Function: swapMultiPermit2(permit2Info permit2, inputTokenInfo[] inputs, outputTokenInfo[] outputs, uint256 valueOutMin, byte[] pathDefinition, address executor, uint32 referralCode)

The multiswap variant of swapPermit2. This function performs multiple swaps by utilizing PermitBatchTransferFrom and permitTransferFrom with a signature from the owner of the tokens, instead of using the regular safeTransferFrom.

Inputs

  • permit2

    • Control: Arbitrary.

    • Constraints: The signature must be valid for assets owned by msg.sender for the given nonce, deadline, and transferDetails.

    • Impact: Specifies the deadline, nonce, and signature used to validate the rest of the parameters.

  • inputs

    • Control: Arbitrary.

    • Constraints: The sum of all inputs[i].amountIn must be equal to msg.value in the case of ETH. Cannot have duplicate sources.

    • Impact: Decides token addresses to swap from, the amounts to swap, and the receiver.

  • outputs

    • Control: Arbitrary.

    • Constraints: Output token addresses cannot be equal to any of the input token addresses (arbitrage), and destinations cannot contain duplicates.

    • Impact: Specifies the output tokens, receiver, and relativeValue — which is a weighting for slippage calculations.

  • valueOutMin

    • Control: Arbitrary.

    • Constraints: Must be larger than 0.

    • Impact: Decides the minimum value the token owner will allow with respect to slippage.

  • pathDefinition

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Passed to the executor — determines the operation to be executed.

  • executor

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Determines the address of the executor to be invoked.

  • referralCode

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Referral code used for statistics and referral fees.
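
Added example (not part of the report or of the audited contract): an off-chain Python model of the constraints listed above for inputs, outputs, and valueOutMin, usable for generating negative test cases before a swap is signed. The ETH placeholder address, the struct field names, the reading of "sources" and "destinations" as token addresses, and the rule that msg.value must be 0 when no ETH input is present are assumptions.

```python
# Added example: off-chain model of the documented input constraints.
from dataclasses import dataclass

ETH = "0x" + "00" * 20  # assumption: placeholder address standing for native ETH


@dataclass(frozen=True)
class TokenIn:  # hypothetical mirror of inputTokenInfo
    token: str
    amount_in: int
    receiver: str


@dataclass(frozen=True)
class TokenOut:  # hypothetical mirror of outputTokenInfo
    token: str
    relative_value: int
    receiver: str


def _norm(addr: str) -> str:
    # Compare addresses case-insensitively so checksummed and lowercase
    # spellings of the same address count as duplicates.
    return addr.lower()


def check_multi_swap(inputs, outputs, value_out_min, msg_value):
    """Return the list of violated constraints (empty list = would pass)."""
    errors = []
    srcs = [_norm(i.token) for i in inputs]
    dsts = [_norm(o.token) for o in outputs]

    if len(set(srcs)) != len(srcs):
        errors.append("duplicate source token")
    if len(set(dsts)) != len(dsts):
        errors.append("duplicate destination token")
    if set(srcs) & set(dsts):
        errors.append("output token equals an input token (arbitrage)")
    if value_out_min <= 0:
        errors.append("valueOutMin must be larger than 0")

    # Per the inputs constraint: ETH amountIn must add up to msg.value.
    # With no ETH input this expects msg.value == 0 (assumption).
    eth_total = sum(i.amount_in for i in inputs if _norm(i.token) == ETH)
    if eth_total != msg_value:
        errors.append("msg.value does not match ETH amountIn")
    return errors
```
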

Branches and code coverage (including function calls)

Intended branches

  • Swapping ETH to tokens.

  • Swapping tokens to ETH.

  • Swapping multiple tokens.

Negative behavior

  • Execution is reverted if msg.value == expected_msg_value.

  • Same negative coverage as swapMulti().

Function call analysis

  • swapMultiPermit2 -> _swapMulti

    • What is controllable? All arguments.

    • If return value controllable, how is it used and how can it go wrong? Not used.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts are not caught and will make the entire swap revert.

  • swapMultiPermit2 -> permitTransferFrom

    • What is controllable? All arguments, except owner, which is always msg.sender.

    • If return value controllable, how is it used and how can it go wrong? Not used.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts are not caught and will make the entire swap revert.

Zellic © 2024