Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Cove>Threat Model>mint
GeneralOverview
Findings
Critical (2)
High (3)
Medium (2)
Low (1)
Informational (1)
DiscussionTransparent intent of redeemal might lead to unintended consequencesShares can round down to zeroWeights can pass uncheckedDenial-of-service risk where attackers can disrupt rebalance process with BasketManagerUtils.completeRebalance() functionality
Threat ModelWhat are threat models?AnchoredOracle.solAssetRegistry.solBasketManagerUtils.sol
BasketToken.solcancelDepositRequestcancelRedeemRequestclaimFallbackSharesclaimFallbackSharesdepositdepositfallbackRedeemTriggerfulfillDepositfulfillRedeemmintmintprepareForRebalanceproRataRedeemredeemrequestDepositrequestRedeemsetBitFlagsetOperatorwithdraw
CoWSwapAdapter.solCoWSwapClone.solFeeCollector.solManagedWeightStrategy.sol
Audit ResultsAssessment Results

Function: mint(uint256 shares, address receiver, address controller)

This function transfers a user's shares owed for a previously fulfilled deposit request.

Inputs

  • shares

    • Control: Fully controlled by the caller.

    • Constraints: This must match _maxMint(fulfilledShares, depositAssets, depositRequest.totalDepositAssets).

    • Impact: The amount of shares to receive.

  • receiver

    • Control: Fully controlled by the caller.

    • Constraints: None at this level.

    • Impact: The address to receive the shares.

  • controller

    • Control: Fully controlled by the caller.

    • Constraints: The caller must be the controller or an operator of the controller.

    • Impact: The address of the controller of the deposit request.

Branches and code coverage

Intended branches

  • Set depositRequest.depositAssets[controller] to zero.

  • Transfer shares to receiver.

Negative behavior

  • Revert if the caller is not the controller or an operator of the controller.

  • Revert if shares does not match _maxMint(fulfilledShares, depositAssets, depositRequest.totalDepositAssets).

Function call analysis

  • this._claimDeposit(depositRequest, assets, shares, receiver, controller) -> this._transfer(address(this), receiver, shares) -> this._update(from, to, value) -> ERC20PluginsUpgradeable._update -> ERC20PluginsUpgradeable._updateBalances(address plugin, address from, address to, uint256 amount)

    • What is controllable? shares, receiver, and controller.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? It can reenter the contract while updating balances calling receiver's plug-ins, but this function follows the checks-effects-interactions pattern.

Zellic © 2025Back to top ↑