Assessment reportsPublic findings
Back to Zellic site
Assessment reports>STFX>Threat Models>closeSpot
GeneralOverview
Findings
High (1)
Medium (4)
DiscussionCentralizationEighteen-decimal compliance
Threat ModelsWhat are threat models?spot.solswap.sol
trade.solchangeStfxSpotchangeStfxSwapcloseSpotcloseSpotByAdminFunction: openSpot(uint96 amount, bytes calldata commands, bytes[] calldata inputs, uint256 deadline)
vesting.solvestingFactory.sol
Audit ResultsSummary

Function: closeSpot(byte[] commands, byte[][] inputs, uint256 deadline)

Closes a spot position. This triggers the universal router to swap from basetokens to deposittokens. Distributes the profit minus fees if there is a profit, otherwise just the remaining amount. Also sets status to DISTRIBUTED. Can only be called by the current manager of the STF and only when the STF has status OPENED.

Inputs

  • commands

    • Control: Full.

    • Constraints: Concatenated, 1-byte commands sent to the UniversalRouter (e.g., Uniswap).

    • Impact: Decides, for example, if transactions should be able to revert and identifies the command to be carried out.

  • inputs

    • Control: Full.

    • Constraints: Array of (ABI-encoded) inputs to each command.

    • Impact: Decides recipient, amount of tokens to trade, min. amount, trade path, and so forth. See Uniswap details.

  • deadline

    • Control: Full.

    • Constraints: None.

    • Impact: Maximum timestamp for the tx. Will revert after this time.

Branches and code coverage (including function calls)

Intended branches

  • Successfully closes the spot.

Negative behavior

  • Called by wrong address.

Function call analysis

  • closeSpot -> getManagerCurrentStfInfo(msg.sender)

    • What is controllable? Address is msg.sender only.

    • If return value controllable, how is it used and how can it go wrong? Returns the salt for the STF associated with the address.

    • What happens if it reverts, reenters, or does other unusual control flow? If address is unknown, returns the zero struct.

  • closeSpot -> _closeSpotSwap(_stf, commands, inputs, deadline) -> swap.swapUniversalRouter(_stf, commands, inputs, deadline)

    • What is controllable? commands, inputs, and deadline are fully controllable. _stf is a struct fetched from the spot, based on msg.sender.

    • If return value controllable, how is it used and how can it go wrong? If deadline expires, everything reverts. Commands/inputs are consumed further up the chain (out of scope).

    • What happens if it reverts, reenters, or does other unusual control flow? Depending on the contents of commands and the deadline, this is expected to revert if the transfers fail, or fail to execute before the deadline.

  • closeSpot -> _distribute(_stf, amount) -> spot.closeSpot(remaining, salt)

    • What is controllable? Amount is somewhat controllable by funding the STF more.

    • If return value controllable, how is it used and how can it go wrong? Depending on the ERC20 token used, the transfer functions can fail with or without a revert and with nothing or partial amounts transferred. There is also possibility for reentrancy issues with the wrong token.

    • What happens if it reverts, reenters, or does other unusual control flow? If made to revert, the STF status would not change, leading to investor claims not working as expected.

Zellic © 2024Back to top ↑