
Function: pullFromAccount(address account, address token, uint256 amount)

This function allows a trusted market contract, created by the contract owner through the createMarket function, to transfer tokens from the account.

Inputs

  • account

    • Control: Full control.

    • Constraints: N/A.

    • Impact: The account address from which tokens will be transferred to this contract.

  • token

    • Control: Full control.

    • Constraints: The balance of the account and allowance should be sufficient.

    • Impact: The address of the token that will be transferred to this contract.

  • amount

    • Control: Full control.

    • Constraints: The balance of the account and allowance should be sufficient.

    • Impact: The amount of tokens that will be transferred to this contract.

Branches and code coverage

Intended branches

  • Tokens have been successfully transferred.

Negative behavior

  • The caller is not a trusted market.

  • The allowance is not enough.

  • The account balance is not enough.

Function call analysis

  • SafeTransferLib.safeTransferFrom(token, account, address(this), amount)

    • What is controllable? token, account, and amount.

    • If the return value is controllable, how is it used and how can it go wrong? This function does not return a value.

    • What happens if it reverts, reenters or does other unusual control flow? Transfers amount of tokens from the account to this contract.
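
The intended and negative branches listed above, written as a Foundry test. This is an added example, not code from the audited project or the report: `Vault`, `MockToken`, the `isMarket` mapping, the revert strings, and a `createMarket` that simply registers an address are assumptions, and a checked `transferFrom` stands in for `SafeTransferLib.safeTransferFrom`.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed minimal token (not the project's); checked arithmetic reverts on a shortfall.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 a) external { balanceOf[to] += a; }
    function approve(address s, uint256 a) external returns (bool) { allowance[msg.sender][s] = a; return true; }
    function transferFrom(address from, address to, uint256 a) external returns (bool) {
        allowance[from][msg.sender] -= a; // reverts when the allowance is not enough
        balanceOf[from] -= a;             // reverts when the account balance is not enough
        balanceOf[to] += a; return true;
    }
}

// Hypothetical stand-in for the reviewed contract: only the caller check and the pull are
// modeled, and createMarket just registers an existing address as a trusted market.
contract Vault {
    address public owner = msg.sender;
    mapping(address => bool) public isMarket;
    function createMarket(address m) external { require(msg.sender == owner, "not owner"); isMarket[m] = true; }
    function pullFromAccount(address account, address token, uint256 amount) external {
        require(isMarket[msg.sender], "not market");
        // Checked transferFrom used in place of SafeTransferLib.safeTransferFrom.
        require(MockToken(token).transferFrom(account, address(this), amount), "transfer failed");
    }
}

contract PullFromAccountTest is Test {
    MockToken token; Vault vault;
    address market = address(0xA11CE); address user = address(0xB0B);
    function setUp() public {
        token = new MockToken(); vault = new Vault();
        vault.createMarket(market); token.mint(user, 100);
        vm.prank(user); token.approve(address(vault), 60);
    }
    function test_trustedMarketPulls() public {
        vm.prank(market); vault.pullFromAccount(user, address(token), 60);
        assertEq(token.balanceOf(address(vault)), 60);
    }
    function test_untrustedCallerReverts() public {
        vm.expectRevert(bytes("not market"));
        vault.pullFromAccount(user, address(token), 1); // caller is the test contract, not a market
    }
    function test_insufficientAllowanceOrBalanceReverts() public {
        vm.expectRevert(); vm.prank(market); vault.pullFromAccount(user, address(token), 61);  // allowance is 60
        vm.prank(user); token.approve(address(vault), 200);
        vm.expectRevert(); vm.prank(market); vault.pullFromAccount(user, address(token), 101); // balance is 100
    }
}
```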

Zellic © 2025