Breakage analysis per dependency

Concrete's assessment for RD-F-052 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Breakage analysis: (1) External strategy protocol (Aave, Morpho, Silo) exploit: vault loses NAV proportional to allocation; Allocator must manually deallocate — no automatic exit. Halborn V2 finding 'Strategy removal allowed while holding allocated funds' (Low, Risk Accepted) confirms. (2) ConcreteFactory compromise: all vaults upgradeable to malicious implementation instantly — no timelock confirmed (governance-admin-analyst to confirm). (3) LayerZero pre-deposit path failure: ~$120M in pre-deposit/destination-chain positions stranded if PredepostVaultOApp or LayerZero endpoint fails; not permanent loss but significant operational impact. (4) Strategy self-reporting failure (totalAllocatedValue() returns incorrect value): vault NAV miscalculated until next Allocator intervention. (5) AllocateModule failure: new allocation calls revert; withdrawal from unallocated idle capital still works.

Sources #

Audit
Halborn Blueprint Finance Earn V2 Core Audit (Sep 2025)Halborn Earn V2 Core audit Sep 2025 — 'Strategy removal allowed while holding allocated funds' (Low, Risk Accepted) — primary source for strategy-failure breakage analysisretrieved 2026-05-17
GitHub
PredepostVaultOApp.sol — LayerZero OApp for pre-deposit claim routingsrc/periphery/predeposit/PredepostVaultOApp.sol — OAppUpgradeable inheritance; _lzSend() for pre-deposit claim deliveryretrieved 2026-05-17

Methodology #

Produce a short per-dependency text describing which protocol functions halt or degrade and impact severity if each declared dependency fails.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-052 score yellow collected_at 2026-05-17 14:36:59