Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Stable Predeposit>Threat Model>redeemRecoveryKyc
GeneralOverview
Findings
Medium (1)
DiscussionCode-quality improvementsLack of bridging gas refunds
Threat ModelWhat are threat models?HourglassStableVault.solHourglassStableVaultBridge.solHourglassStableVaultFrax.sol
HourglassStableVaultKYC.solbatchSetKycStatusdepositmodifyPendingDepositWindowmodifyStartedDepositWindowpreviewRedeemFunction: recoverErc20(address token, address to)recoverEthredeemBridgeredeemKycredeemNonKycredeemRecoveryKycsetBridgeContractsetDepositCapsetTreasuryAddresstransferToTreasurytransitionToKycModetransitionToRecoveryModetransitionToWithdrawModetransitionToYieldMode
Audit ResultsAssessment Results

Function: redeemRecoveryKyc(uint256 shares, address receiver, address owner)

This function is emergency redemption for KYC users during the Recovery phase — burns shares and returns both pro-rata USDT and any remaining undeployed USDC.

Inputs

  • shares

    • Control: N/A.

    • Constraints: Must be nonzero and owned/approved.

    • Impact: Burns the shares, reduces sharesKyc, and may decrease usdcKycDeployable if undeployed USDC is returned.

  • receiver

    • Control: N/A.

    • Constraints: N/A.

    • Impact: Obtains both asset types calculated by previewRedeem.

  • owner

    • Control: N/A.

    • Constraints: Must be marked KYC via onlyKycApproved.

    • Impact: Share balance drops.

Branches and code coverage

Intended branches

  • Burn shares and return both USDT and undeployed USDC.

  • The caller is not the owner, and calls outside the Recovery phase revert.

Negative behavior

  • The caller is the owner and calls inside the Recovery phase.

Function call analysis

  • this.previewRedeem(owner, shares)

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • SafeERC20.safeTransfer(HourglassStableVaultKYC.USDT, receiver, usdtOut)

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • SafeERC20.safeTransfer(HourglassStableVaultKYC.USDC, receiver, usdcOut)

    • What is controllable? N/A.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑