Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Threat Model>compoundMP
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.sol
WooStakingProxy.solcompoundAllcompoundMPemergencyUnstakeinCaseTokenGotStucksetAutoCompoundstakestakeunstakeunstakeAll
WooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: compoundMP()

This sends an LZ message of type ACTION_COMPOUND_MP on behalf of the sender.

Zellic © 2025Back to top ↑