Tier 3 Adevarlabs 12/2025 Predeposit + Vault
All protocols 2 deal-breaker FAILs 6 open issues P0: 3 6 EOA surfaces 2 contracts 3 audits
HyperEVM Vault (Managed Single-Asset) TVL $11.98M
Altura Trade
Audited 04/07/2026 · 2mo ago Automated Pipeline Tier: Simple Framework V1.2.3
Deal Breaker Gate
FAIL
2 of 23 deal breakers failed
Score
0 /100
Grade F
Risk Level
Critical
Aggregate finding
Re-check Cadence
N/A
Suggested for next assessment
Findings
Two deal breakers triggered. The OPERATOR EOA can drain the entire vault balance (~$12M) via moveAssets() with no multisig, no timelock, and no per-call cap. The Oracle REPORTER EOA can set arbitrary share prices because the rate limiter (maxPpsMoveBps) is configured to 0 (disabled) and the ADMIN EOA can re-disable it at any time. All six privileged roles across NavVault and NavOracle are EOAs — no multisig, no DAO, no on-chain governance. The deal-breaker gate fails on EOA fund control and manual price control.
- ▸ OPERATOR EOA can drain entire ~$12M vault via moveAssets() — no multisig, no timelock, no cap
- ▸ Oracle REPORTER EOA can set arbitrary PPS via reportNav(); maxPpsMoveBps = 0 (rate limiter disabled)
- ▸ ADMIN EOA can change liquidityRecipient instantly via setLiquidityRecipient() — no timelock
- ▸ ADMIN EOA can re-disable rate limiter at any time via setConfig() on the oracle
- ▸ All 6 privileged roles across vault + oracle are EOAs — no multisig, no DAO, no governance
- ▸ Three external audits (Adevarlabs, Omniscia, Sherlock) and clean Slither — issues are operational, not code-level
Technical findings only — not financial advice.
Trust Surfaces
Who can move funds, and how fast| Surface | Controller | Type | Min Delay | Worst Case |
|---|---|---|---|---|
| NavVault — moveAssets() (drain vault) | 0x03987D5FA639023904378614537aC4FAFE1f8813 ↗ | EOA | Instant | Transfer the entire vault balance (~$12M) to liquidityRecipient in a single transaction |
| NavVault — setLiquidityRecipient() | 0xbF33F8aAC7b90662bf346eB0bE42f7761308ef6E ↗ | EOA | Instant | Redirect the moveAssets() destination to any address; in combination with OPERATOR a single ADMIN+OPERATOR coordination drains funds anywhere |
| NavOracle — reportNav() (set share price) | 0x12f8F492ca503CA5505b67d42D63C91113E3D967 ↗ | EOA | Instant | Set arbitrary PPS — inflate to extract from depositors or deflate to dilute existing holders. Rate limiter disabled (maxPpsMoveBps = 0) |
| NavOracle — setConfig() (rate-limiter config) | 0xbF33F8aAC7b90662bf346eB0bE42f7761308ef6E ↗ | EOA | Instant | Re-disable maxPpsMoveBps or change staleness window; renders any future rate-limit hardening unenforceable |
| NavVault — setOracle() (replace oracle) | 0xbF33F8aAC7b90662bf346eB0bE42f7761308ef6E ↗ | EOA | 24h | Replace the NAV oracle with an attacker-controlled implementation. The 1-day timelock is the only public delay window in the entire protocol |
| NavVault & NavOracle — pause()/unpause() | 0xff0c2fba221cbc1011b294e3803851ee9df009ef ↗ | EOA | Instant | Block user deposits/withdrawals indefinitely (denial-of-service); does not enable theft on its own |
NavVault — moveAssets() (drain vault)
EOA Controller 0x0398…8813 ↗
Min delay Instant
Worst case Transfer the entire vault balance (~$12M) to liquidityRecipient in a single transaction
NavVault — setLiquidityRecipient()
EOA Controller 0xbF33…ef6E ↗
Min delay Instant
Worst case Redirect the moveAssets() destination to any address; in combination with OPERATOR a single ADMIN+OPERATOR coordination drains funds anywhere
NavOracle — reportNav() (set share price)
EOA Controller 0x12f8…D967 ↗
Min delay Instant
Worst case Set arbitrary PPS — inflate to extract from depositors or deflate to dilute existing holders. Rate limiter disabled (maxPpsMoveBps = 0)
NavOracle — setConfig() (rate-limiter config)
EOA Controller 0xbF33…ef6E ↗
Min delay Instant
Worst case Re-disable maxPpsMoveBps or change staleness window; renders any future rate-limit hardening unenforceable
NavVault — setOracle() (replace oracle)
EOA Controller 0xbF33…ef6E ↗
Min delay 24h
Worst case Replace the NAV oracle with an attacker-controlled implementation. The 1-day timelock is the only public delay window in the entire protocol
NavVault & NavOracle — pause()/unpause()
EOA Controller 0xff0c…09ef ↗
Min delay Instant
Worst case Block user deposits/withdrawals indefinitely (denial-of-service); does not enable theft on its own
Deal Breaker Matrix
PASS 12 FAIL 2 N/A 9 Inconclusive 0
Access Control & Governance
| Item | Status | Evidence |
|---|---|---|
| EOA Upgrade Control | N/A | Not a proxy. No upgrade mechanism. |
| EOA Fund Control | FAIL | OPERATOR (EOA 0x0398...8813) calls moveAssets() to transfer all vault funds to liquidityRecipient (EOA 0xFC45...0ADf). ADMIN (EOA 0xbF33...ef6E) can change recipient instantly. No multisig, no timelock, no cap. |
| >60% Governance Centralization | N/A | No governance token. |
| Governance Mechanism Bypass | N/A | No governance mechanism. |
| Timelock Backdoors | PASS | Oracle replacement has 1-day timelock. No bypass functions found (emergencyExecute, fastTrack, etc.). No timelock on moveAssets, setLiquidityRecipient, setExitFeeBps, setEpochSeconds. |
| No Emergency Controls | PASS | pause()/unpause() via GUARDIAN role on both vault and oracle. |
Oracle & Price Integrity
| Item | Status | Evidence |
|---|---|---|
| Direct Pool Price Oracle | N/A | Managed single-asset vault. Share price from admin-reported NAV; no DEX pool oracle. |
| Manual Price Control | FAIL | REPORTER (EOA 0x12f8...3D967) calls reportNav(pps, ts) on NavOracle to set arbitrary PPS. maxPpsMoveBps = 0 → rate limiter disabled. No governance approval. No timelock. ADMIN can re-disable rate limiter at any time via setConfig(). |
Smart Contract Architecture
| Item | Status | Evidence |
|---|---|---|
| Known Compiler Bugs | PASS | Solidity ^0.8.21. No known CVEs. |
| No Reentrancy Protection | PASS | ReentrancyGuard (nonReentrant) on all 15 state-changing fund functions. |
| Unlimited Minting | PASS | Shares minted only via ERC4626 deposit()/mint() — requires matching asset transfer. |
| Unsafe Delegatecall | PASS | No delegatecall or .call{} in custom code. |
| Uninitialized Implementation | N/A | Not a proxy. |
| Unprotected Initializer | N/A | No initializer. Constructor only. |
Audit & Verification
| Item | Status | Evidence |
|---|---|---|
| No Audit + High TVL | PASS | TVL ~$12M. 3 audits: Adevarlabs (Dec 2025), Omniscia (Jan 2026), Sherlock (Feb 2026). |
| Unverified Contracts | PASS | 2/2 core contracts verified (NavVault, NavOracle). |
| Critical Unfixed Issues | PASS | No critical/high unfixed issues known (audit report details not reviewed in detail per scope). |
Economic & Liquidity
| Item | Status | Evidence |
|---|---|---|
| Zero Flash Loan Protection | PASS | Oracle-driven NAV not manipulable via flash loans (PPS set off-chain by REPORTER). Instant withdrawals limited by vault liquidity. |
| Broken Tokenomics | PASS | ~5.7% return since inception. Strategies: market making, basis/funding arb, RWA. No unsustainable emission. |
| No Slippage Protection | PASS | depositWithCheck(minShares), withdrawWithCheck(maxShares), redeemWithCheck(minAssets), mintWithCheck(maxAssets) all present. |
Cross-Chain & Bridges
| Item | Status | Evidence |
|---|---|---|
| Centralized Bridge | N/A | Not a bridge protocol. |
| No Transfer Limits | N/A | Not a bridge protocol. |
| No Token Verification | N/A | Not a bridge protocol. |
Open Issues
P0: 3P1: 2P2: 1
- P0 Critical · Access Control Timeline: ImmediateOPERATOR EOA can drain vault via moveAssets()Impact: Full loss of vault funds (~$12M)Recommendation: Migrate OPERATOR to multisig (3/5 minimum). Add timelock or per-epoch cap to moveAssets().
- P0 Critical · Oracle Timeline: ImmediateOracle REPORTER can set arbitrary PPSImpact: Share price manipulation → extraction or dilutionRecommendation: Enable maxPpsMoveBps (e.g., 100 = 1% max move per update). Migrate REPORTER to multisig or MPC.
- P0 High · Access Control Timeline: ImmediateAll roles are EOAs, no multisigImpact: Single key compromise = full protocol controlRecommendation: Migrate DEFAULT_ADMIN, OPERATOR, GUARDIAN to multisigs. Use hardware wallets for all signers.
- P1 High · Access Control Timeline: 1 weeksetLiquidityRecipient() has no timelockImpact: ADMIN can redirect fund destination instantlyRecommendation: Add timelock (minimum 48h) to setLiquidityRecipient().
- P1 High · Oracle Timeline: 1 weekADMIN can re-disable oracle rate limiterImpact: setConfig(staleness, 0) disables maxPpsMoveBpsRecommendation: Consider making rate-limiter floor immutable or require governance approval to lower it.
- P2 Medium · Operations Timeline: 1 monthNo bug bounty programImpact: Reduced incentive for responsible disclosureRecommendation: Launch bug bounty on Immunefi with meaningful rewards (>$100K max).
Contract Inventory
Verified
Compiler: 0.8.21
Verified
Compiler: 0.8.21
Audit History
Tier 2 Sherlock 02/2026 Vault + WithdrawalWrapper (contest model)
Protocol
Website: https://altura.trade ↗
Launched: 2025-12
TVL Source: Oracle NAV (not listed on DeFiLlama)
Operations
Bug Bounty: None detected
All role assignments (6)
| Contract | Role | Holder | Powers |
|---|---|---|---|
| NavVault | DEFAULT_ADMIN | 0xbF33...ef6E (EOA) | Set config (oracle, recipient, fees, epoch). Grant/revoke roles. |
| NavVault | OPERATOR | 0x0398...8813 (EOA) | moveAssets() — transfer entire vault balance to liquidityRecipient |
| NavVault | GUARDIAN | 0xff0c...09ef (EOA) | pause()/unpause() the vault |
| NavOracle | DEFAULT_ADMIN | 0xbF33...ef6E (EOA) | setConfig() — staleness window and maxPpsMoveBps rate limiter |
| NavOracle | REPORTER | 0x12f8...3D967 (EOA, deployer) | reportNav(pps, ts) — set the share price the vault uses |
| NavOracle | GUARDIAN | 0x0398...8813 (EOA, = vault OPERATOR) | pause()/unpause() the oracle |