Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Origami Finance>Threat Model>exitToToken
GeneralOverview
Findings
Low (3)
DiscussionPossible share-price inflationLack of validationExemplary codebasePotential price arbitrage
Threat ModelWhat are threat models?LinearWithKinkInterestRateModel.solMintableToken.solOrigamiAaveV3IdleStrategy.solOrigamiAbstractLovTokenManager.solOrigamiCircuitBreakerAllUsersPerPeriod.solOrigamiCircuitBreakerProxy.solOrigamiCrossRateOracle.solOrigamiDebtToken.solOrigamiElevatedAccessBase.solOrigamiIdleStrategyManager.sol
OrigamiInvestmentVault.solexitToTokeninvestWithTokensetPerformanceFee
OrigamiLendingClerk.solOrigamiLendingRewardsMinter.solOrigamiLendingSupplyManager.solOrigamiLovToken.solOrigamiLovTokenErc4626Manager.solOrigamiOToken.solRepricingToken.solTokenPrices.sol
Audit ResultsSummary

Function: exitToToken(ExitQuoteData quoteData, address recipient)

Allows users to withdraw investment funds from the Origami investment vault.

### Inputs

  • quoteData.investmentTokenAmount

    • Constraints: Cannot be zero, and the caller must own a sufficient amount.

    • Impact: The amount of shares to sell. Shares will be burned from the caller account.

  • quoteData.toToken

    • Constraints: Can be equal to the reserveToken or approved ERC-20.

    • Impact: The recipient will receive these tokens in return — toToken should be an accepted ERC-20 token or reserveToken.

  • quoteData.underlyingInvestmentQuoteData

    • Constraints: No constraints.

    • Impact: Extra quote parameters that will be provided to the reserveToken.exitToToken().

  • recipient

    • Constraints: Cannot be zero address.

    • Impact: The receiver of the toToken.

Branches and code coverage

Negative behavior

  • Verify that result does not depend on user's underlyingQuoteData.underlyingExitQuoteData.investmentTokenAmount (the user controls this field, but it will be overwritten by the function thus, the user's value should not affect the result).

  • toToken is not approved.

  • The caller owns fewer than quoteData.investmentTokenAmount shares tokens.

Function call analysis

  • this._redeemReservesFromShares(quoteData.investmentTokenAmount, msg.sender, quoteData.minToTokenAmount, recipient)

    • What is controllable? quoteData.investmentTokenAmount, quoteData.minToTokenAmount, and recipient.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? The function converts user's shares amount to reserve tokens and burns this sharesAmount from the user balance. If quoteData.toToken == reserveToken, this contract will transfer reserveToken to receiver. Also, the function performs a slippage check that reserveTokenAmount is not less than expected minReserveTokenAmount.

  • IOrigamiInvestment(this.reserveToken).exitToToken(underlyingQuoteData.underlyingExitQuoteData, recipient)

    • What is controllable? underlyingQuoteData.underlyingExitQuoteData and recipient.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the number of tokens received by the recipient. If toTokenAmount < quoteData.minToTokenAmount, the function will revert.

    • What happens if it reverts, reenters or does other unusual control flow? The function can revert if underlyingQuoteData.underlyingExitQuoteData.toToken is not accepted by the reserveToken contract.

Zellic © 2025Back to top ↑