Assessment reportsPublic findings
Back to Zellic site
Assessment reports>StakeKit>Threat Model>redeem
GeneralOverview
Findings
Critical (1)
High (1)
Medium (3)
Low (1)
Patch ReviewPatch Review
Threat ModelWhat are threat models?
AllocatorVaultV1.soldepositharvestmintredeemwithdraw
Audit ResultsAssessment Results

Function: redeem(uint256 shares, address receiver, address owner)

This function allows for the specification of the desired amount of shares to be burned directly, followed by the withdrawal of assets from the ERC-4626 vault.

Inputs

  • shares

    • Control: Arbitrary.

    • Constraints: It must be greater than zero and less than or equal to the balance of the owner.

    • Impact: Specifies the amount of shares to be burned.

  • receiver

    • Control: Arbitrary.

    • Constraints: A value of type address.

    • Impact: It is the address of the wallet receiving the assets.

  • owner

    • Control: Arbitrary.

    • Constraints: It must not be address(0).

    • Impact: Specifies the address of the wallet that will burn the shares.

Branches and code coverage

Intended branches

  • A normal withdrawal occurs when shares greater than zero and less than or equal to the owner's balance is provided.

Negative behavior

  • The transaction reverts when the shares value is zero.

  • The transaction reverts when the shares value is less than the owner's balance.

Function call analysis

  • this.strategy.convertToAssets(assets)

    • What is controllable? The assets value.

    • If the return value is controllable, how is it used and how can it go wrong? No impact.

    • What happens if it reverts, reenters or does other unusual control flow? If reentrancy is possible, it may lead to an increase in the totalSupply() value through repetitive calls to the harvest function, potentially resulting in the permanent freezing of funds.

  • SafeERC20.safeTransfer(IERC20(address(this.strategy)), receiver, assets)

    • What is controllable? The assets value and the receiver value.

    • If the return value is controllable, how is it used and how can it go wrong? No impact.

    • What happens if it reverts, reenters or does other unusual control flow? While a reentrancy scenario is possible, it may not provide sufficient incentive for an attack, as shares are burned in advance.

  • this.strategy.redeem(assets, receiver, address(this))

    • What is controllable? The assets value and the receiver value.

    • If the return value is controllable, how is it used and how can it go wrong? No impact.

    • What happens if it reverts, reenters or does other unusual control flow? While a reentrancy scenario is possible, it may not provide sufficient incentive for an attack, as shares are burned in advance.

  • this.strategy.convertToAssets(this.totalAssets())

    • What is controllable? It is uncontrollable.

    • If the return value is controllable, how is it used and how can it go wrong? The fee process can be maliciously manipulated.

    • What happens if it reverts, reenters or does other unusual control flow? While a reentrancy scenario is possible, it may not provide sufficient incentive for an attack, as shares are burned in advance.

Zellic © 2025Back to top ↑