Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Threat Model>setAutoCompound
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.sol
WooStakingManager.solclaimRewardsclaimRewardscompoundAllcompoundAllForUserscompoundMPcompoundRewardssetAutoCompoundstakeWoounstakeWoo
WooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: setAutoCompound(address _user, bool _flag)

This enables or disables automatic compounding for a given user. The user is only added if its current balance meets the threshold criteria set in the compounder module.

Inputs

  • _user

    • Control: Fully controlled by an admin but limited to be the initial caller otherwise.

    • Constraints: None, but has no direct effect if the user has no balance or does not exist. The event is always emitted.

    • Impact: The address to attempt enabling or disabling compounding for.

  • _flag

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: Decision to enable or disable automatic compounding.

Branches and code coverage

Intended branches

  • Enable automatic compounding.

  • Disable automatic compounding.

Negative behavior

  • Caller is not a service admin.

Function call analysis

  • this.compounder.addUserIfThresholdMeet(_user)

    • What is controllable? Fully controlled by an admin but limited to be the initial caller otherwise.

    • If the return value is controllable, how is it used and how can it go wrong? Return value tells if the user was added or not, but it is ignored. The event will be produced even if the user was not added.

    • What happens if it reverts, reenters or does other unusual control flow? Cannot revert, but attempting to add a user will always produce the event.

  • this.compounder.removeUser(_user)

    • What is controllable? Fully controlled by an admin but limited to be the initial caller otherwise.

    • If the return value is controllable, how is it used and how can it go wrong? Same as for addUserIfThresholdMeet, but removal can also fail if the user is under cooldown. The return value is ignored, and all events are produced as normal.

    • What happens if it reverts, reenters or does other unusual control flow? Same as above.

Zellic © 2024Back to top ↑