Function: proRataRedeem(uint256 shares, address to, address from)

This function enables the caller to immediately redeem shares for all assets associated with this basket. This is a synchronous operation and does not require the rebalance process to be completed.

Inputs

  • shares

    • Control: Fully controlled by the caller.

    • Constraints: None at this level.

    • Impact: The amount of shares to redeem.

  • to

    • Control: Fully controlled by the caller.

    • Constraints: None at this level.

    • Impact: The address to which the redeemed assets are sent.

  • from

    • Control: Fully controlled by the caller.

    • Constraints: If from is not the caller, the caller must be approved by from.

    • Impact: The address to redeem shares from.

Branches and code coverage

Intended branches

  • Call _harvestManagementFee with feeBps and feeCollector.

  • Call _spendAllowance with from as owner and msg.sender as spender.

  • Burn shares from the basket.

  • Call proRataRedeem with shares and to as arguments.

Function call analysis

  • BasketManager(this.basketManager).managementFee(address(this))

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • BasketManager(this.basketManager).feeCollector()

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._harvestManagementFee(feeBps, feeCollector) -> this._mint(feeCollector, fee) -> this._update(address(0), account, value) -> ERC20PluginsUpgradeable._update -> ERC20PluginsUpgradeable._updateBalances(address plugin, address from, address to, uint256 amount)

    • What is controllable? feeCollector and fee are controllable by the basket manager.

    • If the return value is controllable, how is it used and how can it go wrong? feeBps and feeCollector are controllable by the basket manager.

    • What happens if it reverts, reenters or does other unusual control flow? It can reenter the contract while updating balances, because the owner's plugins are called before claimable fees are updated in FeeCollector, but ERC20PluginsUpgradeable._update has a reentrancy guard.

  • this._harvestManagementFee(feeBps, feeCollector) -> FeeCollector(feeCollector).notifyHarvestFee(fee)

    • What is controllable? feeBps and feeCollector are controllable by the basket manager.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • _burn(from, shares) -> this._update(account, address(0), value) -> ERC20PluginsUpgradeable._update -> ERC20PluginsUpgradeable._updateBalances(address plugin, address from, address to, uint256 amount)

    • What is controllable? from and shares.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? It can reenter the contract while updating balances, because from's plugins are called before proRataRedeem, which decreases asset balances. This can be used to manipulate the price of this LP token.

  • BasketManager(this.basketManager).proRataRedeem(totalSupplyBefore, shares, to)

    • What is controllable? totalSupplyBefore, shares, and to. totalSupplyBefore can be partially controllable by depositing or redeeming huge shares.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.
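
The ordering described for the _burn call above, as a simplified Python model added here for illustration (not Cove's or Zellic's code). BasketModel, plugin_hook, guard_views and the single pooled asset balance are assumptions; the model shows the price a plugin callback reads between the burn and the asset decrease, and the same read rejected when price views check a lock.

```python
# Simplified model of the call order: burn -> plugin callback -> asset decrease.
# All names and numbers are constructed for illustration; this is not contract code.
class ReentrantRead(Exception):
    pass

class BasketModel:
    def __init__(self, total_supply, assets, guard_views):
        self.total_supply = total_supply
        self.assets = assets            # one pooled asset balance (assumption)
        self.guard_views = guard_views  # hypothetical hardening switch
        self._locked = False

    def price_per_share(self):
        # The value an integrator pricing this LP token would read.
        if self.guard_views and self._locked:
            raise ReentrantRead("state is mid-redeem")
        return self.assets / self.total_supply

    def pro_rata_redeem(self, shares, plugin_hook):
        self._locked = True
        try:
            supply_before = self.total_supply
            self.total_supply -= shares   # _burn -> _update
            plugin_hook(self)             # from's plugin runs external code here
            # BasketManager.proRataRedeem(totalSupplyBefore, shares, to)
            self.assets -= self.assets * shares // supply_before
        finally:
            self._locked = False

def observe(guard_views):
    """Record the share price before, during and after one redeem."""
    basket = BasketModel(total_supply=1000, assets=1000, guard_views=guard_views)
    seen = {}

    def hook(b):
        try:
            seen["during"] = b.price_per_share()
        except ReentrantRead:
            seen["during"] = None  # guarded view refuses to report mid-redeem state

    seen["before"] = basket.price_per_share()
    basket.pro_rata_redeem(500, hook)
    seen["after"] = basket.price_per_share()
    return seen

if __name__ == "__main__":
    print("unguarded:", observe(False))
    print("guarded:  ", observe(True))
```

In the unguarded run the callback sees supply already reduced while assets are unchanged, so the price reads double its true value; before and after the call it is identical.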

Zellic © 2025