Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Threat Model>borrow
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.sol
WooLendingManager.solborrowinCaseTokenGotStuckrepayPrincipal
WooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.solWooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: borrow(uint256 amount)

This allows borrowing and depositing the borrowed amount into WooPP.

Inputs

  • amount

    • Control: Fully controlled by the caller.

    • Constraints: Must be greater than 0.

    • Impact: The amount to be borrowed.

Branches and code coverage

Intended branches

  • Assumed there is some sort of arrangement or collateralization against borrowing between the protocol and the borrower.

  • Accrue the interest before borrowing.

  • Increase the borrowedPrincipal by the amount borrowed.

  • Borrow the amount from the SuperChargerVault.

  • Ensure that the difference between the balance before and after are equal to the amount borrowed.

  • Approve and deposit the borrowed amount into WooPP.

Negative behavior

  • Should not allow anyone other than a borrower to call this.

Zellic © 2024Back to top ↑