Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Trillion EVM cross chain contract>Threat Model>depositForBurn
GeneralOverview
Findings
Low (1)
Informational (3)
Threat ModelWhat are threat models?NonceManager.solTokenBurner.sol
TokenMessenger.soldepositForBurn depositForBurnWithCaller
Audit ResultsAssessment Results

Function: depositForBurn(uint256 amount, uint32 destinationDomain, bytes32 mintRecipient, address burnToken)

This function initiates the cross-chain transfer of tokens. The desired amount of tokens to be transferred will be transferred to the _localBurner account and burned from this _localBurner account. The caller must also provide the address of the token to be burned before the transfer to the destination chain. This function does not verify the provided token itself, verification is handled in the TokenBurner contract. The onlyWithinBurnLimit modifier ensures that the amount does not exceed the burnLimitsPerMessage value for the specified token. Additionally, this function emits a DepositForBurn event.

Inputs

  • amount

    • Control: Full control.

    • Constraints: The caller must hold the specified number of tokens. The amount must be greater than zero.

    • Impact: This is the amount of tokens to be burned and transferred to the destination chain.

  • destinationDomain

    • Control: Full control.

    • Constraints: The remoteTokenMessengers for the provided destinationDomain must be set by the contract owner.

    • Impact: This represents the domain of the remote TokenMessenger.

  • mintRecipient

    • Control: Full control.

    • Constraints: mintRecipient != bytes32(0)

    • Impact: The recipient of the burned tokens on the destination chain.

  • burnToken

    • Control: Full control.

    • Constraints: n/a

    • Impact: The token to be burned.

Branches and code coverage

Intended branches

  • The specified amount of tokens was successfully burned.

Negative behavior

  • The token is not supported.

  • The caller does not have enough tokens to transfer.

  • The destinationDomain is not supported.

  • The mintRecipient address is zero.

  • The amount exceeds the burnLimitsPerMessage.

Function call analysis

  • _depositForBurn(amount,destinationDomain,mintRecipient,burnToken,bytes32(0)) -> _getRemoteTokenMessenger(_destinationDomain)

    • What is controllable? _destinationDomain

    • If the return value is controllable, how is it used and how can it go wrong? Returns the address of the TokenMessenger on _destinationDomain. This address is controlled by the contract owner.

    • What happens if it reverts, reenters or does other unusual control flow? Reverts if the caller provides a non-existent _destinationDomain value.

  • _depositForBurn(amount,destinationDomain,mintRecipient,burnToken,bytes32(0)) -> _getLocalBurner()

    • What is controllable? n/a

    • If the return value is controllable, how is it used and how can it go wrong? Returns the address of the local burner contract, which is set by the contract owner.

    • What happens if it reverts, reenters or does other unusual control flow? Reverts if the burner contract address is not set.

  • _depositForBurn(amount,destinationDomain,mintRecipient,burnToken,bytes32(0)) -> _burnToken.transferFrom(_msgSender(), address(_localBurner), _amount)

    • What is controllable? _burnTokenAddress, _amount

    • If the return value is controllable, how is it used and how can it go wrong? Returns true if the transfer of tokens was successful.

    • What happens if it reverts, reenters or does other unusual control flow? Reverts if the caller does not own enough tokens to transfer.

  • _depositForBurn(amount,destinationDomain,mintRecipient,burnToken,bytes32(0)) -> _localBurner.burn(_burnTokenAddress, _amount)

    • What is controllable? _burnTokenAddress, _amount

    • If the return value is controllable, how is it used and how can it go wrong? n/a

    • What happens if it reverts, reenters or does other unusual control flow? Reverts if the provided amount exceeds the burn limit.

  • _depositForBurn(amount,destinationDomain,mintRecipient,burnToken,bytes32(0)) -> _getNonceManager()

    • What is controllable? n/a

    • If the return value is controllable, how is it used and how can it go wrong? Returns the address of the nonce manager contract, which is set by the contract owner.

    • What happens if it reverts, reenters or does other unusual control flow? Reverts if the nonceManager is not set.

  • _depositForBurn(amount,destinationDomain,mintRecipient,burnToken,bytes32(0)) -> _nonceManager.reserveAndIncrementNonce()

    • What is controllable? n/a

    • If the return value is controllable, how is it used and how can it go wrong? Increments the current nonce and returns the updated nonce.

    • What happens if it reverts, reenters or does other unusual control flow? No problems.

Zellic © 2025Back to top ↑