Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Maia DAO Ulysses Protocol>Threat Model>redeemSettlement
GeneralOverview
Findings
Low (2)
DiscussionInsufficient verification in CoreRootRouterEnhanced validation in two functionsInaccurate status updateTest suite
Threat ModelWhat are threat models?BranchBridgeAgent.solBranchPort.sol
RootBridgeAgent.solforceResumeReceiveredeemSettlementretrieveSettlement
RootPort.solVirtualAccount.sol
Audit ResultsSummary

Function: redeemSettlement(uint32 _settlementNonce, address _recipient)

This function allows the caller to redeem the assets associated with the settlement. The function ensures that the caller is authorized to redeem this settlement. It transfers each global token associated with this settlement to the specified recipient. After the redemption process is complete, the settlement is deleted from storage.

Inputs

  • _settlementNonce

    • Control: Fully controlled by the caller.

    • Constraints: The function requires that the settlement corresponding to this nonce exists and is in a state that allows redemption.

    • Impact: Specifies the particular settlement to be redeemed.

  • _recipient

    • Control: Fully controlled by the caller.

    • Constraints: There are no constraints.

    • Impact: The function will transfer the redeemed assets to this address.

Branches and code coverage

Intended branches

  • Check that the settlement was deleted.

  • Check that the assets have been successfully transferred to the receiver if _dstChainId != localChainId.

  • Check that the assets have been successfully transferred to the receiver if _dstChainId == localChainId.

Negative behavior

  • The status of the settlement is not STATUS_FAILED.

  • The caller is not the owner of the settlement.

Function call analysis

  • IRootPort(this.rootPortAddress).bridgeToRoot(_recipient, IRootPort(this.rootPortAddress).getGlobalTokenFromLocal(_hToken, _dstChainId), settlement.amounts[i], settlement.deposits[i], _dstChainId)

    • What is controllable? The caller controls only the _recipient address.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value.

    • What happens if it reverts, reenters or does other unusual control flow? The function will revert if deposit is more than amount — also if the RootPort contract fails to mint tokens and if the RootPort contract has an insufficient amount of tokens to transfer to the _recipient account.

  • IRootPort(this.rootPortAddress).getGlobalTokenFromLocal(_hToken, _dstChainId)

    • What is controllable? The caller does not control the parameters directly.

    • If the return value is controllable, how is it used and how can it go wrong? The function returns the address of the token in this chain associated with _hToken in srcChain. The caller does not control this association.

    • What happens if it reverts, reenters or does other unusual control flow? If getGlobalToken was not set for this _hToken, the function will return the zero address.

Zellic © 2024Back to top ↑