cf | 89% |
| ASTARIA_ROUTER_PROXY_ADDR | 0x77740EdeFC4a462e37d62B198F91deE7799953c3 | N/A |

Vulnerabilities from Invariants Violation

Medium 00: Unable to reset protocol fee recipient once set.

Setting feeTo to zero causes execution to revert. Setting feeTo to address(0) is equivalent to cancelling the protocol fee.

https://github.com/spearbit-audits/fuzzing-astaria-core/blob/c5890761a127e3c7624ef9d05a2382758dd65bd2/src/AstariaRouter.sol#L335

https://github.com/spearbit-audits/fuzzing-astaria-core/blob/c5890761a127e3c7624ef9d05a2382758dd65bd2/src/AstariaRouter.sol#L899

Medium 01: Low resilience against compromised auth/guardian account

If an auth'd account of AstariaRouter is compromised, the attacker can change the StrategyValidator or other files to DoS an existing loan.

The guardian account has the privilege to upgrade the implementation of vaults by calling AstariaRouter.fileGuardian(File[]) with FileType.Implementation.

In the extreme case where the guardian account is compromised, whether through a leaked EOA private key or leaked multisig wallet signatures, the attacker could instantly upgrade the vault implementation to any custom contract and drain the contract, leaving the service owner no time to recover the funds or notify users to withdraw.

Possible Mitigation

  1. Add TimeLock restriction for AstariaRouter.fileGuardian
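
One way to implement the timelock mitigation, as an added Solidity example (not Astaria's or the auditors' code): a hypothetical GuardianTimelock contract that is assumed to hold the router's guardian role, so a fileGuardian call must be queued publicly and can only execute after a delay. The contract name, the proposer and canceller roles, and the 2-day and 7-day values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical timelock meant to hold the AstariaRouter guardian role (added example).
contract GuardianTimelock {
    uint256 public constant DELAY = 2 days; // assumed notice period for users to withdraw
    uint256 public constant GRACE = 7 days; // assumed window after which a queued call expires
    address public immutable router;    // AstariaRouter proxy
    address public immutable proposer;  // e.g. the current guardian multisig
    address public immutable canceller; // separate key that can veto a queued call
    mapping(bytes32 => uint256) public eta; // hash of calldata => earliest execution time

    event Queued(bytes32 indexed id, bytes data, uint256 executableAt);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    constructor(address router_, address proposer_, address canceller_) {
        require(router_.code.length > 0 && proposer_ != address(0), "bad config");
        router = router_;
        proposer = proposer_;
        canceller = canceller_;
    }

    /// Queue ABI-encoded router calldata, e.g. a fileGuardian(File[]) call.
    function queue(bytes calldata data) external returns (bytes32 id) {
        require(msg.sender == proposer, "not proposer");
        id = keccak256(data);
        require(eta[id] == 0, "already queued");
        eta[id] = block.timestamp + DELAY;
        emit Queued(id, data, eta[id]); // monitoring should alert on this event
    }

    function cancel(bytes32 id) external {
        require(msg.sender == proposer || msg.sender == canceller, "not authorized");
        require(eta[id] != 0, "not queued");
        delete eta[id];
        emit Cancelled(id);
    }

    function execute(bytes calldata data) external {
        require(msg.sender == proposer, "not proposer");
        bytes32 id = keccak256(data);
        uint256 t = eta[id];
        require(t != 0 && block.timestamp >= t && block.timestamp <= t + GRACE, "not executable");
        delete eta[id]; // clear before the external call so it cannot be replayed
        (bool ok, ) = router.call(data);
        require(ok, "router call reverted");
        emit Executed(id);
    }
}
```

With this in place a compromised proposer key can still queue a malicious implementation change, but the Queued event and the delay give the canceller time to veto it and users time to withdraw.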

PoC of one scenario: