Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Filecoin Services Payments>Threat Model>depositWithPermitAndApproveOperator
GeneralOverview
Findings
Low (1)
Informational (2)
Threat ModelWhat are threat models?
Payments.solModule: Payments.solcreateRaildepositdepositWithPermitdepositWithPermitAndApproveOperatordepositWithPermitAndIncreaseOperatorApprovalincreaseOperatorApprovalmodifyRailLockupmodifyRailPaymentsetOperatorApprovalsettleRailsettleTerminatedRailWithoutValidationterminateRailwithdrawwithdrawTo
Audit ResultsAssessment Results

Function: depositWithPermitAndApproveOperator(address token, address to, uint256 amount, uint256 deadline, uint8 v, byte[32] r, byte[32] s, address operator, uint256 rateAllowance, uint256 lockupAllowance, uint256 maxLockupPeriod)

This function performs a permit-based deposit and simultaneously approves operator with the provided rate, lockup, and max lockup-period allowances for to.

Inputs

  • token

    • Control: Fully controlled by the caller.

    • Constraints: Must be a non-native ERC-20 supporting EIP-2612.

    • Impact: Asset to deposit and token namespace for operator approval.

  • to

    • Control: Fully controlled by the caller.

    • Constraints: Must be nonzero and equal to msg.sender (permit recipient check).

    • Impact: Account credited and permit signer.

  • amount

    • Control: Fully controlled by the caller.

    • Constraints: N/A.

    • Impact: Intended amount to deposit (credited via balance delta).

  • deadline

    • Control: Fully controlled by the caller.

    • Constraints: Must be valid per token’s permit rules.

    • Impact: Permit-validity window.

  • v

    • Control: Fully controlled by the caller.

    • Constraints: Part of a valid ECDSA signature per EIP-2612.

    • Impact: Authorizes the allowance used for transfer.

  • r

    • Control: Fully controlled by the caller.

    • Constraints: Part of a valid ECDSA signature per EIP-2612.

    • Impact: Authorizes the allowance used for transfer.

  • s

    • Control: Fully controlled by the caller.

    • Constraints: Part of a valid ECDSA signature per EIP-2612.

    • Impact: Authorizes the allowance used for transfer.

  • operator

    • Control: Fully controlled by the caller.

    • Constraints: Must be nonzero.

    • Impact: Operator to approve.

  • rateAllowance

    • Control: Fully controlled by the caller.

    • Constraints: N/A.

    • Impact: Max cumulative payment rate the operator may configure.

  • lockupAllowance

    • Control: Fully controlled by the caller.

    • Constraints: N/A.

    • Impact: Max cumulative lockup the operator may configure/use.

  • maxLockupPeriod

    • Control: Fully controlled by the caller.

    • Constraints: N/A.

    • Impact: Max lockup period (in epochs) the operator may set.

Branches and code coverage

Intended branches

  • Use EIP-2612 permit to grant allowance, perform ERC-20 transferFrom into the contract, and increase to’s internal balance by amount (credit delta).

  • Reject zero recipient / incorrect permit recipient.

  • Reject invalid/expired permit.

  • Success path (sets flags/allowances, emits OperatorApprovalUpdated).

  • Zero-operator-address revert.

Zellic © 2025Back to top ↑