Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Cove>Threat Model>requestRedeem
GeneralOverview
Findings
Critical (2)
High (3)
Medium (2)
Low (1)
Informational (1)
DiscussionTransparent intent of redeemal might lead to unintended consequencesShares can round down to zeroWeights can pass uncheckedDenial-of-service risk where attackers can disrupt rebalance process with BasketManagerUtils.completeRebalance() functionality
Threat ModelWhat are threat models?AnchoredOracle.solAssetRegistry.solBasketManagerUtils.sol
BasketToken.solcancelDepositRequestcancelRedeemRequestclaimFallbackSharesclaimFallbackSharesdepositdepositfallbackRedeemTriggerfulfillDepositfulfillRedeemmintmintprepareForRebalanceproRataRedeemredeemrequestDepositrequestRedeemsetBitFlagsetOperatorwithdraw
CoWSwapAdapter.solCoWSwapClone.solFeeCollector.solManagedWeightStrategy.sol
Audit ResultsAssessment Results

Function: requestRedeem(uint256 shares, address controller, address owner)

This function allows a user to request a redemption of shares from the basket. The shares are immediately transferred to this contract.

Inputs

  • shares

    • Control: Fully controlled by the caller.

    • Constraints: Nonzero.

    • Impact: The amount of shares to redeem.

  • controller

    • Control: Fully controlled by the caller.

    • Constraints: The controller must not have the last pending/claimable redeem request and claimable fallback shares.

    • Impact: The address of the controller of the redeem request being created.

  • owner

    • Control: Fully controlled by the caller.

    • Constraints: None at this level.

    • Impact: The address of the owner of the redeemed shares.

Branches and code coverage

Intended branches

  • Check AssetRegistry(assetRegistry).hasPausedAssets(bitFlag).

  • Call _spendAllowance(owner, msg.sender, shares) if msg.sender is not owner and owner is not an operator of msg.sender.

  • Update redeemRequest and lastRedeemRequestId mappings.

  • Transfer owner's shares to this contract.

Negative behavior

  • Revert if shares is zero.

  • Revert if controller has the last pending redeem request.

  • Revert if controller has the last claimable redeem request.

  • Revert if controller has claimable fallback shares.

  • Revert if any of the assets in the bitFlag are paused.

Function call analysis

  • AssetRegistry(this.assetRegistry).hasPausedAssets(this.bitFlag)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? A user can request a deposit for paused assets.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._transfer(owner, address(this), shares) -> this._update(from, to, value) -> ERC20PluginsUpgradeable._update -> ERC20PluginsUpgradeable._updateBalances(address plugin, address from, address to, uint256 amount)

    • What is controllable? owner and shares.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? It can reenter the contract while updating balances calling owner's plug-ins, but ERC20PluginsUpgradeable._update has a reentrancy guard.

Zellic © 2025Back to top ↑