Assessment reports>Avantis>Threat Model>forceUnlock

Function: forceUnlock(uint256 _tokenId)

This force unlocks a token if its lock time has passed — to be called by keepers.

Inputs

  • _tokenId

    • Control: Fully controlled by caller.

    • Constraints: lockTimeByTokenId[_tokenId] should be less than block.timestamp, and tokensByTokenId[_tokenId] should be greater than zero.

    • Impact: The ID of the token to unlock.

Branches and code coverage

Intended branches

  • The function internally calls _claimRewards, which updates the rewards and transfers rewards to the owner of tokenId.

  • The function burns the token with id = tokenId.

  • The shares are transferred back to the owner of the tokenId.

Negative behavior

  • Revert if lockTimeByTokenId[_tokenId] > block.timestamp.

  • Revert if tokensByTokenId[_tokenId] = 0.

Function call analysis

  • this._claimRewards(_tokenId) -> SafeERC20.safeTransfer(IERC20(this.tranche.asset()), this._ownerOf(tokenId), this.rewardsByTokenId[tokenId])

    • What is controllable? this._ownerOf(_tokenId) and this.rewardsByTokenId[_tokenId].

    • If the return value is controllable, how is it used and how can it go wrong? The reward amount is transferred to the owner of the token; an incorrect owner may result in incorrect reward transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this._claimRewards(_tokenId) -> this.tranche.asset()

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • this.tranche.transfer(this._ownerOf(_tokenId), this.tokensByTokenId[_tokenId])

    • What is controllable? this._ownerOf(_tokenId) and this.tokensByTokenId[_tokenId].

    • If the return value is controllable, how is it used and how can it go wrong? The remaining unlocked tokens are transferred to the owner; incorrect values may lead to incorrect token transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

Zellic © 2025Back to top ↑