QuantStamp Security Audit - FlowALP
This issue tracks remediation of QuantStamp security audit items for FlowALP.
Audit Report: FlowALPInitialReport_second_round.pdf (shared internally)
Audit Details:
- Type: Lending Protocol
- Timeline: 2026-02-11 through 2026-02-25
- Language: Cadence
- Auditors: Yamen Merhi, Mostafa Yassin, Gereon Mendler
Summary (from report):
| Severity | Count |
|---|---|
| High | 4 |
| Medium | 13 |
| Low | 12 |
| Informational | 2 |
| Total Findings | 31 |
Auditor Suggestions: 1
Checklist
High (4)
- FLO-1: Uncollected Protocol Fees Are Permanently Lost when Reserves Are Low #210
- FLO-2: setInsuranceRate() and setStabilityFeeRate() Retroactively Applies New Rates and Fails to Update Interest Rates #211
- FLO-3: Automatic Rebalancing Drains topUpSource Even if the Position Remains Liquidatable #212
- FLO-4: createPaidRebalancer Is Permissionless Where Anyone Can Drain Admin's Flow #213
Medium (13)
- FLO-5: Inconsistent Flag Behavior: pullFromTopUpSource Bypasses Rebalancing While pushToDrawDownSink Forces It #214
- FLO-6: withdrawAndPull() Can Leave Position Below minHealth Due to Deposit Rate Limiting #215
- FLO-7: Minimum Position Balance Invariant Can Be Circumvented via Deposits and Are Ignored in View Functions #216
- FLO-8: setInterestCurve() Updates Rates Immediately, Exposing Users to Slippage #217
- FLO-9: regenerateDepositCapacity() Permanently Inflates the depositCapacityCap #218
- FLO-10: asyncUpdate Single Position Revert Blocks Entire Batch #219
- FLO-11: Inconsistent Moet Accounting Leads to Supply Inflation and Liquidity Mirages #220
- FLO-12: Fee Calculation Diverges From Rate Allocation Formula #221
- FLO-13: Fee collection drains reserves below seize amount, causing revert #222
- FLO-14: Deposit Rate Limiting Throttles Critical Rebalance Top-Ups #223
- FLO-15: Same-Token Shortcut Incorrectly Linearizes a Ratio-Based Health Computation #224
- FLO-16: Potential Underflow when Subtracting a Token's Effective Collateral Contribution From the Total #225
- FLO-17: Refund Destination Changes After Recurring Config Updates #226
Low (12)
- FLO-18: perSecondInterestRate() Uses Linear Instead of Logarithmic Decomposition #227
- FLO-19: dexOraclePriceDeviationInRange() Enforces Asymmetric Price Bounds #228
- FLO-20: createPosition() Causes Storage Bloat by Redundantly Issuing Pool Capabilities #229
- FLO-21: Mandatory drawDownSink in createPosition() Contradicts Optional Design #230
- FLO-22: maxWithdraw() View Function Incorrectly Caps Credit Position Withdrawals #231
- FLO-23: Manual Liquidations Bypass Configured Top-up Sources #232
- FLO-24: Updating Health Bounds Fails to Queue Position for Automatic Rebalancing #233
- FLO-25: Dex Price Susceptible to Sandwich Attacks in Liquidation #234
- FLO-26: seizeType and debtType Can Be the Same Token in Liquidation #235
- FLO-27: Stale Supervisor Uuid Bricks Recovery Calls #236
- FLO-28: Safe Refund Ordering Can Brick Config Rotation #237
- FLO-29: Per-Position Reentrancy Lock Does Not Protect Shared Pool State During External Callbacks #238
Informational (2)
- FLO-30: depositLimit() Prevents Full Exhaustion of Capacity and Creates Transaction Order Dependency #239
- FLO-31: Supported Tokens Cannot Be Removed #240
Auditor Suggestions (1)
- S1: General Improvements #241