Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Prisma Finance>Threat Models>transferAllocatedTokens
GeneralOverview
Findings
Critical (1)
Low (1)
Informational (2)
DiscussionInaccurate require stringInconsistent update of `lastDefaultInterestUpdate`Unused codeDiscrepancy between interface and implementationMissing test suite
Threat ModelsWhat are threat models?AdminVoting.solAllocationVesting.solBorrowerOperations.solConvexDepositToken.solDebtToken.solFactory.solIncentiveVoting.solLiquidationManager.solPriceFeed.solPrismaToken.solSortedTroves.solStabilityPool.solTokenLocker.sol
Treasury.solbatchClaimRewardssetBoostDelegationParamstransferAllocatedTokens
TroveManager.sol
Audit ResultsSummary
AppendixAppendix

Function: transferAllocatedTokens(address claimant, address receiver, uint256 amount)

Transfer prismaToken tokens previously allocated to the caller.

Inputs

  • claimant

    • Control: Controlled by the user.

    • Constraints: N/A.

    • Impact: Address that is claiming the tokens.

  • receiver

    • Control: Controlled by the user.

    • Constraints: N/A.

    • Impact: Address to transfer tokens to.

  • amount

    • Control: Controlled by the user.

    • Constraints: Should be larger than zero.

    • Impact: Desired amount of tokens to transfer.

Branches and code coverage (including function calls)

Intended branches

  • Successfully transfer tokens.

Negative behavior

  • Reentrancy test.

Function call analysis

  • transferAllocatedTokens -> _transferAllocated -> delegateCallback.getFeePct(account, amount, previousAmount, totalWeekly)

    • What is controllable? account and amount.

    • If return value controllable, how is it used and how can it go wrong? If return value is controllable, the delegate fee will be controlled.

    • What happens if it reverts, reenters, or does other unusual control flow? If it reenters, it would cause no security issue due to pendingRewardFor[msg.sender] = 0;.

Zellic © 2025Back to top ↑