Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Cove>Threat Model>fulfillRedeem
GeneralOverview
Findings
Critical (2)
High (3)
Medium (2)
Low (1)
Informational (1)
DiscussionTransparent intent of redeemal might lead to unintended consequencesShares can round down to zeroWeights can pass uncheckedDenial-of-service risk where attackers can disrupt rebalance process with BasketManagerUtils.completeRebalance() functionality
Threat ModelWhat are threat models?AnchoredOracle.solAssetRegistry.solBasketManagerUtils.sol
BasketToken.solcancelDepositRequestcancelRedeemRequestclaimFallbackSharesclaimFallbackSharesdepositdepositfallbackRedeemTriggerfulfillDepositfulfillRedeemmintmintprepareForRebalanceproRataRedeemredeemrequestDepositrequestRedeemsetBitFlagsetOperatorwithdraw
CoWSwapAdapter.solCoWSwapClone.solFeeCollector.solManagedWeightStrategy.sol
Audit ResultsAssessment Results

Function: fulfillRedeem(uint256 assets)

This function allows the basket manager to fulfill all pending redeem requests for the current request. The shares in this contract are burned, and the assets are transferred to the basket manager.

Inputs

  • assets

    • Control: Fully controlled by the basket manager.

    • Constraints: Nonzero.

    • Impact: The amount of assets the current redemption will be fulfilled with.

Branches and code coverage

Intended branches

  • Set fulfilledAssets of the current request to assets.

  • Burn sharesPendingRedemption shares from the basket.

  • Transfer assets to the basket manager.

Negative behavior

  • Revert if the caller is not the basket manager.

  • Revert if sharesPendingRedemption is zero.

  • Revert if assets is zero.

  • Revert if the current request has already been fulfilled.

Function call analysis

  • this._burn(address(this), sharesPendingRedemption) -> this._update(account, address(0), value) -> ERC20PluginsUpgradeable._update -> ERC20PluginsUpgradeable._updateBalances(address plugin, address from, address to, uint256 amount)

    • What is controllable? sharesPendingRedemption.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • SafeERC20.safeTransferFrom(IERC20(this.asset()), msg.sender, address(this), assets)

    • What is controllable? Can increase assets by redeeming more shares.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑