Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>GTE>Threat Model>clobDeposit
GeneralOverview
Findings
Critical (1)
High (1)
Medium (1)
Low (2)
Informational (1)
DiscussionThe executeRoute does not revert on unsupported function selector
Threat ModelWhat are threat models?Launchpad.sol
MegaRouterFacet.solclobCancelclobDepositclobPostLimitOrderclobWithdrawexecuteRoute
Audit ResultsAssessment Results

Function: clobDeposit(address token, uint256 amount, bool fromRouter)

This function allows depositing the specified amount of token to the CLOBManager contract.

Inputs

  • token

    • Control: Full control.

    • Constraints: CLOBManager allows depositing arbitrary tokens.

    • Impact: The address of the token will be deposited to the CLOBManager contract.

  • amount

    • Control: Full control.

    • Constraints: The caller should own enough tokens to transfer them to the CLOBManager contract.

    • Impact: The amount of token to be transferred to the CLOBManager contract.

  • fromRouter

    • Control: Full control.

    • Constraints: N/A.

    • Impact: If fromRouter is true, then the tokens are transferred to this contract, and approval is granted to the CLOBManager contract to use these tokens. Otherwise, tokens will be transferred from the caller account.

Branches and code coverage

Intended branches

  • Tokens are successfully deposited when fromRouter is true.

  • Tokens are successfully deposited when fromRouter is false.

Negative behavior

  • The amount exceeds the caller’s balance of the token.

Function call analysis

  • SafeTransferLib.safeTransferFrom(token, msg.sender, address(this), amount)

    • What is controllable? token and amount.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value here.

    • What happens if it reverts, reenters or does other unusual control flow? There are no problems here.

  • SafeTransferLib.safeApprove(token, address(this.clobFactory), amount)

    • What is controllable? token and amount.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value here.

    • What happens if it reverts, reenters or does other unusual control flow? There are no problems here.

  • this.clobFactory.deposit(msg.sender, token, amount, fromRouter)

    • What is controllable? token, amount, and fromRouter.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value here.

    • What happens if it reverts, reenters or does other unusual control flow? There are no problems here.

Zellic © 2025Back to top ↑