Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Orderly Network>Threat Model>accountWithDrawFinish
GeneralOverview
Findings
Critical (1)
High (4)
Medium (3)
Informational (1)
DiscussionAdditional checksOverall issues with some functionsThe `changeFeeCollector` does not revertThe `tokenHash` is not a hash from `tokenAddress`
Threat ModelWhat are threat models?AccountTypeHelper.solAccountTypePositionHelper.solCrossChainRelayUpgradeable.solFeeManager.sol
Ledger.solaccountDepositaccountWithDrawFinishexecuteAdlexecuteLiquidationexecuteProcessValidatedFuturesexecuteSettlementexecuteWithdrawActionsetCrossChainManagersetFeeManagersetMarketManagersetOperatorManagerAddresssetVaultManager
LedgerComponent.solLedgerCrossChainManagerUpgradeable.solMarketManager.solOperatorManager.solOperatorManagerComponent.solSignature.solVault.solVaultCrossChainManagerUpgradeable.solVaultManager.sol
Audit ResultsSummary

Function: accountWithDrawFinish(AccountTypes.AccountWithdraw withdraw)

This function is called in the process of cross-chain withdrawal of funds. At first, the executeWithdrawAction function is triggered in this chain — after that, withdrawal in Vault contract in destination chain. And then, the Vault contract triggers a cross-chain message that triggers this function to finish the withdraw process, after successfully transferring funds to receiver.

This is the structure of input withdraw object:

struct AccountWithdraw { bytes32 accountId - The ID of the initiator of withdraw. This value is validated in the `executeWithdrawAction` function. address sender - The address of the initiator related to the accountId. This value is validated in the `executeWithdrawAction` function. address receiver - The address of the receiver of withdrawn funds. There is no validation. bytes32 brokerHash - The broker hash, related to the deposited funds. bytes32 tokenHash - The deposited token hash. uint128 tokenAmount - The amount of withdrawn tokens. uint128 fee - A withdrawn fee. The receiver of the fee is controlled by feeManager. uint256 chainId; - The destination chain ID where withdrawal happened. uint64 withdrawNonce - The unique nonce of the withdraw action. }

Branches and code coverage

Intended branches

  • Withdraw process finished properly.

  • The frozen balance is zero after call.

Negative behavior

  • accountId is not registered.

  • sender is not related to the accountId.

  • receiver is the zero address.

  • brokerHash is not allowed.

  • tokenHash is not allowed.

  • chainId is untrusted.

  • withdrawNonce already used.

Function call analysis

  • account.finishFrozenBalance(withdraw.withdrawNonce, withdraw.tokenHash, withdraw.tokenAmount);

    • External/Internal? Internal.

    • Argument control? All arguments are controlled by operator.

    • Impact: Function deletes the frozen account funds to finish withdraw process.

  • vaultManager.finishFrozenBalance(withdraw.tokenHash, withdraw.chainId, withdraw.tokenAmount - withdraw.fee);

    • External/Internal? External.

    • Argument control? All arguments are controlled by operator.

    • Impact: Function deletes the frozen vaultManager funds to finish withdraw process.

  • feeManager.getFeeCollector(IFeeManager.FeeCollectorType.WithdrawFeeCollector);

    • External/Internal? External.

    • Argument control? Is not controlled by operator.

    • Impact: Returns id of the account that receives the fee.

  • feeCollectorAccount.addBalance(withdraw.tokenHash, withdraw.fee);

    • External/Internal? Internal.

    • Argument control? All arguments are controlled by operator.

    • Impact: Add fee to the fee receiver balance.

Zellic © 2024Back to top ↑