Zellic - Audit Reports

Assessment reports Public findings

Back to Zellic siteBack

Assessment reports>Smart Vault>Threat Model>addAllocated

GeneralOverview

Findings

Informational (3)

DiscussionReentrancy guard modifier

Threat ModelWhat are threat models?

RewardVault.sol addAllocated removeAllocated transferAllocatedTokens

SmartVault.sol SmartVaultManager.sol

Audit ResultsAssessment Results

Function: `addAllocated(Allocation[] allocations)`

This function is used to add allocated tokens to the reward vault. Only the owner can call this function.

Inputs

allocations
- Control: Fully controllable by the caller (contract owner).
- Constraints: None.
- Impact: Address of asset, address of recipient, and amount of tokens.

Branches and code coverage

Intended branches

Add the amount to the allocation, for each allocation.
Test coverage
Transfer the amount to the contract.
Test coverage
Emit the AddAllocation event.
Test coverage

Negative behavior

Revert if the caller is not the contract owner.
Negative test

Function call analysis

SafeERC20.safeTransferFrom(IERC20(allocation.asset), this.owner(), address(this), allocation.amount)
- What is controllable? asset and amount.
- If the return value is controllable, how is it used and how can it go wrong? The return value is not used.
- What happens if it reverts, reenters or does other unusual control flow? A revert indicates the transfer fails.

Zellic © 2025Back to top ↑