Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Cove>Discussion>Transparent intent of redeemal might lead to unintended consequences
GeneralOverview
Findings
Critical (2)
High (3)
Medium (2)
Low (1)
Informational (1)
DiscussionTransparent intent of redeemal might lead to unintended consequencesShares can round down to zeroWeights can pass uncheckedDenial-of-service risk where attackers can disrupt rebalance process with BasketManagerUtils.completeRebalance() functionality
Threat ModelWhat are threat models?AnchoredOracle.solAssetRegistry.solBasketManagerUtils.solBasketToken.solCoWSwapAdapter.solCoWSwapClone.solFeeCollector.solManagedWeightStrategy.sol
Audit ResultsAssessment Results

Transparent intent of redeemal might lead to unintended consequences

We have analyzed the design concerning the transparent intent of the "redemption" of shares during the rebalancing procedure, which implicitly requires swapping the basket tokens into base tokens.

It is evident that anyone can assume the Manager will eventually need to rebalance some of the baskets. When low-liquidity tokens are involved, the likelihood of potential issues increases. In such scenarios, for the rebalancing to occur, the Manager is either

  • forced to accept a lower price than desirable for the base asset, or

  • forced to wait for a satisfactory price.

In either case, it makes little sense for a malicious party to propose selling at an acceptable price for the baskets. Because baskets are designed to ensure that rebalancing occurs, a malicious party would have incentives to force a peer-to-peer exchange through CoW Swap that is acceptable enough for the baskets but leaves room for profit (assuming they can outbid private market makers and other DEXes that CoW Swap deals with).

Additionally, we have identified the following potential attack vector:

  1. A malicious user monitors the proposeRebalance call.

  2. The malicious user creates a honeypot peer-to-peer order at an attractive price so that the CoW Swap quote returns a higher minAmount, which the basket manager uses as a reference.

  3. The basket manager calls executeTokenSwap and submits the order to the CoW Swap API off chain.

  4. The malicious user times their action to cancel the order just in time so that it does not go through, forcing CoW Swap to attempt to fill the order with an out-of-bounds minAmount (i.e., outside what the honeypot proposed).

  5. The swap is delayed temporarily, and the funds in the clone cannot be claimed back, thereby causing a temporary denial of service of the rebalancing.

Although this scenario is highly unlikely and involves some degree of risk for the malicious user, it is important to consider its implications.

We note that the Cove Finance team has stated that the attack vectors are feasible; however, they do not consider using low-liquidity tokens in the baskets. We leave this section for potential future consideration.

Zellic © 2025Back to top ↑