Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Stable Predeposit>Threat Model>recoverEth
GeneralOverview
Findings
Medium (1)
DiscussionCode-quality improvementsLack of bridging gas refunds
Threat ModelWhat are threat models?
HourglassStableVault.soldeployToSparkdepositmintmodifyPendingDepositWindowmodifyStartedDepositWindowpreviewRedeemBridgerecoverErc20recoverEthredeemredeemBridgeredeemRecoverysetBridgeContractsetDepositCaptotalAssetstransitionToRecoveryModetransitionToUnwindModetransitionToWithdrawModetransitionToYieldModewithdrawwithdrawFromSparkwithdrawFromSparkRecovery
HourglassStableVaultBridge.solHourglassStableVaultFrax.solHourglassStableVaultKYC.sol
Audit ResultsAssessment Results

Function: recoverEth(address to)

This function enables admins to sweep accidental ETH deposits — only callable by ADMIN_ROLE holders.

Inputs

  • to

    • Control: N/A.

    • Constraints: Must be nonzero.

    • Impact: Receives the full ETH balance from the vault in a single transfer.

Branches and code coverage

Intended branches

  • Revert if the ETH balance is zero.

  • Forward all ETH to the recipient.

Negative behavior

  • Non-admin callers revert.

  • Revert if the recipient is the zero address.

Function call analysis

  • payable(to).call{ value: recoverable }("")

    • What is controllable? Admin specifies to, while recoverable equals the contract's entire ETH balance at call time.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? success is checked, and if false, the transaction reverts.

Zellic © 2025Back to top ↑