Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>WOOFI Stake>Threat Model>withdraw
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.sol
VaultV2.soldepositearninCaseNativeTokensGetStuckinCaseTokensGetStuckproposeStratupgradeStratwithdraw
WooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.solWooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: withdraw(uint256 shares)

This allows a user to withdraw their funds from the vault.

Inputs

  • shares

    • Control: Fully controlled by the caller.

    • Constraints: Checked that the caller can afford.

    • Impact: The amount of shares to be burned by msg.sender.

Branches and code coverage

Intended branches

  • Ensure that msg.sender can afford the withdrawal.

  • Calculate the amount to be withdrawn.

  • Burn the calculated amount of shares from the caller.

  • If there are not enough funds for the user to withdraw, withdraw the funds from the strategy.

  • Send funds back to the user. In the case of WETH, withdraw WETH and transfer ETH to the user. Otherwise, transfer want ERC-20 tokens to the user.

Negative behavior

  • Should not allow msg.sender to deposit more than they can afford. Enforced through the balanceOf check and the explicit _burn.

Zellic © 2025Back to top ↑