Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Nukem Loans>Threat Model>borrow
GeneralOverview
Findings
Critical (3)
High (3)
Medium (2)
Low (1)
DiscussionInitializer called in constructorBorrowing on behalf of the Market contractPotential storage-collision issueSaferERC20 additional checksEIP-712 implementationMarket setters should only be called onceUtilizing eth-brownie for testingCentralizationAMM oracle pricing
Threat ModelWhat are threat models?AbstractSwapper.solAuctions.solCollateral.solCredit.solDebt.solEIP712.solERC20Base.solERC20Permit.solEnFi4626.solLendingStrategy.sol
Market.solborrowcheckSignatureleveragerecallregisterCollateralregisterCreditregisterDebtregisterVsCreditsetAuctionssetStrategysetSwappersetTreasury
ProxyManager.solRoles.solSaferERC20.solUniswapV2Swapper.sol
Audit ResultsSummary

Function: borrow(address authorizer, address market, uint256 price, uint256 deadline, uint256 amount, address receiver, address owner, uint8 v, bytes32 r, bytes32 s)

This allows borrowing with signature.

Inputs

  • authorizer

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be the owner of the contract and part of a valid signature.

    • Impact: Authorizer of the borrow.

  • market

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be the address of the contract.

    • Impact: Market address.

  • price

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be a valid price.

    • Impact: Price of the borrow.

  • deadline

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be in the future and part of a valid signature.

    • Impact: Deadline of the borrow.

  • amount

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be a valid amount --- not included in the signature.

    • Impact: Amount of the borrow.

  • receiver

    • Control: Fully controlled by the caller.

    • Constraints: None here --- not included in the signature.

    • Impact: Receiver of the borrow.

  • owner

    • Control: Fully controlled by the caller.

    • Constraints: None here --- not included in the signature.

    • Impact: Owner of the collateral used for the borrow.

  • v

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be a valid signature.

    • Impact: Signature v.

  • r

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be a valid signature.

    • Impact: Signature r.

  • s

    • Control: Fully controlled by the caller.

    • Constraints: Checked to be a valid signature.

    • Impact: Signature s.

Branches and code coverage (including function calls)

Intended branches

  • Ensure that the signature constructed from authorizer, market, price, deadline, v, r, and s is valid.

  • Ensure the authorizer is the owner of the contract.

  • Ensure that the market is the address of the contract.

  • Ensure that the deadline is in the future.

  • Validate the amount to be borrowed against the price.

  • Debt balance of the owner should be increased by the calculated amount.

  • Credit balance of the receiver should be increased by the amount borrowed.

Negative behavior

  • Signature should not be replayable. Currently it is.

  • Assumes _owner cannot be address(0).

Zellic © 2025Back to top ↑