Mythril Analysis
Overview
Mythril is a symbolic execution tool for EVM bytecode that detects security vulnerabilities by exploring execution paths. It is particularly effective at finding integer overflow/underflow, reentrancy, and access control issues.
Scope
| Contract | Network | Description |
|---|---|---|
KingsVaultV2.sol |
Ethereum | Synchronous ERC-4626 vault |
KingsVaultV2Async.sol |
Ethereum | Async redeem vault (escrow-based) |
Controller.sol |
Ethereum | UUPS-upgradeable coordinator |
AaveV3Strategy.sol |
Ethereum | Aave V3 lending strategy adapter |
ERC4626Strategy.sol |
Ethereum | Generic ERC-4626 strategy adapter |
HyperStrategy.sol |
Ethereum | CCTP V2 cross-chain strategy (Ethereum-side) |
Key Vulnerability Classes
| SWC ID | Name | Relevance to King's Vault |
|---|---|---|
| SWC-107 | Reentrancy | withdraw, claim, emergencyRedeem, executeRedeem — all transfer USDC |
| SWC-101 | Integer Overflow/Underflow | Dual-pricing share conversions, fee share calculation, _processingAssets decrement |
| SWC-105 | Unprotected Ether Withdrawal | Fee collection via share minting; harvestOnlyForController |
| SWC-106 | Unprotected SELFDESTRUCT | UUPS proxy upgrade on Controller |
| SWC-115 | Authorization through tx.origin |
Must use msg.sender for all role checks |
| SWC-104 | Unchecked Call Return Value | External calls to Aave Pool, ERC-4626 vaults, CoreWriter, CCTP MessageTransmitter |
Areas of Focus
- Share Price Manipulation via Dual-Pricing: Explore whether symbolic execution reveals paths where
_convertToShares/_convertToAssetscan be manipulated through specific deposit/withdraw/confirm orderings to bypassMAX/MINprotection. - Fee Calculation Edge Cases: Edge cases where
prevSupply == 0,prevAssets == 0, ornewAssets <= prevAssetsmight cause division by zero or unexpected fee share minting inController._calculateFee(). - Cross-Function Reentrancy (Async Vault): Interactions between
withdraw → executeRedeem → claimthat could exploit escrow state inconsistencies mid-transaction. - Emergency Function Safety: Verify
emergencyRedeem()in bothKingsVaultV2andKingsVaultV2Asynccannot extract more than a user's pro-rata share via repeated calls or share manipulation. - CCTP Message Replay: Verify
HyperStrategy.completeDivest()andupdateRemoteState()cannot be replayed — relying on CCTP transmitter's internal nonce enforcement.
Running
myth analyze src/vaults/KingsVaultV2Async.sol --solc-json mythril.config.json --execution-timeout 900
myth analyze src/controllers/Controller.sol --solc-json mythril.config.json --execution-timeout 900
Results should be committed to this page after each audit cycle.