Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Bond Protocol>Threat Models>claimFees
GeneralOverview
Findings
Medium (2)
Low (1)
Informational (3)
DiscussionRedundant safeTransfer callAssure token is activeRemove unchecked blockDouble-counted auctioneer
Threat ModelsWhat are threat models?BondAggregator.solBondBaseCallback.solBondBaseSDA.sol
BondBaseTeller.solsetReferrerFeesetProtocolFeeclaimFeespurchase_handleTransfers
BondFixedExpirySDA.solBondFixedExpiryTeller.solBondFixedTermSDA.solBondFixedTermTeller.sol
Audit ResultsResults

claimFees(ERC20[] memory tokens_, address to_) external

  1. Intended behavior.

    • This feature allows any user to withdraw their rewards.

  2. Negative behavior.

    • Shouldn’t allow to withdraw someone else's tokens, only the assigned for caller amount of tokens.

    • Should reject if there is not enough token amount for withdraw.

    • Shouldn’t call safeTransfer function if send value is zero. There isn’t this kind of check here. should not reject the transaction but move on to the next token.

    • Shouldn’t be able to transfer an arbitrary amount of tokens. This is properly checked since it queries for the rewards[user] when checking the amount.

  3. Preconditions.

    • caller should have unspent reward for corresponding token address

    • Assumes that there isn’t a way to double count the same reward token for a user

  4. Postconditions.

    • The value of the assigned for caller amount of tokens should be reseted to zero. Also it should be done before safeTransfer call.

    • The caller receives no more tokens than they are supposed to.

    • The user's balance increased for each token by the amount they were supposed to receive.

    • The contract balance decreased for each token by the amount they previously sent to the user.

  5. Inputs.

    • ERC20[] memory tokens_: controlled

    • address to_: controlled

  6. Examine all function calls the function makes.

    a. Call to token.safeTransfer(to_, send);

    • What is controllable? (callee, params, return value): token - controlled, to_ - controlled

    • If return value controllable, how is it used and how can it go wrong? there is no return value

    • What happens if it reverts or tries to reenter?: will be reverted if the contract doesn’t have enough tokens

Zellic © 2024Back to top ↑