Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Stable Predeposit>Threat Model>redeemKyc
GeneralOverview
Findings
Medium (1)
DiscussionCode-quality improvementsLack of bridging gas refunds
Threat ModelWhat are threat models?HourglassStableVault.solHourglassStableVaultBridge.solHourglassStableVaultFrax.sol
HourglassStableVaultKYC.solbatchSetKycStatusdepositmodifyPendingDepositWindowmodifyStartedDepositWindowpreviewRedeemFunction: recoverErc20(address token, address to)recoverEthredeemBridgeredeemKycredeemNonKycredeemRecoveryKycsetBridgeContractsetDepositCapsetTreasuryAddresstransferToTreasurytransitionToKycModetransitionToRecoveryModetransitionToWithdrawModetransitionToYieldMode
Audit ResultsAssessment Results

Function: redeemKyc(uint256 shares, address receiver, address owner)

This function is a bridge-only redemption path during the Withdraw phase that burns KYC-approved shares and sends pro-rata USDT to the receiver based on the vault’s available USDT liquidity. It is only callable by the bridge contract during the Withdraw phase.

Inputs

  • shares

    • Control: N/A.

    • Constraints: Must be nonzero, owned/approved by owner, and only available in the Withdraw phase.

    • Impact: Reduces sharesKyc, burns the shares, and releases USDT equal to the user’s pro-rata portion.

  • receiver

    • Control: N/A.

    • Constraints: N/A.

    • Impact: Receives the computed USDT amount.

  • owner

    • Control: KYC-approved account whose shares are burned.

    • Constraints: onlyKycApproved enforces status and onlyCallerIsBridge ensures the bridge triggers redemption.

    • Impact: Loses shares while their claim in USDT diminishes proportionally.

Branches and code coverage

Intended branches

  • Burn shares and transfer USDT to the receiver (bridge).

  • The caller is the bridge contract and calls inside the Withdraw phase.

Negative behavior

  • The caller is not the bridge contract, and calls outside the Withdraw phase revert.

Function call analysis

  • this.previewRedeem(owner, shares)

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • SafeERC20.safeTransfer(HourglassStableVaultKYC.USDT, receiver, usdtOut)

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑