
Contracts using un-audited version of Solady library #64

Open
hats-bug-reporter bot opened this issue Jun 29, 2024 · 3 comments
Labels: bug (Something isn't working), invalid (This doesn't seem right)

Comments

@hats-bug-reporter

Github username: --
Twitter username: --
Submission hash (on-chain): 0x7eab7f2fb6837d2516e7b494d658617f0d003ebb5116b00b3030a4f8fff48220
Severity: low

Description:
EthMultiVault.sol has utilized solady's FixedPointMathLib.sol and LibZip.sol libraries in contracts. The functionalities, mainly mulDiv() and mulDivUp(), have been extensively used from these solady contracts.

The following functions have used them:

  1. _feeOnRaw(),
  2. convertToShares(),
  3. convertToAssets()

The issue is that the current contracts have used a very old version of solady, i.e. `"version": "0.0.201"` is being used. This is verified from the lib folder in the contracts repo. This version is not audited by audit firms.

The latest version of Solady is `"version": "0.0.213"`, which has several bugs fixed over the last 12 minor versions, with lots of gas optimizations and refactoring.

All changes related to FixedPointMathLib can be checked at https://github.com/Vectorized/solady/commits/main/src/utils/FixedPointMathLib.sol?before=65a32cda377153622c4ad49ca79c0127e0f32a73+35

It's recommended to avoid using deprecated or old versions of external libraries and to use the latest versions of external libraries instead.

Solady has gone through rigorous security reviews by top Audit firms like Cantina. All reports can be checked at https://github.com/Vectorized/solady/tree/main/audits

Recommendation to fix
It is recommended to use the latest version of Solady, which has fixed bugs found in security audits.

@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Jun 29, 2024
@mihailo-maksa mihailo-maksa added the invalid This doesn't seem right label Jul 1, 2024
@mihailo-maksa
Collaborator

The reported issue regarding the use of an older, unaudited version of the Solady library in EthMultiVault.sol has been reviewed. Here is our comprehensive perspective:

Issue Description:
The issue highlights that the contracts use an older version of the Solady library (0.0.201), which is not audited. It is recommended to use the latest audited version of the library to benefit from bug fixes and optimizations.

Impact:
Using an older version of the library that has not been audited can introduce potential risks if there are undiscovered bugs or vulnerabilities in that version. Updating to the latest audited version ensures that any known issues have been addressed.

Conclusion:
While it is generally a good practice to use the latest audited versions of external libraries, no issues have been found with the utility functions (mulDiv and mulDivUp) from the Solady library that we used. Therefore, we consider this issue to be more of a suggestion for best practices rather than a security vulnerability.

Status: This issue is invalid.
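The maintainers' conclusion rests on mulDiv and mulDivUp behaving as specified in whichever Solady version is vendored. A reviewer who wants more than a reading of the diff can pin that behaviour down with a reference model and a differential test. The following is an added example, not code from the Intuition contracts or from Solady: Python integers are unbounded, so the model computes the 512-bit intermediate product exactly and only has to reproduce the EVM-facing contract (floor or ceiling of x*y/d, a revert when d is zero or the result does not fit in uint256). The `fee_on_raw`, `convert_to_shares` and `convert_to_assets` helpers are hypothetical illustrations of the usual rounding-direction convention; they are not EthMultiVault's implementation.

```python
"""Reference model of full-precision mulDiv / mulDivUp (added example).

Not the Solady or EthMultiVault source. Useful as an oracle when
differential-testing a vendored library version (e.g. via a fuzzer
feeding the same inputs to the contract and to this model).
"""

UINT256_MAX = 2**256 - 1


class EvmRevert(Exception):
    """Stands in for the library's revert on a zero denominator or overflow."""


def _check_uint256(*vals: int) -> None:
    for v in vals:
        if not 0 <= v <= UINT256_MAX:
            raise ValueError("operand is not a uint256")


def mul_div(x: int, y: int, d: int) -> int:
    """floor(x * y / d) with the full intermediate product, no 256-bit wrap."""
    _check_uint256(x, y, d)
    if d == 0:
        raise EvmRevert("zero denominator")
    result = (x * y) // d
    if result > UINT256_MAX:
        raise EvmRevert("result does not fit in uint256")
    return result


def mul_div_up(x: int, y: int, d: int) -> int:
    """ceil(x * y / d) with the full intermediate product."""
    _check_uint256(x, y, d)
    if d == 0:
        raise EvmRevert("zero denominator")
    result = -((-(x * y)) // d)  # ceiling division for non-negative ints
    if result > UINT256_MAX:
        raise EvmRevert("result does not fit in uint256")
    return result


def naive_mul_div(x: int, y: int, d: int) -> int:
    """What unchecked 256-bit arithmetic computes: ((x*y) mod 2^256) / d.

    Kept only as the 'wrong' side of the differential check; it silently
    loses the high bits of the product instead of reverting.
    """
    _check_uint256(x, y, d)
    if d == 0:
        raise EvmRevert("zero denominator")
    return ((x * y) & UINT256_MAX) // d


def find_precision_losses(cases):
    """Return the (x, y, d) triples where the wrapped product diverges
    from the full-precision result. A non-empty list is the reason the
    library routine exists at all."""
    losses = []
    for x, y, d in cases:
        if naive_mul_div(x, y, d) != mul_div(x, y, d):
            losses.append((x, y, d))
    return losses


# --- Hypothetical vault math (constructed for illustration, not EthMultiVault's code) ---

def convert_to_shares(assets: int, total_assets: int, total_shares: int) -> int:
    # Shares minted round down: favours the existing depositors.
    return mul_div(assets, total_shares, total_assets)


def convert_to_assets(shares: int, total_assets: int, total_shares: int) -> int:
    # Assets paid out round down: favours the vault.
    return mul_div(shares, total_assets, total_shares)


def fee_on_raw(assets: int, fee_bps: int, denominator: int = 10_000) -> int:
    # Fees round up: a dust-sized deposit still pays at least 1 wei.
    return mul_div_up(assets, fee_bps, denominator)


if __name__ == "__main__":
    # Constructed inputs: the product 2^300 wraps to 0 in 256-bit arithmetic.
    cases = [(2**200, 2**100, 2**90), (7, 3, 2), (10**18, 10**18, 10**18)]
    print("precision losses:", find_precision_losses(cases))
    print("fee on 1000 wei at 1 bps:", fee_on_raw(1000, 1))
```

The differential idea generalises beyond the two arithmetic helpers: when bumping the vendored Solady commit, running the contract's `_feeOnRaw`, `convertToShares` and `convertToAssets` against a model like this on the same fuzzed inputs, before and after the bump, is what turns "no issues found" into a checked statement.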

@0xRizwan

0xRizwan commented Jul 5, 2024

@mihailo-maksa I see more benefits in updating to the latest version of solady than with the currently used year-old version. This could be considered a minor issue. #72 is a similar such issue where there is no security risk, so similar judgement should be there for this issue, but I respect your decision. Thank you.

@mihailo-maksa
Collaborator

Thanks for your feedback. However, this issue doesn’t meet any of the criteria for acceptance (as explained in more detail below), as none of the functions are practically impacted by the version of the Solady library used.

Scope of the Bug Bounty Program

The scope includes the core contracts of the Intuition protocol:

  • EthMultiVault.sol
  • AtomWallet.sol

Examples of What's in Scope

  • Stealing or freezing user assets (ETH)
  • Unauthorized pausing or unpausing of the protocol
  • Internal accounting errors leading to incorrect fee charges or asset distribution
  • Unauthorized changes to contract configuration

Out of Scope

  • Non-security-related suggestions (we believe your issue lies here)
  • Efficiency improvements
  • Known weaknesses documented in audits

Severity Levels (examples)

  • High/Critical: Unauthorized manipulation, theft, freezing of funds
  • Medium: Exploits compromising user experience
  • Low: Non-critical functionality issues without user fund loss

Please refer to the readme file for more details on intended behavior and the developer docs.
