Assessment reportsPublic findings
Back to Zellic site
Assessment reports>GTE>Threat Model>sell
GeneralOverview
Findings
Critical (2)
Medium (1)
Low (2)
Informational (1)
DiscussionThe executeRoute does not revert on unsupported function selector
Threat ModelWhat are threat models?
Launchpad.solbuylaunchsell
MegaRouterFacet.sol
Audit ResultsAssessment Results

Function: sell(address token, address recipient, uint256 amountInBase, uint256 worstAmountOutQuote)

This function allows selling the previously bought LaunchToken tokens but only during the bonding-curve sale phase.

Inputs

  • token

    • Control: Full control.

    • Constraints: The status active of this token should be true, and launches should contain the token info.

    • Impact: The address of the LaunchToken to be sold.

  • recipient

    • Control: Full control.

    • Constraints: No constraints.

    • Impact: The address of the recipient of USDC.

  • amountInBase

    • Control: Full control.

    • Constraints: The caller should own at least amountInBase tokens.

    • Impact: The desired amount of LaunchToken to be sold.

  • worstAmountOutQuote

    • Control: Full control.

    • Constraints: No constraints.

    • Impact: The minimum amount of USDC to be received as result of selling LaunchToken.

Branches and code coverage

Intended branches

  • Tokens have been sold successfully.

Negative behavior

  • The caller owns fewer LaunchToken tokens than amountInBase.

  • The token status is not active, because it doesn't exists

  • The token status is not active, because liquidity was transferred to the Uniswap pool.

  • worstAmountInQuote is greater than amountInQuote.

Function call analysis

  • data.bondingCurve.getAverageCostInY(token, this.baseToX(data.baseSoldFromCurve), this.baseToX(nextAmountSold))

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? The returned amountOutQuote can be less or more than expected. If amountOutQuote is less than expected, the user can sell tokens cheaper than expected but not less than worstAmountInQuote; otherwise, the resulting amount can be more than expected, so the user will sell tokens at an inflated price.

    • What happens if it reverts, reenters or does other unusual control flow? There are no problems here.

  • SafeTransferLib.safeTransferFrom(token, msg.sender, address(this), amountInBase)

    • What is controllable? amountInBase.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value here.

    • What happens if it reverts, reenters or does other unusual control flow? There are no problems here.

  • SafeTransferLib.safeTransfer(address(this.quoteAsset), recipient, amountOutQuote)

    • What is controllable? recipient.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value here.

    • What happens if it reverts, reenters or does other unusual control flow? There are no problems here.

Zellic © 2025Back to top ↑