
Conversation

@supervaulter
Contributor

No description provided.

@linear

linear bot commented Oct 7, 2025

@octane-security-app

octane-security-app bot commented Oct 7, 2025

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

  • AbstractYieldSourceOracle.sol: Added getWithdrawalShareOutput function to calculate withdrawal share outputs in the smart contract.
  • ERC4626YieldSourceOracle.sol: Added a new function, getWithdrawalShareOutput, for previewing withdrawal outputs of assets.
  • ERC5115YieldSourceOracle.sol: Added functions for withdrawal share output calculation and internalized asset/share output logic.
  • ERC7540YieldSourceOracle.sol: Refactored conversion functions; added getWithdrawalShareOutput for asset conversion tracking.
  • PendlePTYieldSourceOracle.sol: Functions for share and asset conversions are now handled by internal methods _getShareOutput and _getAssetOutput.
  • SpectraPTYieldSourceOracle.sol: The contract now includes _getShareOutput and _getAssetOutput functions and adds getWithdrawalShareOutput for obtaining assets from shares.
  • StakingYieldSourceOracle.sol: The smart contract now includes a getWithdrawalShareOutput function, returning the input assets.
  • IYieldSourceOracle.sol: Added a function to calculate shares received for asset withdrawals, aiding in simulations and exchange rate assessments.
  • MockYieldSourceOracle.sol: Added getWithdrawalShareOutput function to return input assets unchanged.

🔗 Commit Hash: 3851d32

@graphite-app
Contributor

graphite-app bot commented Oct 7, 2025

How to use the Graphite Merge Queue

Add the label contracts to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

cursor[bot]

This comment was marked as outdated.


@supervaulter supervaulter changed the base branch from dev to pre-dev October 7, 2025 15:21

@graphite-app graphite-app bot requested a review from 0xTimepunk October 7, 2025 15:56
@octane-security-app

Overview

Vulnerabilities found: 5
Severity breakdown: 2 Informational, 2 High, 1 Medium
Warnings found: 4

Detailed findings

src/accounting/BaseLedger.sol

  • Constant PPS/decimals in StakingYieldSourceOracle combined with unbound oracle ID selection causes fee miscalculation in ledger accounting. See more
  • Permissionless, user-chosen oracle configuration IDs accepted without whitelist in executor/ledger causes protocol fee bypass and fee hijacking. See more

src/accounting/oracles/ERC7540YieldSourceOracle.sol

  • Rounding/fee-exclusion in ERC7540YieldSourceOracle.getWithdrawalShareOutput causes optimistic/incorrect withdrawal quotes and reverts. See more

src/accounting/oracles/StakingYieldSourceOracle.sol

  • Missing PPS normalization for Unknown flavors in SuperYieldSourceOracle causes misquoted pricePerShare for non-18-decimal bases. See more

src/hooks/vaults/5115/Redeem5115VaultHook.sol

  • Unit mismatch between canonical asset and tokenOut in ERC-5115 accounting causes fee under-collection. See more

Warnings

src/accounting/oracles/ERC4626YieldSourceOracle.sol

  • Unbounded exponentiation of token decimals in yield source oracles causes per-asset denial-of-service via overflow reverts. See more

src/accounting/oracles/PendlePTYieldSourceOracle.sol

  • Unchecked exponentiation/scaling in PendlePTYieldSourceOracle with untrusted market decimals/rates causes view-function DoS. See more
  • Unbounded pow10 scaling in PendlePTYieldSourceOracle causes view-function DoS for misconfigured/abnormal markets. See more

src/executors/SuperExecutorBase.sol

  • Unvetted manager-controlled ledger configuration in SuperLedgerConfiguration used by SuperExecutorBase causes principal expropriation during withdrawals. See more

🔗 Commit Hash: 3851d32
🛡️ Octane Dashboard: All vulnerabilities
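Two of the findings above name mechanisms that are easy to get wrong in a yield-source oracle: a withdrawal quote that is rounded or fee-excluded in the optimistic direction, and a power-of-ten scaling of token decimals that can overflow and turn every view call for that asset into a revert. The following Solidity example is added here to show both points concretely against an ERC-4626 vault; it is not the PR's code nor the project's oracle, and every contract and function name in it (ExampleERC4626YieldSourceOracle, getOptimisticShareQuote, getPricePerShare18, MockFeeVault, MockAsset6) is this example's own. It relies only on standard ERC-4626 names and on the ERC-4626 rules that previewWithdraw must round up and include withdrawal fees while convertToShares rounds down and excludes them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the ERC-4626 interface (standard function names; only what is used here).
interface IERC4626Slice {
    function asset() external view returns (address);
    function decimals() external view returns (uint8);
    function convertToShares(uint256 assets) external view returns (uint256);
    function convertToAssets(uint256 shares) external view returns (uint256);
    function previewWithdraw(uint256 assets) external view returns (uint256);
}

interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

/// Hypothetical oracle for this example; not the project's ERC4626YieldSourceOracle.
contract ExampleERC4626YieldSourceOracle {
    /// 10**77 < 2**256 < 10**78, so any decimals value above 77 makes 10**decimals overflow.
    uint8 public constant MAX_DECIMALS = 77;

    error DecimalsOutOfRange(uint8 decimals);

    /// Bounded power of ten: an abnormal or hostile token cannot turn the whole view into a revert.
    function _pow10(uint8 decimals) internal pure returns (uint256) {
        if (decimals > MAX_DECIMALS) revert DecimalsOutOfRange(decimals);
        return 10 ** uint256(decimals);
    }

    /// Shares that will actually be burned to withdraw `assets`.
    /// ERC-4626 requires previewWithdraw to round up and to include withdrawal fees,
    /// so this is the pessimistic, and therefore safe, quote for a withdrawal simulation.
    function getWithdrawalShareOutput(address vault, uint256 assets) external view returns (uint256) {
        return IERC4626Slice(vault).previewWithdraw(assets);
    }

    /// The optimistic quote: convertToShares rounds down and must exclude fees,
    /// so it understates the shares burned whenever the vault charges on exit.
    function getOptimisticShareQuote(address vault, uint256 assets) external view returns (uint256) {
        return IERC4626Slice(vault).convertToShares(assets);
    }

    /// Price of one share, normalised to 18 decimals whatever the asset's own decimals are.
    function getPricePerShare18(address vault) external view returns (uint256) {
        IERC4626Slice v = IERC4626Slice(vault);
        uint256 assetsPerShare = v.convertToAssets(_pow10(v.decimals()));
        uint8 assetDecimals = IERC20Decimals(v.asset()).decimals();
        return assetsPerShare * 1e18 / _pow10(assetDecimals);
    }
}

/// Constructed 6-decimal asset, standing in for a USDC-like token.
contract MockAsset6 {
    function decimals() external pure returns (uint8) { return 6; }
}

/// Constructed vault: 18-decimal shares, 6-decimal asset, 1.05 assets per share, 1% exit fee.
contract MockFeeVault {
    uint256 public constant FEE_BPS = 100;
    uint256 public totalAssets = 1_050_000e6;
    uint256 public totalSupply = 1_000_000e18;
    address public immutable assetToken;

    constructor(address asset_) { assetToken = asset_; }

    function asset() external view returns (address) { return assetToken; }
    function decimals() external pure returns (uint8) { return 18; }

    function convertToShares(uint256 assets) public view returns (uint256) {
        return assets * totalSupply / totalAssets; // rounds down, fee-free
    }

    function convertToAssets(uint256 shares) external view returns (uint256) {
        return shares * totalAssets / totalSupply;
    }

    /// Fee-inclusive and rounded up, as ERC-4626 prescribes for previewWithdraw.
    function previewWithdraw(uint256 assets) external view returns (uint256) {
        uint256 net = 10_000 - FEE_BPS;
        uint256 grossAssets = (assets * 10_000 + net - 1) / net;
        return (grossAssets * totalSupply + totalAssets - 1) / totalAssets;
    }
}
```

Deploy MockAsset6, then MockFeeVault with the asset's address, then the oracle, and quote a withdrawal of 1_000e6 assets: getOptimisticShareQuote returns about 952.38 shares while getWithdrawalShareOutput returns about 962.00 shares, the roughly 1% gap being exactly the fee the optimistic path ignores; an executor that sized its burn from the optimistic figure would be short of shares and revert. getPricePerShare18 returns 1.05e18 for this vault, and a token reporting decimals() above 77 is rejected with DecimalsOutOfRange instead of an arithmetic overflow, which keeps the failure scoped to that one asset rather than to every caller that touches the scaling code.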

@graphite-app
Contributor

graphite-app bot commented Oct 7, 2025

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (10/07/25)

1 reviewer was added to this PR based on 's automation.


@codecov

codecov bot commented Oct 8, 2025

Codecov Report

❌ Patch coverage is 44.44444% with 15 lines in your changes missing coverage. Please review.

Files with missing lines                              Patch %   Lines
...c/accounting/oracles/PendlePTYieldSourceOracle.sol   0.00%   11 Missing ⚠️
.../accounting/oracles/SpectraPTYieldSourceOracle.sol   0.00%   4 Missing ⚠️



@0xTimepunk 0xTimepunk left a comment


The way it is calculated for 5115 is strange.
I'd pass this through Sujith and octane for a final review

Are we gonna deploy these contracts on prod? It will void the final audit


@0xTimepunk 0xTimepunk merged commit 71ae51d into pre-dev Oct 27, 2025
2 of 3 checks passed
@0xTimepunk 0xTimepunk deleted the feat/update-oracles-SUP-15736 branch October 27, 2025 14:29