
Function: transferCallback(IERC20 token, address from, uint256 amount)

This function is used to transfer ERC-20 tokens to the smart vault. It is expected to be called from the smart vault during _depositERC20.

Inputs

  • token

    • Control: Not controllable, declared underlyingAsset.

    • Constraints: None.

    • Impact: Address of the token.

  • from

    • Control: Not controllable.

    • Constraints: Should be the address of the depositor (caller of depositERC20).

    • Impact: Address of the depositor.

  • amount

    • Control: Fully controllable by the caller.

    • Constraints: Should be approved by the depositor.

    • Impact: Amount of token.

Branches and code coverage

Intended branches

  • Check if the caller is the smart vault.

  • Call safeTransferFrom on the token.

  • Check if the balance of the token is changed correctly.

Negative behavior

  • Revert if the caller is not the smart vault.

  • Revert if the balance of the token is changed unexpectedly.

Function call analysis

  • token.balanceOf(msg.sender)

    • What is controllable? token, but underlyingAsset is declared in the vault.

    • If the return value is controllable, how is it used and how can it go wrong? Even without an actual token transfer, the callback can still succeed.

    • What happens if it reverts, reenters or does other unusual control flow? A revert indicates that the token address is not a valid ERC-20.

  • SafeERC20.safeTransferFrom(token, from, msg.sender, amount)

    • What is controllable? token, but underlyingAsset is declared in the vault.

    • If the return value is controllable, how is it used and how can it go wrong? Even without an actual token transfer, the callback can still succeed.

    • What happens if it reverts, reenters or does other unusual control flow? A revert indicates that the token is not a valid ERC-20 or that the sender lacks sufficient balance or approval.

  • token.balanceOf(msg.sender)

    • What is controllable? token, but underlyingAsset is declared in the vault.

    • If the return value is controllable, how is it used and how can it go wrong? Even without an actual token transfer, the callback can still succeed.

    • What happens if it reverts, reenters or does other unusual control flow? A revert indicates that the token address is not a valid ERC-20.
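
The intended branches and the three external calls analyzed above, as an added Solidity sketch (not code from the assessed project). The contract name, the immutable smartVault address, the custom errors, and the exact-equality balance check are assumptions; only the function signature and the three calls come from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative sketch only. TransferCallbackSketch, smartVault and both
// custom errors are hypothetical names, not taken from the assessed code.
contract TransferCallbackSketch {
    using SafeERC20 for IERC20;

    error CallerNotSmartVault(address caller);
    error UnexpectedBalanceChange(uint256 expected, uint256 received);

    // Assumption: a single vault, fixed at deployment, may invoke the callback.
    address public immutable smartVault;

    constructor(address smartVault_) {
        smartVault = smartVault_;
    }

    function transferCallback(IERC20 token, address from, uint256 amount) external {
        // Branch: revert if the caller is not the smart vault. Without this
        // check, anyone could pull tokens from any address that has approved
        // this contract.
        if (msg.sender != smartVault) revert CallerNotSmartVault(msg.sender);

        // First balanceOf call: vault balance before the pull.
        uint256 balanceBefore = token.balanceOf(msg.sender);

        // safeTransferFrom reverts when the token returns false, returns
        // malformed data, or the depositor lacks balance or approval.
        token.safeTransferFrom(from, msg.sender, amount);

        // Second balanceOf call: vault balance after the pull. The
        // subtraction reverts on underflow under Solidity 0.8 checked math.
        uint256 received = token.balanceOf(msg.sender) - balanceBefore;

        // Branch: revert if the balance changed unexpectedly, for example a
        // fee-on-transfer token or a token that reports success without
        // moving funds. Assumption: "changed correctly" means exactly amount.
        if (received != amount) revert UnexpectedBalanceChange(amount, received);
    }
}
```

The balance check trusts the token's own balanceOf, so it only holds for an honest token; that is why the analysis above notes that token is constrained to the underlyingAsset declared in the vault.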

Zellic © 2025