Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Cove>Threat Model>prepareForRebalance
GeneralOverview
Findings
Critical (2)
High (3)
Medium (2)
Low (1)
Informational (1)
DiscussionTransparent intent of redeemal might lead to unintended consequencesShares can round down to zeroWeights can pass uncheckedDenial-of-service risk where attackers can disrupt rebalance process with BasketManagerUtils.completeRebalance() functionality
Threat ModelWhat are threat models?AnchoredOracle.solAssetRegistry.solBasketManagerUtils.sol
BasketToken.solcancelDepositRequestcancelRedeemRequestclaimFallbackSharesclaimFallbackSharesdepositdepositfallbackRedeemTriggerfulfillDepositfulfillRedeemmintmintprepareForRebalanceproRataRedeemredeemrequestDepositrequestRedeemsetBitFlagsetOperatorwithdraw
CoWSwapAdapter.solCoWSwapClone.solFeeCollector.solManagedWeightStrategy.sol
Audit ResultsAssessment Results

Function: prepareForRebalance(uint16 feeBps, address feeCollector)

This function advances the deposit and redeem epochs. It ensures that the previous deposit and redeem requests have been fulfilled before advancing the epochs. It also harvests the management fee.

Inputs

  • feeBps

    • Control: Controllable by the basket manager.

    • Constraints: The fee must be less than or equal to 3,000.

    • Impact: The management fee in basis points to be harvested.

  • feeCollector

    • Control: Controllable by the basket manager.

    • Constraints: None at this level.

    • Impact: The address that will receive the harvested management fee.

Branches and code coverage

Intended branches

  • Increase nextDepositRequestId by two.

  • Increase nextRedeemRequestId by two.

  • Call _harvestManagementFee(feeBps, feeCollector).

  • Update lastManagementFeeHarvestTimestamp to block.timestamp.

  • Mint fee to feeCollector.

  • Call FeeCollector(feeCollector).notifyHarvestFee(fee).

Negative behavior

  • Revert if the caller is not the basket manager.

  • Revert if previousDepositRequest.totalDepositAssets is greater than zero and previousDepositRequest.fulfilledShares is zero.

  • Revert if previousRedeemRequest.totalRedeemShares is greater than zero, previousRedeemRequest.fulfilledAssets is zero, and previousRedeemRequest.fallbackTriggered is false.

  • Revert if feeBps is greater than 3,000.

Function call analysis

  • this._harvestManagementFee(feeBps, feeCollector) -> this._mint(feeCollector, fee) -> this._update(address(0), account, value) -> ERC20PluginsUpgradeable._update

    • What is controllable? feeCollector and fee are controllable by the basket manager.

    • If the return value is controllable, how is it used and how can it go wrong? feeBps and feeCollector are controllable by the basket manager.

    • What happens if it reverts, reenters or does other unusual control flow? It can reenter the contract while updating balances calling owner's plug-ins before updating claimable fees in FeeCollector, but ERC20PluginsUpgradeable._update has a reentrancy guard.

  • this._harvestManagementFee(feeBps, feeCollector) -> FeeCollector(feeCollector).notifyHarvestFee(fee)

    • What is controllable? feeBps and feeCollector are controllable by the basket manager.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑