Mystic Finance

We express our gratitude to the Mystic Finance team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Mystic Finance is a fork of Aave v3.1 that adds KYC integration, semi-permissioned pools, vault management, and custody control features to the core Aave protocol.

Audit Summary

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are partially provided.

• Technical description is not provided.

Code quality

• The development environment is configured.

Test coverage

Code coverage of the project is N/A.

• Deployment and basic user interactions are covered with tests.

• Negative cases are covered.

• Interactions by several users are tested.

Mystic Finance is a fork of Aave v3.1 that adds KYC integration, semi-permissioned pools, vault management, and custody control features to the core Aave protocol. The main contracts of the audit scope are:

• Vault: an ERC4626-compliant vault contract that allows users to deposit a base asset which is then allocated across multiple Aave-like lending pools ("Mystic pools") according to curator-defined allocation percentages.

• VaultFactory: a factory that allows authorized curators to create and manage MysticVault instances while maintaining a registry of deployed vaults.

• SemiPermissionedPool: a specialized version of the Aave Pool contract that implements permission controls for liquidators and pool users while providing calldata-optimized functions.

• KYCPortal: this contract manages KYC (Know Your Customer) permissions and access control for partners, users, and liquidators in a DeFi protocol through a role-based system.

• CustodyController: a custody management contract that handles asset deposits and withdrawals with multi-role authorization, allowing designated operators to request withdrawals that must be approved by custodians before execution.

Privileged roles

Vault

• OWNER: Can set fees, fee recipient, and has all curator capabilities.

• CURATOR: Can add/remove other curators, add/update pools and asset allocations, set withdrawal timelock, set max deposit/withdrawal limits.

• FEE_RECIPIENT: Can withdraw accrued fees.

VaultFactory

• DEFAULTADMINROLE: Can add/remove curators.

• CURATOR_ROLE: Can create new vaults.

• owner: Set at deployment, stored but not used in this contract (though passed to created vaults).

SemiPermissionedPool

• POOL_USER: Can perform borrowing, repaying, rate swapping, collateral management, and rebalancing operations.

• LIQUIDATOR: Can perform liquidation calls on positions.

• ACL_MANAGER: Controls the access list that determines who is a pool user or liquidator.

KYCPortal

• OWNER: Can add relayers.

• RELAYER: Can add/remove pool users and partners.

• LIQUIDATOR_ADMIN: Can add/remove liquidators (this role is granted to partners).

• PARTNER: A special status that grants all pool user permissions plus liquidator admin capabilities.

• LIQUIDATOR: Can perform liquidations (with different types: regular, investor, regulated).

CustodyController

• DEFAULTADMINROLE: Can grant/revoke all other roles.

• TREASURYMANAGERROLE: Can pause/unpause, add assets/targets, update custody wallet/locker, set withdrawal limits, manage withdrawal operators.

• WITHDRAWALOPERATORROLE: Can deposit assets and request withdrawals.

• CUSTODIANOPERATORROLE: Can update withdrawal request status and trigger callbacks.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope