Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Smart Vault>Threat Model>withdraw
GeneralOverview
Findings
Medium (1)
Low (4)
Informational (3)
DiscussionReentrancy guard modifier
Threat ModelWhat are threat models?RewardVault.sol
SmartVault.solclaimdepositERC20manageDebtAndStakewithdraw
SmartVaultManager.sol
Audit ResultsAssessment Results

Function: withdraw(uint256 amount, address owner, address receiver)

This function is used to withdraw underlying assets from the smart vault. It is expected to be called from the smart vault manager.

Inputs

  • amount

    • Control: Fully controllable by the caller (smartVaultManager).

    • Constraints: Amount should be less than the shares of the owner.

    • Impact: Amount to withdraw.

  • owner

    • Control: Fully controllable by the caller (smartVaultManager).

    • Constraints: None.

    • Impact: Address of the share owner.

  • receiver

    • Control: Fully controllable by the caller (smartVaultManager).

    • Constraints: None.

    • Impact: Address of the receiver.

Branches and code coverage

Intended branches

  • Invoke the _beforeWithdraw function.

  • Check if the current timestamp is within the withdraw time range.

  • Check if the amount is within the shares of the owner.

  • Invoke the _withdraw function.

  • Update the shares for the receiver.

  • Call the safeTransfer function of the token to the receiver.

  • Update the total deposited underlying asset amount.

  • Emit the Withdraw event.

  • Invoke the _manageDebtAndStake function.

  • Skip when staking is disabled.

  • Calculate the underlying token value using the manager's fetchPrice function.

  • Calculate the target staking amount using the staking factor.

    • If the target is greater than the minted, mint the debt token and adjust the staking amount.

    • If the target is less than the minted, burn the debt token and adjust the staking amount.

Negative behavior

  • Revert if the caller is not the manager.

  • Revert if the contract is paused.

  • Revert if the amount is zero.

  • Revert if the amount is greater than the shares of the owner.

  • Revert if minting/burning debt token fails.

Function call analysis

  • this._withdraw(amount, owner, receiver) -> SafeERC20.safeTransfer(this.underlyingAsset, receiver, amount)

    • What is controllable? receiver and amount.

    • If the return value is controllable, how is it used and how can it go wrong? The return value is not used.

    • What happens if it reverts, reenters or does other unusual control flow? A revert indicates the transfer failed or the contract does not have enough underlying asset.

  • Other external call flows are the same as the depositERC20 function's _manageDebtAndStake flow of SmartVault

Zellic © 2025Back to top ↑