Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Wasabi>Threat Models>acceptBidWithTokenId
GeneralOverview
Findings
High (4)
Medium (3)
DiscussionAbstractWasabiPool should use upgradable variants of OpenZeppelin contractsPut options operate on entire collectionsPools require well-behaved NFTs
Threat ModelsWhat are threat models?
AbstractWasabiPool.solacceptBidWithTokenIdacceptAskexecuteOptiononERC721ReceivedwriteOptionTo
WasabiOptionWasabiPoolFactory.sol
Audit ResultsSummary

Function: acceptBidWithTokenId(WasabiStructs.Bid _bid, bytes calldata _signature, uint256 _tokenId)

Accepts the bid for LPs with _tokenId.

Inputs

  • _bid

    • Control: User has full control over the input.

    • Constraints: Assuming, the _bid must be checked with the corresponding signature, however that check occurs out of scope.

    • Impact: Only valid bids can be accepted.

  • _signature

    • Control: User has full control over the input.

    • Constraints: The conduit may check the signature, but that check occurs out of scope.

    • Impact: _signature check is hopefully valid.

  • _tokenId

    • Control: User has full control over the input.

    • Constraints: TokenID must not be locked up in another option.

    • Impact: Non-lockup tokenIDs can be used.

Branches and code coverage (including function calls)

Intended branches

Negative behavior

Function call analysis

  • acceptBidWithTokenId -> factory.issueOption(_bid.buyer)

  • What is controllable? The buyer who will be issued an option.

    • If return value controllable, how is it used and how can it go wrong? Return value is the ID of the option issued, which is used to correspond with the token ID that will be locked up. Can only go wrong if an existing option has the same ID; however, that does not appear the case.

    • What happens if it reverts, reenters, or does other unusual control flow? Bid not accepted under revert condition, reentrancy, or unusual control flow is not an issue.

  • acceptBidWithTokenId -> isAvailableTokenId(_tokenId)

  • What is controllable? The token ID to check if it is available.

    • If return value controllable, how is it used and how can it go wrong? Return value is a boolean that determines if the token ID is available. Can only go wrong if this information is relayed incorrectly.

    • What happens if it reverts, reenters, or does other unusual control flow? Bid not accepted under revert condition, reentrancy, or unusual control flow is not an issue.

  • acceptBidWithTokenId -> availableBalance()

    • What is controllable? No function params.

    • If return value controllable, how is it used and how can it go wrong? Return value is the available balance of the pool and is used to check if there exists enough liquidity. Can only go wrong if this information is relayed incorrectly.

    • What happens if it reverts, reenters, or does other unusual control flow? Function could revert if there are too many bids as the loop will run out of gas. Reentrancy or unusual control flow is not an issue.

Zellic © 2024Back to top ↑