Function: swapPermit2(permit2Info permit2, swapTokenInfo tokenInfo, byte[] pathDefinition, address executor, uint32 referralCode)

This function performs a swap, taking the input assets via permitTransferFrom, authorized by a signature from the owner of the tokens, instead of the regular transferFrom.

Inputs

  • permit2

    • Control: Arbitrary.

    • Constraints: signature must be a valid signature for assets owned by msg.sender for the supplied nonce, deadline, token address, and amount.

    • Impact: Specifies part of the data required to call permitTransferFrom — the contract to call, nonce, deadline, and signature.

  • tokenInfo

    • Control: Arbitrary.

    • Constraints: Same constraints as swap; additionally, the input token must be the same used by the signature.

    • Impact: Specifies the input and output tokens, their amounts, slippage, and receiver addresses.

  • pathDefinition

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Passed to the executor — determines the action to be executed.

  • executor

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Determines the address of the executor contract.

  • referralCode

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Referral code used for statistics and referral fees.

Branches and code coverage (including function calls)

While only a basic test for this specific function is included in the test suite, we note the function shares the same logic used by swap and swapCompact, invoking the same _swap function. Therefore, only additional logic is documented here.

Negative behavior

No negative tests exist in the codebase for this specific function; however, we note that most failure cases are shared with swap and swapCompact.

Function call analysis

  • rootFunction -> permitTransferFrom

    • What is controllable? All arguments are controllable except the owner of the tokens, which is always msg.sender.

    • If return value controllable, how is it used and how can it go wrong? Not used.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts are propagated upwards; reentrancy is a concern, mostly mitigated by slippage checks.
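The constraints on permit2 and tokenInfo and the call analyzed above can be seen in the following added sketch, which is not the audited project's code. The interface is a subset of Uniswap Permit2's ISignatureTransfer; the contract name, the two struct layouts, and the function name pullInput are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.8;

// Subset of Uniswap Permit2's ISignatureTransfer interface.
interface ISignatureTransfer {
    struct TokenPermissions { address token; uint256 amount; }
    struct PermitTransferFrom { TokenPermissions permitted; uint256 nonce; uint256 deadline; }
    struct SignatureTransferDetails { address to; uint256 requestedAmount; }

    function permitTransferFrom(
        PermitTransferFrom memory permit,
        SignatureTransferDetails calldata transferDetails,
        address owner,
        bytes calldata signature
    ) external;
}

// Hypothetical router fragment: names and struct layouts are assumptions.
contract PermitPullSketch {
    struct Permit2Info { address contractAddress; uint256 nonce; uint256 deadline; bytes signature; }
    struct InputInfo { address inputToken; uint256 inputAmount; address inputReceiver; }

    function pullInput(Permit2Info calldata p, InputInfo calldata t) external {
        ISignatureTransfer(p.contractAddress).permitTransferFrom(
            // The permit is rebuilt from the swap's own token and amount, so a
            // signature over a different token, amount, nonce, or deadline
            // hashes to a different message and Permit2 reverts.
            ISignatureTransfer.PermitTransferFrom({
                permitted: ISignatureTransfer.TokenPermissions({
                    token: t.inputToken,
                    amount: t.inputAmount
                }),
                nonce: p.nonce,       // single-use: Permit2 rejects a reused nonce
                deadline: p.deadline  // Permit2 rejects the call after this timestamp
            }),
            ISignatureTransfer.SignatureTransferDetails({
                to: t.inputReceiver,
                requestedAmount: t.inputAmount // must not exceed the permitted amount
            }),
            // The owner is never caller-supplied: the signature must recover to
            // msg.sender, and Permit2 binds the spender to this contract.
            msg.sender,
            p.signature
        );
    }
}
```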

Zellic © 2024