Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Orderly Network>Threat Model>setAllowedSymbol
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Informational (1)
DiscussionAdditional checksOverall issues with some functionsThe `changeFeeCollector` does not revertThe `tokenHash` is not a hash from `tokenAddress`
Threat ModelWhat are threat models?AccountTypeHelper.solAccountTypePositionHelper.solCrossChainRelayUpgradeable.solFeeManager.solLedger.solLedgerComponent.solLedgerCrossChainManagerUpgradeable.solMarketManager.solOperatorManager.solOperatorManagerComponent.solSignature.solVault.solVaultCrossChainManagerUpgradeable.sol
VaultManager.soladdBalancefinishFrozenBalancefrozenBalancesetAllowedBrokersetAllowedChainTokensetAllowedSymbolsetAllowedTokensetMaxWithdrawFeesubBalance
Audit ResultsSummary

Function: setAllowedSymbol(byte[32] _symbolHash, bool _allowed)

This allows the owner of the contract to add the allowed symbol and also remove it from allowedSymbolSet.

Inputs

  • _symbolHash

    • Control: Full control by owner.

    • Constraints: N/A.

    • Impact: The executeProcessValidatedFutures function will revert if using symbols is not allowed.

  • _allowed

    • Control: Full control by owner.

    • Constraints: N/A.

    • Impact: If _allowed is true, the _symbolHash will be added; if _allowed is false, the _symbolHash will be removed.

Branches and code coverage

Intended branches

  • New hash was added successfully if _allowed is true.

  • New hash was removed successfully if _allowed is false.

Negative behavior

  • Zero hash.

  • The same hash already added if _allowed is true.

  • allowedSymbolSet does not contain the hash if _allowed is false.

  • Caller is not an owner.

Zellic © 2025Back to top ↑