Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Avantis>Threat Model>closeTradeMarket
GeneralOverview
Findings
Critical (6)
High (9)
Medium (6)
Low (10)
Informational (7)
DiscussionReferral code incentives are misalignedVeTranche NFT info should be structNo way to remove user from Trading whitelistPyth price can become negative or erraticTranche has unnecessary `ReentrancyGuard`Checks-effects-interactions pattern brokenTypos
Threat ModelWhat are threat models?Execute.solReferral.sol
Trading.solcancelOpenLimitOrdercloseTradeMarketexecuteLimitOrderopenTradeupdateMarginupdateOpenLimitOrderupdateTpAndSl
TradingStorage.solTranche.solVaultManager.solVeTranche.sol
Audit ResultsSummary

Function: closeTradeMarket(uint256 _pairIndex, uint256 _index, uint256 _amount, bytes[] priceUpdateData)

This closes a trade using market execution.

Inputs

  • _pairIndex

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The index of the trading pair for the open trade.

  • _index

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The index of the open trade.

  • _amount

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The collateral by which to update the margin.

  • priceUpdateData

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: Pyth price update data.

Branches and code coverage

Intended branches

  • Generates an new orderId for the close trade market and calls fulfill in the price aggregator.

  • The fulfill in the price aggregator fetches the price from the oracle and then calls the callback function in TradingCallbacks.

  • The callback function unregisters the trade and unregisters the pending market order.

Negative behavior

  • Revert if pending orders are more than or equal to the max pending market order value.

  • Revert if the market order is already closed.

  • Revert if the leverage of the trade is zero.

Function call analysis

  • this.storageT.openTrades(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Checks the existence of the open trade; incorrect values may lead to incorrect trade information retrieval.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this.storageT.openTradesInfo(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Retrieves additional information about the open trade; incorrect values may lead to incorrect information retrieval.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert; no reentrancy scenarios.

  • this.storageT.pendingOrderIdsCount(msg.sender)

    • What is controllable? msg.sender.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the count of pending orders for the user.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this.storageT.maxPendingMarketOrders()

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the max pending market orders.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.storageT.priceAggregator().getPrice(_pairIndex, OrderType.MARKET_CLOSE)

    • What is controllable? pairIndex.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the orderId of the current order.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this.storageT.storePendingMarketOrder(PendingMarketOrder(Trade(msg.sender, t.pairIndex, 0, 0, t.positionSizeUSDC, 0, t.buy, t.leverage, t.tp, t.sl, 0), 0, t.openPrice, _slippageP), orderId, True)

    • What is controllable? msg.sender, t.pairIndex, t.positionSizeUSDC, t.buy, t.leverage, t.tp, t.sl, t.openPrice, and _slippageP.

    • If the return value is controllable, how is it used and how can it go wrong? Stores the pending market order — no return value.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.storageT.priceAggregator().fulfill{value: msg.value}

    • What is controllable? msg.value.

    • If the return value is controllable, how is it used and how can it go wrong? Fulfills the update margin order — no return value.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

Zellic © 2025Back to top ↑