Zellic - Audit Reports

Component: ICS20Transfer

Function: `sendtransfer`

This function initiates an ICS20 transfer.

Inputs

msg_
- Control: Arbitrary.
- Constraints: msg_.amount > 0.
- Impact: The msg_ contains the transfer parameters.

Branches and code coverage

Intended branches

It gets the escrow if it already exists for said token — otherwise, it deploys a new beacon escrow.

It calls the escrow's callback.

If the token is native, it generates a new denom.

If token is returning back to origin, it burns escrow tokens.

Function call analysis

_transferfrom(_msgsender(), address(escrow), msg_.denom, msg_.amount)
- what is controllable? msg_.denom and msg_.amount.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.
escrow.recvcallback(msg_.denom, _msgsender(), msg_.amount)
- what is controllable? msg_.denom and msg_.amount.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.

Function: `OnRecvPacket`

This is a recv callback, executed when receiving an ICS20 IBC packet.

Inputs

msg_
- Control: Arbitrary.
- Constraints: Several constraints ensuring valid packet details such as versioning and port — also, packet amount > 0.
- Impact: The received IBC ICS20 message.

Branches and code coverage

Intended branches

If the packet is a forwarded IBC token, it removes the prefix.

If the packet is a native-forwarded IBC token, it removes the prefix and sends back native tokens.

If token is returning back to origin, it burns escrow tokens.

If receiving a new token, it generates a new IBC-ERC-20 and mints relevant tokens.

Function call analysis

IBCERC20(erc20Address).mint(address(escrow), packetData.amount)
- what is controllable? packetData.amount.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.
_getOrCreateIBCERC20(newDenom, address(escrow))
- what is controllable? Nothing.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.

Function: `onAckPacket`

This is a packet-acknowledgment callback, refunding tokens back to the sender and minting the tokens if they were burned from the escrow.

Inputs

msg_
- Control: Arbitrary.
- Constraints: None.
- Impact: Contains the parameters required for the acknowledgement.

Branches and code coverage

Intended branches

It refunds tokens and mints if tokens that were sent back were burned instead of escrowed.

Function call analysis

IBCERC20(erc20Address).mint(address(escrow), packetData.amount)
- what is controllable? Nothing.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.
escrow.send(IERC20(erc20Address), refundee, packetData.amount)
- what is controllable? packetData.amount, granted the relevant packet was sent initially.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.

Function: `onTimeoutPacket`

This is a time-out--acknowledgment callback, refunding tokens back to the sender and minting the tokens if they were burned from the escrow.

Inputs

msg_
- Control: Arbitrary.
- Constraints: None.
- Impact: Contains the parameters required for the timeout call.

Branches and code coverage

Intended branches

It refunds tokens and mints if tokens that were sent back were burned instead of escrowed.

Function call analysis

IBCERC20(erc20Address).mint(address(escrow), packetData.amount)
- what is controllable? Nothing.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.
escrow.send(IERC20(erc20Address), refundee, packetData.amount)
- what is controllable? packetData.amount, granted the relevant packet was sent initially.
- If the return value is controllable, how is it used and how can it go wrong? N/A.
- what happens if it reverts, reenters, or does other unusual control flow? N/A.

Component: ICS20Transfer

Function: sendtransfer

Inputs

Branches and code coverage

Function call analysis

Function: OnRecvPacket

Inputs

Branches and code coverage

Function call analysis

Function: onAckPacket

Inputs

Branches and code coverage

Function call analysis

Function: onTimeoutPacket

Inputs

Branches and code coverage

Function call analysis

Function: `sendtransfer`

Function: `OnRecvPacket`

Function: `onAckPacket`

Function: `onTimeoutPacket`