Assessment reports > WOOFI Stake > Threat Model > harvest

Function: harvest()

This allows harvesting rewards from the Aave Pool.

Branches and code coverage

Intended branches

  • Harvest all rewards to the vault.

Negative behavior

  • Should not allow anyone other than the vault or an EOA to call this function.

Zellic © 2025