Contributor

@liobrasil liobrasil commented Jan 13, 2026

Summary

  • Adds pre-condition to createYieldVaultManager that calls FlowYieldVaultsClosedBeta.validateBeta
  • Makes the Beta gating behavior explicit and consistent with other Beta-gated methods

Quantstamp Audit Finding

FLOW-10: Unused betaRef Parameter in YieldVaultManager Creation (Undetermined)

The createYieldVaultManager function accepts a betaRef parameter but did not use it in the function body. The recommendation was to invoke FlowYieldVaultsClosedBeta.validateBeta inside the function for consistency with other Beta-gated methods.

Test plan

  • Verify that createYieldVaultManager rejects invalid betaRef
  • Verify that valid betaRef still allows creation of YieldVaultManager

Closes #141

🤖 Generated with Claude Code

Add pre-condition to createYieldVaultManager that invokes
FlowYieldVaultsClosedBeta.validateBeta to verify the betaRef
is valid, making the Beta gating behavior explicit and consistent
with other Beta-gated methods.

Addresses Quantstamp audit finding FLOW-10.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@liobrasil liobrasil requested a review from a team as a code owner January 13, 2026 13:10
@liobrasil liobrasil changed the title from "Fix: FLOW-10 - Validate betaRef parameter in createYieldVaultManager" to "FLOW-10 - Validate betaRef parameter in createYieldVaultManager" Jan 15, 2026
@vishalchangrani

Please can you add a test for this change? ty

access(all) let capID: UInt64
access(all) let isRevoked: Bool

init(_ capID: UInt64, _ isRevoked: Bool) {
Member

Here and below: Use the argument label to document what the parameters mean, they make the call-sites easier to understand:

Suggested change
init(_ capID: UInt64, _ isRevoked: Bool) {
init(capID: UInt64, isRevoked: Bool) {

/// Issue a capability from the contract/deployer account and record its ID
access(contract) fun _issueBadgeCap(_ addr: Address): Capability<auth(Beta) &BetaBadge> {
let p = self._badgePath(addr)
let cap: Capability<auth(Beta) &BetaBadge> =
Member

Type annotation is unnecessary and can be inferred

Suggested change
let cap: Capability<auth(Beta) &BetaBadge> =
let cap =

Comment on lines +114 to +115
if info.isRevoked {
assert(info.isRevoked, message: "Beta access revoked")
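
Review bot: inside the if info.isRevoked branch, assert(info.isRevoked, message: "Beta access revoked") always receives true, so it never aborts and these lines do not reject a revoked badge. If the intent is to stop revoked users here, call panic("Beta access revoked") inside the branch, or drop the if and assert the negation: assert(!info.isRevoked, message: "Beta access revoked"). A test that revokes a badge and then expects the call to fail would catch this.
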
Member

This assert is a no-op, in this branch info.isRevoked is always true


/// Per-user badge storage path (under the *contract/deployer* account)
access(contract) fun _badgePath(_ addr: Address): StoragePath {
return StoragePath(identifier: "FlowYieldVaultsBetaBadge_".concat(addr.toString()))!
Member

Use string templates:

Suggested change
return StoragePath(identifier: "FlowYieldVaultsBetaBadge_".concat(addr.toString()))!
return StoragePath(identifier: "FlowYieldVaultsBetaBadge_\(addr.toString())")!


/// Ensure the admin-owned badge exists for the user
access(contract) fun _ensureBadge(_ addr: Address) {
let p = self._badgePath(addr)
Member

Here and below: Use descriptive variable names:

Suggested change
let p = self._badgePath(addr)
let path = self._badgePath(addr)

Comment on lines +27 to +29
access(all) view fun getOwner(): Address {
return self.assignedTo
}
Member

Maybe just make assignedTo access(all) and remove this unnecessary getter

Development

Successfully merging this pull request may close these issues.

FLOW-10 Unused betaRef Parameter in Yieldvaultmanager Creation