redpen
C
VaultProtocol mainnet-beta
Vau1...WvEx
Security C
Critical 0
High 1
Medium 1
Low 2

VaultProtocol has two security issues that should be addressed before handling significant user funds. No critical vulnerabilities were found, but the missing signer validation and unchecked arithmetic present meaningful risk under adversarial conditions.

TRACER AUDIT

Security Findings

High Findings 1

Missing signer validation on withdraw instruction
The withdraw instruction does not verify that the authority account is a signer. Any account can be passed as the authority and the transaction will succeed, allowing unauthorized withdrawals from any vault.
📍 programs/vault/src/instructions/withdraw.rs:34
Fix: Add `#[account(signer)]` constraint to the authority account in the Accounts struct, or add an explicit `require!(authority.is_signer, VaultError::MissingSigner)` check at the start of the instruction handler.

Medium Findings 1

Integer arithmetic without overflow protection
Fee calculation on line 67 uses unchecked addition. In Rust release builds, integer overflow wraps silently. A carefully crafted deposit amount could cause fee_amount to wrap to near-zero, allowing a depositor to pay almost no fees.
📍 programs/vault/src/instructions/deposit.rs:67
Fix: Replace `base_fee + protocol_fee` with `base_fee.checked_add(protocol_fee).ok_or(VaultError::Overflow)?` to handle overflow explicitly.

Low Findings 2

Missing account ownership check on vault_state
The vault_state account is not verified to be owned by this program. A spoofed account with matching data layout could be passed in without triggering a validation error.
📍 programs/vault/src/instructions/deposit.rs:18
Fix: Add `#[account(owner = crate::ID)]` constraint to vault_state, or verify `vault_state.owner == &crate::ID` explicitly.

Unused account increases transaction size unnecessarily
The fee_collector account is included in the Accounts struct but never read or written in this instruction path. Unused accounts increase transaction size and should be removed.
📍 programs/vault/src/instructions/withdraw.rs:12
Fix: Remove fee_collector from the Accounts struct for the withdraw instruction if it is not used in this path.

RedPen Tracer gives you a full automated security scan of your Solana program with findings, severity ratings, and remediation guidance.

RedPen Security - redpen.sh