Assessment reports>Origami Finance>Threat Model>investWithToken

Function: investWithToken(address account, IOrigamiInvestment.InvestQuoteData quoteData)

This function is called by the oToken contract during the investing process.

Inputs

  • account

    • Constraints: If the global variable allowAll is true, the account is not validated. Otherwise, if the address is not a contract, the allowedAccounts should contain the account address or account should be equal to the ovToken address.

    • Impact: The address of the caller of the OToken:investWithToken function who initiated investing process.

  • quoteData.fromToken

    • Constraints: Should be equal to asset.

    • Impact: The address of the token that will be invested.

  • quoteData.fromTokenAmount

    • Constraints: No constraints.

    • Impact: The invested token amount.

Branches and code coverage

Intended branches

  • The investWithToken was executed properly

Negative behavior

  • fromToken is not approved.

  • account is not allowed.

  • _paused.investmentsPaused is true.

Function call analysis

  • this.lendingClerk.deposit(quoteData.fromTokenAmount)

    • What is controllable? quoteData.fromTokenAmount

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? The function transfers asset tokens (should be equal to the fromToken, otherwise it reverts) from this contract to the lendingClerk and allocates them to the IdleStrategyManager contract and mints debt tokens for strategy.

Zellic © 2025Back to top ↑