Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Prisma Finance>Discussion>Inaccurate require string
GeneralOverview
Findings
Critical (1)
Low (1)
Informational (2)
DiscussionInaccurate require stringInconsistent update of `lastDefaultInterestUpdate`Unused codeDiscrepancy between interface and implementationMissing test suite
Threat ModelsWhat are threat models?AdminVoting.solAllocationVesting.solBorrowerOperations.solConvexDepositToken.solDebtToken.solFactory.solIncentiveVoting.solLiquidationManager.solPriceFeed.solPrismaToken.solSortedTroves.solStabilityPool.solTokenLocker.solTreasury.solTroveManager.sol
Audit ResultsSummary
AppendixAppendix

Inaccurate require string

The function burn in the DebtToken contract has a require statement as shown below. Here, the require string implies that the function can be called either by BorrowerOperations, TroveManager, or StabilityPool, but the require statement only checks if the function is called by troveManager. 

function burn(address _account, uint256 _amount) external {
    require(
        troveManager[msg.sender],
        "Debt: Caller is neither BorrowerOperations nor TroveManager nor StabilityPool"
    );
    _burn(_account, _amount);
}```

The expected caller of this function is only `troveManager`, so the require string should be modified to imply the same.
Zellic © 2025Back to top ↑