Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Cega>Threat Models>Function: processWithdrawalQueue(address vaultAddress, uint256 maxProcessCount)
GeneralOverview
Findings
High (2)
Medium (4)
Low (1)
Informational (2)
DiscussionCentralization risksUsing non-ERC20 token standardsImpossibility of reentrancy in the queue-processing functions
Threat ModelsWhat are threat models?CegaState.sol
FCNProduct.solFunction: addOptionBarrier(address vaultAddress, OptionBarrier optionBarrier)Function: addToDepositQueue(uint256 amount, address receiver)Function: addToWithdrawalQueue(address vaultAddress, uint256 amountShares, address receiver)Function: calculateCurrentYield(address vaultAddress)Function: calculateVaultFinalPayoff(address vaultAddress)Function: checkBarriers(address vaultAddress)Function: createVault(string _tokenName, string _tokenSymbol, uint256 _vaultStart)Function: openVaultDeposits(address vaultAddress)Function: processDepositQueue(address vaultAddress, uint256 maxProcessCount)Function: processWithdrawalQueue(address vaultAddress, uint256 maxProcessCount)Function: receiveAssetsFromCegaState(address vaultAddress, uint256 amount)Function: removeOptionBarrier(address vaultAddress, uint256 index, string _asset)Function: removeVault(address vaultAddress)Function: rolloverVault(address vaultAddress)Function: setIsDepositQueueOpen(bool _isDepositQueueOpen)Function: setKnockInStatus(address vaultAddress, bool newState)Function: setManagementFeeBps(uint256 _managementFeeBps)Function: setMaxDepositAmountLimit(uint256 _maxDepositAmountLimit)Function: setTradeData(address vaultAddress, uint256 _tradeDate, uint256 _tradeExpiry, uint256 _aprBps, uint256 _tenorInDays)Function: setVaultMetadata(address vaultAddress, FCNVaultMetadata metadata)Function: setVaultStatus(address vaultAddress, VaultStatus _vaultStatus)Function: setYieldFeeBps(uint256 _yieldFeeBps)Function: updateOptionBarrierOracle(address vaultAddress, uint256 index, string _asset, string newOracleName)
Oracle.sol

Function: processWithdrawalQueue(address vaultAddress, uint256 maxProcessCount)

Processes all the queued withdrawals in the withdrawal queue.

Inputs

  • vaultAddress

    • Control: Fully controlled.

    • Constraints: Vault must have a status of FeesCollected or Zombie.

    • Impact: This vault's metadata is updated.

  • maxProcessCount

    • Control: Fully controlled.

    • Constraints: N/A.

    • Impact: Used to constrain the amount of gas used by this function.

Branches and code coverage (including function calls)

Intended branches

  • Should update relevant FCNProduct storage variables correctly.

  • Should update relevant vault metadata properties correctly.

  • Should set the vault's status to WithdrawalQueueProcessed if the entire deposit queue is processed.

  • Should set the vault's status to Zombie if the specific preconditions are met.

  • Should emit a WithdrawalQueueProcessed event.

Negative behaviour

  • Should revert if the vault's status is not set to FeesCollected or Zombie.

  • Should revert if called by a non--trader-admin role.

Function call analysis

  • vault.redeem(withdrawal.amountShares, withdrawal.receiver)

    • What is controllable? withdrawal.amountShares, withdrawal.receiver.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Denial of service on revert, as processing the withdrawal queue is crucial to the functionality of this contract. Withdrawals may be accounted for twice on reentry, and some withdrawals will not be accounted for at all in that scenario.

Zellic © 2025Back to top ↑