Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Maia DAO Ulysses Protocol>Threat Model>redeemDeposit
GeneralOverview
Findings
Low (2)
DiscussionInsufficient verification in CoreRootRouterEnhanced validation in two functionsInaccurate status updateTest suite
Threat ModelWhat are threat models?
BranchBridgeAgent.solcallOutSignedcallOutSignedAndBridgeredeemDepositredeemDepositretrieveDepositretrySettlement
BranchPort.solRootBridgeAgent.solRootPort.solVirtualAccount.sol
Audit ResultsSummary

Function: redeemDeposit(uint32 _depositNonce, address _recipient, address _localTokenAddress)

The function allows for the partial redemption of deposits, specifically for hTokens that are equivalent to the _localTokenAddress provided by the caller. To facilitate this, several conditions must be met: the deposit corresponding to the _depositNonce must exist, the caller must be the owner of the deposit, and the retrieveDeposit function must be executed and successfully delivered to the Root chain, executed there, and responded back to this chain to change the deposit's status to STATUS_FAILED. After successfully transferring tokens to the _recipient, the deposit information for these tokens will be removed. However, the complete deposit data will only be deleted from storage after the full redemption of all tokens. Therefore, it will be possible to call this function again if deposit.tokens.length is not zero.

Inputs

  • _depositNonce

    • Control: The caller controls the _depositNonce.

    • Constraints: The caller must be the owner of the deposit object related to this _depositNonce.

    • Impact: Determines which deposit object is being accessed for redemption.

  • _recipient

    • Control: Full control.

    • Constraints: N/A.

    • Impact: The address of the receiver of the deposited tokens.

  • _localTokenAddress

    • Control: Full control.

    • Constraints: The caller must have the same hToken in the deposit object as _localTokenAddress to perform redemption.

    • Impact: The deposit will be partially redeemed only for the corresponding _localTokenAddress.

Branches and code coverage

No tests have been implemented for this function.

Function call analysis

  • this._clearToken(_recipient, deposit.hTokens[i], deposit.tokens[i], deposit.amounts[i], deposit.deposits[i]) -> IBranchPort(this.localPortAddress).bridgeIn(_recipient, _hToken, _amount - _deposit)

    • What is controllable? The _recipient is under the caller's control, while the rest of the data is sourced from an existing deposit owned by the caller.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value.

    • What happens if it reverts, reenters or does other unusual control flow? The function will revert if the BranchPort fails to mint _hToken tokens.

  • this._clearToken(_recipient, deposit.hTokens[i], deposit.tokens[i], deposit.amounts[i], deposit.deposits[i]) -> IBranchPort(this.localPortAddress).withdraw(_recipient, _token, _deposit)

    • What is controllable? The _recipient is under the caller's control, while the rest of the data is sourced from an existing deposit owned by the caller.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value.

    • What happens if it reverts, reenters or does other unusual control flow? The function will revert if the BranchPort does not have a sufficient amount of the underlying _token.

Zellic © 2024Back to top ↑