Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Odos>Threat Models>swapMulti
GeneralOverview
DiscussionCalls to arbitrary external addressesFees on positive slippageHardcoded slotCoding style
Threat ModelsWhat are threat models?
OdosRouterV2.solregisterReferralCodesetSwapMultiFeeswapswapCompactswapMultiswapMultiPermit2swapPermit2swapRouterFundstransferRouterFundswriteAddressList
Audit ResultsSummary

Function: swapMulti(inputTokenInfo[] inputs, outputTokenInfo[] outputs, uint256 valueOutMin, byte[] pathDefinition, address executor, uint32 referralCode)

Swaps multiple tokens or ETH in a single atomically using approval. Slippage is controlled by giving each output a weight and defining a valueOutMin that defines a lower limit for the weighted sum of all output tokens.

Inputs

  • inputs

    • Control: Arbitrary.

    • Constraints: The sum of all inputs[i].amountIn must be equal to msg.value in the case of ETH. Cannot have duplicate sources.

    • Impact: Decides token addresses to swap from, the amounts to swap, and the receiver.

  • outputs

    • Control: Arbitrary.

    • Constraints: Cannot be equal to any of the input token addresses (arbitrage) or have duplicates of destinations.

    • Impact: Specifies the output tokens, receiver, and relativeValue — which is a weighting for slippage calculations.

  • valueOutMin

    • Control: Arbitrary.

    • Constraints: Must be larger than 0.

    • Impact: Decides the minimum value the token owner will allow with respect to slippage.

  • pathDefinition

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Passed to the executor — determines the operation to be executed.

  • executor

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Determines the address of the executor to be invoked.

  • referralCode

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Referral code used for statistics and referral fees.

Branches and code coverage (including function calls)

Intended branches

  • Performs a swap using ETH as input.

  • Performs a swap using a token as input.

  • Performs a swap using multiple tokens/ETH as input.

Negative behavior

  • Execution is reverted if inputs has ETH but amount does not match msg.value.

  • Execution is reverted if there are duplicate source tokens.

  • Execution is reverted if there are any input and output tokens that are equal (arbitrage).

  • Execution is reverted if slippage limit valueOutMin is exceeded (slippage).

  • Execution is reverted if slippage limit is set too low.

Function call analysis

  • rootFunction -> _swapMultiApproval

    • What is controllable? All arguments.

    • If return value controllable, how is it used and how can it go wrong? Not used.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts are propagated upwards; reentrancy is a potential concern, but slippage checks mitigate that.

Zellic © 2024Back to top ↑