Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Avantis>Threat Model>forceUnlock
GeneralOverview
Findings
Critical (6)
High (9)
Medium (6)
Low (10)
Informational (7)
DiscussionReferral code incentives are misalignedVeTranche NFT info should be structNo way to remove user from Trading whitelistPyth price can become negative or erraticTranche has unnecessary `ReentrancyGuard`Checks-effects-interactions pattern brokenTypos
Threat ModelWhat are threat models?Execute.solReferral.solTrading.solTradingStorage.solTranche.solVaultManager.sol
VeTranche.solclaimRewardsforceUnlocklockunlock
Audit ResultsSummary

Function: forceUnlock(uint256 _tokenId)

This force unlocks a token if its lock time has passed — to be called by keepers.

Inputs

  • _tokenId

    • Control: Fully controlled by caller.

    • Constraints: lockTimeByTokenId[_tokenId] should be less than block.timestamp, and tokensByTokenId[_tokenId] should be greater than zero.

    • Impact: The ID of the token to unlock.

Branches and code coverage

Intended branches

  • The function internally calls _claimRewards, which updates the rewards and transfers rewards to the owner of tokenId.

  • The function burns the token with id = tokenId.

  • The shares are transferred back to the owner of the tokenId.

Negative behavior

  • Revert if lockTimeByTokenId[_tokenId] > block.timestamp.

  • Revert if tokensByTokenId[_tokenId] = 0.

Function call analysis

  • this._claimRewards(_tokenId) -> SafeERC20.safeTransfer(IERC20(this.tranche.asset()), this._ownerOf(tokenId), this.rewardsByTokenId[tokenId])

    • What is controllable? this._ownerOf(_tokenId) and this.rewardsByTokenId[_tokenId].

    • If the return value is controllable, how is it used and how can it go wrong? The reward amount is transferred to the owner of the token; an incorrect owner may result in incorrect reward transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._claimRewards(_tokenId) -> this.tranche.asset()

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • this.tranche.transfer(this._ownerOf(_tokenId), this.tokensByTokenId[_tokenId])

    • What is controllable? this._ownerOf(_tokenId) and this.tokensByTokenId[_tokenId].

    • If the return value is controllable, how is it used and how can it go wrong? The remaining unlocked tokens are transferred to the owner; incorrect values may lead to incorrect token transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

Zellic © 2025Back to top ↑