Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Stable Predeposit>Threat Model>recoverErc20
GeneralOverview
Findings
Medium (1)
DiscussionCode-quality improvementsLack of bridging gas refunds
Threat ModelWhat are threat models?HourglassStableVault.sol
HourglassStableVaultBridge.solFunction: bridgeToStable(uint256 shares, address recipient, bytes lzOpts, uint16 slippageBps)Function: bridgeToStableWithPermit(uint256 shares, address recipient, bytes lzOpts, uint16 slippageBps, uint256 deadline, uint8 v, byte[32] r, byte[32] s)recoverErc20recoverEth
HourglassStableVaultFrax.solHourglassStableVaultKYC.sol
Audit ResultsAssessment Results

Function: recoverErc20(address token, uint256 amount)

This function allows the owner to recover any ERC-20 tokens stuck in the contract, at any time.

Inputs

  • token

    • Control: Full.

    • Constraints: None, besides allowing an external call to safeTransfer(address,uint256).

    • Impact: The address of the token to recover.

  • amount

    • Control: Full.

    • Constraints: The amount cannot be zero and cannot exceed the contract's balance of the token.

    • Impact: The amount of tokens to recover.

Branches and code coverage

Intended branches

  • Successfully able to call the function with intended behavior.

Negative behavior

  • Caller must be the owner.

  • The contract has sufficient balance of the token.

Function call analysis

  • SafeERC20.safeTransfer(IERC20(token), recipient, amount)

    • What is controllable? All arguments are controllable.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? The transaction reverts.

Zellic © 2025Back to top ↑