
Patch Review 1

This section documents notable and minor changes applied to the in-scope code from commit to commit for our review on November 5th, 2024.

Notable changes

The following were notable changes made to the codebase.

ReferralRegistry contract

The ReferralRegistry contract provided functionality to register a new referral code and add information about referralFee, beneficiary, and managers. However, since the referral-management logic has been moved off chain, this contract has been deleted as it is no longer necessary.

OdosRouterV3 contract

The swapCompact, swap, swapPermit2, swapMultiCompact, swapMulti, and swapMultiPermit2 functions now accept the swapReferralInfo data structure instead of the referralCode value.

struct swapReferralInfo {
    uint64 code;
    uint64 fee;
    address feeRecipient;
}

The swapCompact and swapMultiCompact functions have been modified to correctly decode the provided swapReferralInfo data from the calldata.

function swapMulti(
  inputTokenInfo[] memory inputs,
  outputTokenInfo[] memory outputs,
  bytes calldata pathDefinition,
  address executor,
- uint32 referralCode
+ swapReferralInfo memory referralInfo
) [...]
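
Review bot: the added `swapReferralInfo memory referralInfo` parameter makes the fee and its recipient caller-supplied, and nothing in this signature says what unit `fee` is in. Add NatSpec on the parameter stating that `fee` is expressed against FEE_DENOM, that it is capped at FEE_DENOM / 50, and that a non-zero fee requires a non-zero `feeRecipient`. The parameter type change also changes the function selector, so the integration notes should call that out for existing callers.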

The _swap and _swapMulti functions have been modified to include additional require statements that verify the validity of the provided referral information: when a fee is set, the feeRecipient must not be the zero address, and the fee cannot exceed FEE_DENOM / 50.

if (referralInfo.fee > 0) {
    require(referralInfo.feeRecipient != address(0), "Null fee recipient");
    require(referralInfo.fee <= FEE_DENOM / 50, "Fee too high");
    [...]
}

Minor differences

The following were minor changes made to the codebase.

OdosRouterV3 contract

The Swap and SwapMulti events have been updated to include new fields: referralCode, referralFee, and referralFeeRecipient.

event Swap(
    address sender,
    uint256 inputAmount,
    address inputToken,
    uint256 amountOut,
    address outputToken,
    int256 slippage,
-   uint32 referralCode
+   uint64 referralCode,
+   uint64 referralFee,
+   address referralFeeRecipient
);
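
Review bot: none of the parameters of Swap is declared `indexed`, including the three added referral fields. With the referral-management logic now off chain, anything that reconstructs per-referrer accounting from these logs has to decode every Swap log, so consider `uint64 indexed referralCode` or `address indexed referralFeeRecipient` to allow filtering by topic.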

event SwapMulti(
    address sender,
    uint256[] amountsIn,
    address[] tokensIn,
    uint256[] amountsOut,
    address[] tokensOut,
    int256[] slippage,
-   uint32 referralCode
+   uint64 referralCode,
+   uint64 referralFee,
+   address referralFeeRecipient
);
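
Review bot: replacing `uint32 referralCode` with three fields changes the SwapMulti event signature, and with it the topic hash that log consumers subscribe to. Record the change in the release or integration notes so indexers and monitoring built on the old event are updated rather than silently matching nothing. It would also help to document whether the single `referralFee` value applies to every entry in `amountsOut`.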

The registerReferralCode, referralLookup, referralNumManagers, and referralManager functions have been deleted since all of them interacted with the deprecated ReferralRegistry contract.

Zellic © 2025