Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Origami Finance>Threat Model>exitToToken
GeneralOverview
Findings
Low (3)
DiscussionPossible share-price inflationLack of validationExemplary codebasePotential price arbitrage
Threat ModelWhat are threat models?LinearWithKinkInterestRateModel.solMintableToken.solOrigamiAaveV3IdleStrategy.solOrigamiAbstractLovTokenManager.solOrigamiCircuitBreakerAllUsersPerPeriod.solOrigamiCircuitBreakerProxy.solOrigamiCrossRateOracle.solOrigamiDebtToken.solOrigamiElevatedAccessBase.solOrigamiIdleStrategyManager.solOrigamiInvestmentVault.solOrigamiLendingClerk.solOrigamiLendingRewardsMinter.solOrigamiLendingSupplyManager.solOrigamiLovToken.solOrigamiLovTokenErc4626Manager.sol
OrigamiOToken.solamoBurnamoMintexitToNativeexitToTokeninvestWithNativeinvestWithToken
RepricingToken.solTokenPrices.sol
Audit ResultsSummary

Function: exitToToken(ExitQuoteData quoteData, address recipient)

Allows to sell oTokens and receive one of the accepted ERC-20 tokens in return. Firstly, the oToken will be transferred to the _manager account from the caller's account. Then, _manager will process these tokens and determine the amount of quoteData.toToken to be received in exchange and send to the recipient. Finally, this calculated amount of quoteData.toToken will be burned from the manager's account.

Inputs

  • quoteData.investmentTokenAmount

    • Constraints: Cannot be zero, and the caller must own a sufficient amount.

    • Impact: The amount of oTokens to sell. Tokens will be transferred from the caller to the manager contract. At the end of transactions, tokens will be burned from the manager account.

  • quoteData.toToken

    • Constraints: There is no verification, but the manager.exitToToken() function verifies that quoteData.toToken is equal to the asset address; otherwise, it reverts.

    • Impact: The recipient will receive these tokens in return — toToken should be an accepted ERC-20 token.

  • recipient

    • Constraints: Cannot be zero address.

    • Impact: The receiver of the toToken.

Branches and code coverage

Intended branches

  • Successful exitToToken execution

Negative behavior

  • toToken is not approved.

  • quoteData.investmentTokenAmount is zero.

  • The caller owns fewer than the quoteData.investmentTokenAmount of oToken.

Zellic © 2025Back to top ↑