Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Threat Model>compoundAll
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.sol
WooStakingManager.solclaimRewardsclaimRewardscompoundAllcompoundAllForUserscompoundMPcompoundRewardssetAutoCompoundstakeWoounstakeWoo
WooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: compoundAll(address _user)

This is a utility function to compound all the MP and rewards for a given user.

Inputs

  • _user

    • Control: Not controlled by a non-admin caller.

    • Constraints: It is set to the initial caller.

    • Impact: The address to compound all for.

Zellic © 2025Back to top ↑