Steakhouse Box Smart Contracts

Summary

The most critical subjects covered in our audit are access control, integration with lending protocols, permissionless functions during winddown and slippage protection. We identified issues regarding insufficient input validation in the funding modules, see Funds can be locked in FundingAave during winddown and FundingMorpho.depledge() does not sanitize collateralToken. Moreover, the swapper selection by an allocator or by any user during winddown can be abused to extract value from the Box due to a lack of reentrancy protection, see Read-only reentrancy. These issues were addressed and fixed in the second version of the codebase. Security regarding all the aforementioned subjects is good.

The general subjects covered are timelock mechanics, shutdown procedure and functional correctness. Security regarding correctness is improvable, see Box cannot receive native currency. Security regarding all the remaining topics is high.

In summary, we find that the codebase provides a good level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Steakhouse Box Smart Contracts
Steakhouse implements a modular vault system centered around Box, an ERC-4626 child vault that holds a base asset, invests in whitelisted ERC-20 tokens, and interacts with lending protocols through funding modules. Adapters connect Box to a parent Vault V2 by Morpho, enabling controlled deposits, withdrawals, and allocations. The system includes factories for deploying components and enforces role-based permissions and timelocks for managing operations and assets.
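The two issue classes named in the summary, a funding-module entry point that does not sanitize a caller-supplied collateral token and a swap path that can be reentered to read inconsistent vault state, both come down to checks that are easy to illustrate on a stripped-down child vault. The contract below is an added example written for this page, not the Steakhouse Box or Morpho code; `ExampleBox`, `IFunding`, `ISwapper`, the `whitelisted` mapping and the `depledge`/`swap` signatures are hypothetical, and it assumes OpenZeppelin's `IERC20`, `SafeERC20` and `ReentrancyGuard` (the latter providing `nonReentrant` and `_reentrancyGuardEntered()`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical funding-module interface: returns collateral previously pledged
/// to a lending protocol back to the vault.
interface IFunding {
    function depledge(address collateralToken, uint256 amount) external;
}

/// Hypothetical swapper interface: receives `amountIn` of `tokenIn`, must send back
/// at least `minOut` of `tokenOut`. Its implementation is untrusted from the vault's view.
interface ISwapper {
    function swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut) external;
}

/// Simplified child vault (illustrative only, not an ERC-4626 implementation).
contract ExampleBox is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;                 // base asset the vault accounts in
    address public immutable allocator;            // role allowed to move funds
    mapping(address => bool) public whitelisted;   // ERC-20s the vault may hold

    error NotAllocator();
    error NotWhitelisted(address token);
    error ReentrantRead();
    error Slippage(uint256 received, uint256 minOut);

    constructor(IERC20 asset_, address allocator_, address[] memory tokens) {
        asset = asset_;
        allocator = allocator_;
        whitelisted[address(asset_)] = true;
        for (uint256 i = 0; i < tokens.length; i++) whitelisted[tokens[i]] = true;
    }

    modifier onlyAllocator() {
        if (msg.sender != allocator) revert NotAllocator();
        _;
    }

    /// Weak form: `collateralToken` is forwarded unchecked, so the caller chooses which
    /// token the module is asked to move. The vault's own invariant (only whitelisted
    /// tokens are held or touched) is not enforced here at all.
    function depledgeUnchecked(IFunding module, address collateralToken, uint256 amount)
        external
        onlyAllocator
    {
        module.depledge(collateralToken, amount);
    }

    /// Hardened form: the token must be on the whitelist before the module is called.
    function depledge(IFunding module, address collateralToken, uint256 amount)
        external
        onlyAllocator
        nonReentrant
    {
        if (!whitelisted[collateralToken]) revert NotWhitelisted(collateralToken);
        module.depledge(collateralToken, amount);
    }

    /// Swap through a caller-selected swapper. The external call is the reentrancy
    /// window: the guard blocks state-changing reentry, and the balance delta check
    /// enforces slippage regardless of what the swapper does internally.
    function swap(ISwapper swapper, address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut)
        external
        onlyAllocator
        nonReentrant
    {
        if (!whitelisted[tokenIn]) revert NotWhitelisted(tokenIn);
        if (!whitelisted[tokenOut]) revert NotWhitelisted(tokenOut);

        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        IERC20(tokenIn).safeTransfer(address(swapper), amountIn);
        swapper.swap(tokenIn, tokenOut, amountIn, minOut);
        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        if (received < minOut) revert Slippage(received, minOut);
    }

    /// Read-only reentrancy guard: while `swap` is mid-flight the vault holds less
    /// `tokenIn` but not yet the `tokenOut`, so any view that prices the vault would
    /// under-report. Refusing to answer during an entered guard closes that window
    /// for callers such as a parent vault reading this value during allocation.
    function totalAssets() public view returns (uint256) {
        if (_reentrancyGuardEntered()) revert ReentrantRead();
        return asset.balanceOf(address(this));
    }
}
```

The `totalAssets` check is the part most often missed: `nonReentrant` alone only protects functions that carry the modifier, and a `view` cannot carry it, so a swapper that calls back into the vault (or into a parent that reads the vault) during `swap` would otherwise observe the transient, smaller balance. Whether the real `totalAssets` should revert or instead return a conservative value is a design choice the page does not settle; the example picks revert because it is the simplest behaviour to reason about.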