
Function: deposit(address token, address to)

Allows depositing assets (both native ETH and ERC20 tokens) into the vault. The caller should first transfer the assets to the vault and then call deposit. Both steps must happen within the same transaction to prevent others from stealing the deposit.

Inputs

  • token

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Determines the asset that is being deposited.

  • to

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Determines the recipient of the deposit.

Branches and code coverage (including function calls)

Intended branches

Allows depositing native ETH.

Allows depositing an ERC20 token.

Negative behavior

ETH sent to the contract when depositing an ERC20 token.
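
The following Python model is an added illustration, not SyncSwap's or the report's code. It shows why the transfer and the deposit call must share one transaction when `to` is unconstrained. It assumes the vault credits the difference between its current balance and its last recorded reserve, and that ETH sent along with an ERC20 deposit is rejected; the names `VaultModel`, `receive`, `split_flow` and `atomic_flow` are hypothetical.

```python
# Added model, not SyncSwap code. Assumption: deposit() credits
# (current balance - recorded reserve) of `token` to `to`.
from collections import defaultdict

NATIVE = "ETH"  # constructed sentinel standing in for native ETH


class Revert(Exception):
    """Models a reverted call."""


class VaultModel:
    def __init__(self):
        self.held = defaultdict(int)     # funds actually sitting in the vault
        self.reserve = defaultdict(int)  # funds the vault has already accounted for
        self.credit = defaultdict(int)   # (token, owner) -> internal balance

    def receive(self, token, amount):
        """A plain transfer to the vault: moves funds, credits nobody."""
        self.held[token] += amount

    def deposit(self, token, to, msg_value=0):
        if msg_value:
            if token != NATIVE:
                raise Revert("ETH sent with an ERC20 deposit")  # assumed behavior
            self.held[NATIVE] += msg_value
        amount = self.held[token] - self.reserve[token]  # unaccounted surplus
        self.reserve[token] = self.held[token]
        self.credit[(token, to)] += amount  # `to` is arbitrary and unchecked
        return amount


def split_flow():
    """Transfer and deposit in separate transactions; another call lands between."""
    v = VaultModel()
    v.receive("USDC", 100)        # tx 1: alice transfers to the vault
    v.deposit("USDC", "other")    # tx 2: a different caller claims the surplus
    v.deposit("USDC", "alice")    # tx 3: alice's deposit finds nothing to credit
    return v.credit[("USDC", "alice")], v.credit[("USDC", "other")]


def atomic_flow():
    """Transfer and deposit inside one transaction; nothing can interleave."""
    v = VaultModel()
    v.receive("USDC", 100)        # same transaction as the next call
    v.deposit("USDC", "alice")
    v.deposit("USDC", "other")    # later transaction: surplus is already zero
    return v.credit[("USDC", "alice")], v.credit[("USDC", "other")]
```

In practice the atomic path is a router or helper contract that performs the transfer and the deposit call back to back, so no externally submitted transaction can observe the uncredited surplus.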

Function call analysis

  • rootFunction -> IERC20(wETH).balanceOf(address(this))

    • What is controllable? None.

    • If return value controllable, how is it used and how can it go wrong? Not controllable.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • rootFunction -> IWETH(wETH).withdraw(amount)

    • What is controllable? None.

    • If return value controllable, how is it used and how can it go wrong? Not controllable.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

Zellic © 2025