Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Orderly Network>Threat Model>setAllowedToken
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Informational (1)
DiscussionAdditional checksOverall issues with some functionsThe `changeFeeCollector` does not revertThe `tokenHash` is not a hash from `tokenAddress`
Threat ModelWhat are threat models?AccountTypeHelper.solAccountTypePositionHelper.solCrossChainRelayUpgradeable.solFeeManager.solLedger.solLedgerComponent.solLedgerCrossChainManagerUpgradeable.solMarketManager.solOperatorManager.solOperatorManagerComponent.solSignature.solVault.solVaultCrossChainManagerUpgradeable.sol
VaultManager.soladdBalancefinishFrozenBalancefrozenBalancesetAllowedBrokersetAllowedChainTokensetAllowedSymbolsetAllowedTokensetMaxWithdrawFeesubBalance
Audit ResultsSummary

Function: setAllowedToken(byte[32] _tokenHash, bool _allowed)

This allows the owner of the contract to add the allowed token hash and also remove it from allowedTokenSet.

Inputs

  • _tokenHash

    • Control: Full control by owner.

    • Constraints: N/A.

    • Impact: There is no impact since it is not used.

  • _allowed

    • Control: Full control by owner.

    • Constraints: N/A.

    • Impact: If _allowed is true, the _tokenHash will be added to the allowedTokenSet; if _allowed is false, the _tokenHash will be removed from allowedTokenSet.

Branches and code coverage

Intended branches

  • New hash was added successfully if _allowed is true.

  • New hash was removed successfully if _allowed is false.

Negative behavior

  • Zero hash.

  • The same hash already added if _allowed is true.

  • allowedTokenSet does not contain the hash if _allowed is false.

  • Caller is not an owner.

Zellic © 2025Back to top ↑