Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Threat Model>setAutoCompound
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.sol
WooStakingLocal.solcompoundAllcompoundMPemergencyUnstakeinCaseTokenGotStucksetAutoCompoundstakeunstakeunstakeAll
WooStakingManager.solWooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: setAutoCompound(bool _flag)

This enables or disables the automatic compound feature for the sender.

Inputs

  • _flag

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: Decides if autocompound should be enabled or disabled.

Branches and code coverage

Intended branches

  • Enable autocompound.

  • Disable autocompound.

Function call analysis

  • this.stakingManager.setAutoCompound(_user, _flag)

    • What is controllable? The flag is controllable.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value, but it should have one.

    • What happens if it reverts, reenters or does other unusual control flow? Disabling compounding will call compounder.removeUser(_user) inside the WooStakingCompounder module. In turn, removeUser will call _removeUser, which returns a boolean stating if the user was actually removed or not. Removal can fail if the user is not in the list of users with autocompound or if the user is still under cooldown (in which a RemoveAbortedInCooldown event will be emitted). However, this return code is never checked, and the final SetAutoCompoundOnLocal event will still be emitted despite the removal failing.

Zellic © 2024Back to top ↑