Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Perennial>Threat Model>_vaultUpdate
GeneralOverview
Findings
Critical (1)
High (1)
Medium (1)
Low (2)
DiscussionUnnecessary storage assignments in `MappingStorageLib` waste gasIncorrect documentation in Vault `Mapping`Market user interface may be misleadingMissing fee claim mechanismUndercollateralized positions possible
Threat ModelWhat are threat models?Market.solMarketFactory.sol
MultiInvoker.sol_update_vaultUpdateinvoke
Oracle.solOracleFactory.solVault.solVaultFactory.sol
Audit ResultsSummary
AppendixVault inflation POC codeNegative Liquidation PoC codeMultiInvoker drain POC code

Function: _vaultUpdate(IVault IVault, UFixed6 UFixed6, UFixed6 UFixed6, UFixed6 UFixed6, bool bool)

Calls vault.update with msg.sender as the account and the specified arguments. Optionally routes and optionally wraps tokens to send to market or receive from market.

Inputs

  • vault

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Contract makes a call to vault.update with some attacker-controlled arguments.

  • depositAssets

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Argument to vault.update call. Assets are deposited if positive.

  • redeemShares

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Argument to vault.update call.

  • claimAssets

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Argument to vault.update call. Difference in owned assets is sent to sender if positive.

  • wrap

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Whether DSU is used directly or USDC is used with this function wrapping/unwrapping it.

Function call analysis

Same as _update. Only calls into USDC/DSU and batcher, both of which do not reasonably reenter. Even if they did, the only potential impact is that DSU may be taken from this contract, and the contract is not meant to hold DSU.

Zellic © 2025Back to top ↑