Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Nukem Loans>Threat Model>_deposit
GeneralOverview
Findings
Critical (3)
High (3)
Medium (2)
Low (1)
DiscussionInitializer called in constructorBorrowing on behalf of the Market contractPotential storage-collision issueSaferERC20 additional checksEIP-712 implementationMarket setters should only be called onceUtilizing eth-brownie for testingCentralizationAMM oracle pricing
Threat ModelWhat are threat models?AbstractSwapper.solAuctions.solCollateral.solCredit.sol
Debt.sol_deposit_withdrawerasetotalSupply
EIP712.solERC20Base.solERC20Permit.solEnFi4626.solLendingStrategy.solMarket.solProxyManager.solRoles.solSaferERC20.solUniswapV2Swapper.sol
Audit ResultsSummary

Function: _deposit(uint256 assets, address receiver)

This pays off debt.

Inputs

  • assets

    • Control: Full.

    • Constraints: None.

    • Impact: Amount of assets.

  • receiver

    • Control: Full.

    • Constraints: None.

    • Impact: Whose debt to payoff.

Branches and code coverage (including function calls)

Intended branches

  • Debt is paid off.

  • User can borrow again.

Negative behavior

  • Zero check.

Function call analysis

  • _deposit -> asset.safeTransferFromWithAmount(msg.sender, credit, assets)

    • What is controllable? assets (checks).

    • If return value controllable, how is it used and how can it go wrong? Amount transferred.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑