
Function: updateTpAndSl(uint256 _pairIndex, uint256 _index, uint256 _newSl, uint256 _newTP, bytes[] priceUpdateData)

This updates the take profit and stop loss for an open trade.

Inputs

  • _pairIndex

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The index of the trading pair.

  • _index

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The index of the order.

  • _newSl

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The new stop-loss price.

  • _newTP

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: The new take-profit price.

  • priceUpdateData

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: Pyth price update data.

Branches and code coverage

Intended branches

  • The function calls _updateTp and _updateSl to update take profit and stop loss, respectively.

    • [x] Test coverage

  • In _updateSl, if the pair does not have guaranteed stop loss enabled, call updateSl in the storage contract.

    • [x] Test coverage

  • In _updateSl, if the pair has guaranteed stop loss enabled, take the dev governance fees from the initial position, update the trade, and call fulfill in the aggregator to fulfill the order.

    • [x] Test coverage

Negative behavior

  • Revert if block.number - tpLastUpdated is less than limitOrdersTimelock.

    • [ ] Negative test

  • Revert if block.number - slLastUpdated is less than limitOrdersTimelock.

    • [ ] Negative test

  • Revert if the stop loss deviates by more than maxSlDist.

    • [ ] Negative test

  • Revert if leverage is zero.

    • [ ] Negative test
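The four unchecked negative cases above can be pinned down with tests like the following Foundry sketch, which is an added example and not code from the report or from Avantis. `GuardHarness`, its values, its revert strings and its stop-loss distance formula are assumptions standing in for the real trading contract; swap in the deployed contract and its actual revert reasons when adapting it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in that models only the four revert conditions listed above.
// Values, revert strings and the SL distance formula are assumptions, not Avantis code.
contract GuardHarness {
    uint256 public limitOrdersTimelock = 30; // blocks
    uint256 public maxSlDist = 100;          // price units
    uint256 public openPrice = 1000;
    uint256 public leverage = 10;
    uint256 public tpLastUpdated;
    uint256 public slLastUpdated;
    uint256 public sl;

    function setLeverage(uint256 l) external { leverage = l; }
    function setTpLastUpdated(uint256 b) external { tpLastUpdated = b; }
    function updateTpAndSl(uint256 newSl, uint256 /* newTp */) external {
        require(leverage > 0, "NO_TRADE");
        require(block.number - tpLastUpdated >= limitOrdersTimelock, "TP_TIMELOCK");
        require(block.number - slLastUpdated >= limitOrdersTimelock, "SL_TIMELOCK");
        uint256 dist = newSl > openPrice ? newSl - openPrice : openPrice - newSl;
        require(dist <= maxSlDist, "SL_TOO_FAR");
        sl = newSl;
        tpLastUpdated = block.number;
        slLastUpdated = block.number;
    }
}

contract UpdateTpAndSlNegativeTest is Test {
    GuardHarness h;
    function setUp() public {
        h = new GuardHarness();
        vm.roll(100);
        h.updateTpAndSl(950, 1100); // both timestamps now at block 100
    }
    function expectFail(uint256 blk, uint256 newSl, bytes memory why) internal {
        vm.roll(blk);
        vm.expectRevert(why);
        h.updateTpAndSl(newSl, 1200);
        assertEq(h.sl(), 950); // the revert left the stored SL untouched
    }
    function test_TpTimelockOneBlockShort() public { expectFail(129, 960, "TP_TIMELOCK"); }
    function test_SlTimelockOneBlockShort() public { h.setTpLastUpdated(0); expectFail(129, 960, "SL_TIMELOCK"); }
    function test_SlTooFar() public { expectFail(130, 899, "SL_TOO_FAR"); }
    function test_ZeroLeverage() public { h.setLeverage(0); expectFail(130, 960, "NO_TRADE"); }
    function test_BoundaryBlockPasses() public { vm.roll(130); h.updateTpAndSl(960, 1200); assertEq(h.sl(), 960); }
}
```

The boundary test matters as much as the failures: a difference exactly equal to limitOrdersTimelock must succeed, which catches an off-by-one in the comparison.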

Function call analysis

  • this._updateTp(_pairIndex, _index, _newTP) -> this.storageT.openTrades(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Checks the existence of the open trade; incorrect values may lead to incorrect trade information retrieval.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateTp(_pairIndex, _index, _newTP) -> this.storageT.openTradesInfo(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Retrieves additional information about the open trade; incorrect values may lead to incorrect information retrieval.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateTp(_pairIndex, _index, _newTP) -> this.storageT.updateTp(msg.sender, _pairIndex, _index, _newTp)

    • What is controllable? msg.sender, _pairIndex, _index, and _newTp.

    • If the return value is controllable, how is it used and how can it go wrong? Updates the TP value — no return value.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> this.storageT.openTrades(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Checks the existence of the open trade; incorrect values may lead to incorrect trade information retrieval.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> this.storageT.openTradesInfo(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Retrieves additional information about the open trade; incorrect values may lead to incorrect information retrieval.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> this.storageT.priceAggregator()

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? Returned value is the PriceAggregator contract, to which calls will be made.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> aggregator.pairsStorage().guaranteedSlEnabled(_pairIndex)

    • What is controllable? _pairIndex.

    • If the return value is controllable, how is it used and how can it go wrong? Returns whether guaranteed SL is enabled for this pair index.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> aggregator.pairsStorage()

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? Returned value is the TradingStorage contract, to which calls will be made.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> this.storageT.updateSl(msg.sender, _pairIndex, _index, _newSl)

    • What is controllable? msg.sender, _pairIndex, _index, and _newSl.

    • If the return value is controllable, how is it used and how can it go wrong? Updates the SL for the order — no return value.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> this.storageT.handleDevGovFees(t.trader, t.pairIndex, levPosUSDC / 2, False, True, t.buy)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? This call handles fees based on trade parameters, and controlling it directly is not feasible.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> this.storageT.updateTrade(t)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? Updates the trade — no return value.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> aggregator.getPrice(_pairIndex, OrderType.UPDATE_SL)

    • What is controllable? _pairIndex.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the orderId of the current order.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> aggregator.storePendingSlOrder(orderId, PendingSl(msg.sender, _pairIndex, _index, t.openPrice, t.buy, _newSl))

    • What is controllable? msg.sender, _pairIndex, _index, and _newSl.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._updateSl(_pairIndex, _index, _newSl, priceUpdateData) -> aggregator.fulfill{value: msg.value}

    • What is controllable? msg.value.

    • If the return value is controllable, how is it used and how can it go wrong? Fulfills the update margin order — no return value.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

Zellic © 2025