Assessment reports>Cove>Threat Model>requestDeposit

Function: requestDeposit(uint256 assets, address controller, address owner)

This function allows a user to request a deposit of assets to the basket. The assets are immediately transferred to this contract.

Inputs

  • assets

    • Control: Fully controlled by the caller.

    • Constraints: Nonzero.

    • Impact: The amount of assets to deposit.

  • controller

    • Control: Fully controlled by the caller.

    • Constraints: The controller must not have the last pending and claimable deposit request.

    • Impact: The address of the controller of the deposit request being created.

  • owner

    • Control: Fully controlled by the caller.

    • Constraints: None at this level.

    • Impact: The address of the owner of the assets being deposited.

Branches and code coverage

Intended branches

  • Check AssetRegistry(assetRegistry).hasPausedAssets(bitFlag).

  • Update depositRequest and lastDepositRequestId mappings.

  • Transfer owner's assets to this contract.

Negative behavior

  • Revert if assets is zero.

  • Revert if controller has the last pending deposit request.

  • Revert if controller has the last claimable deposit request.

  • Revert if any of the assets in the bitFlag are paused.

Function call analysis

  • AssetRegistry(this.assetRegistry).hasPausedAssets(this.bitFlag)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? A user can request a deposit of paused assets.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • SafeERC20.safeTransferFrom(IERC20(this.asset()), owner, address(this), assets)

    • What is controllable? owner and assets.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑