Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Ostium>Threat Model>deposit
GeneralOverview
Findings
Critical (2)
High (3)
Medium (6)
Low (6)
Informational (2)
DiscussionRemoval of trading pairs is not supportedIncorrect last updated block number for TP and SLTradeUtils used as a library for address
Threat ModelWhat are threat models?Delegatable.solOstiumOpenPnl.solOstiumTrading.sol
OstiumVault.sol_executeDiscountAndLockcancelWithdrawRequestdepositdepositWithDiscountAndLockdistributeRewardmakeWithdrawRequestmintmintWithDiscountAndLockreceiveAssetsredeemtransfertransferFromtryNewOpenPnlRequestOrEpochtryResetDailyAccPnlDeltatryUpdateCurrentMaxSupplyunlockDepositwithdraw
Audit ResultsSummary

Function: deposit(uint256 assets, address receiver)

Deposits assets into the vault in order to mint shares corresponding to the value.

Inputs

  • assets

    • Control: Arbitrary.

    • Constraints: Must be less than max deposit. Asset transfer must succeed.

    • Impact: Amount of assets to deposit.

  • receiver

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Receiver of the shares.

Branches and code coverage

Intended branches

  • Deposit succeeds.

Negative behavior

  • Deposit fails due to whitelist.

  • Deposit fails due to being over max deposit.

  • Deposit fails due to asset transfer failure.

Function call analysis

  • this._deposit(this._msgSender(), receiver, assets, shares) -> SafeERC20Upgradeable.safeTransferFrom(this._asset, caller, address(this), assets)

    • What is controllable? Quantity of assets.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? Tail call, so reentrancy due to an ERC-20 hook is safe.

Zellic © 2024Back to top ↑