Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Avantis>Discussion>Checks-effects-interactions pattern broken
GeneralOverview
Findings
Critical (6)
High (9)
Medium (6)
Low (10)
Informational (7)
DiscussionReferral code incentives are misalignedVeTranche NFT info should be structNo way to remove user from Trading whitelistPyth price can become negative or erraticTranche has unnecessary `ReentrancyGuard`Checks-effects-interactions pattern brokenTypos
Threat ModelWhat are threat models?Execute.solReferral.solTrading.solTradingStorage.solTranche.solVaultManager.solVeTranche.sol
Audit ResultsSummary

Checks-effects-interactions pattern broken

The function claimRebate transfers the USDC to the user before setting rebates to zero. 

function claimRebate() external {
    usdc.transfer(msg.sender, rebates[msg.sender]);
    rebates[msg.sender] = 0;
}

Although this is currently not a security issue, if the protocol decides to use any other token in the future with hooks on transfer, it would be a security risk.

Zellic © 2025Back to top ↑