Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>WOOFI Stake>Threat Model>setAutoCompound
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.sol
WooStakingProxy.solcompoundAllcompoundMPemergencyUnstakeinCaseTokenGotStucksetAutoCompoundstakestakeunstakeunstakeAll
WooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: setAutoCompound(bool _flag)

This enables or disables the automatic compound feature for the sender. Produces an LZ event with type ACTION_SET_AUTO_COMPOUND.

Inputs

  • _flag

    • Control: Fully controlled by the caller.

    • Constraints: None.

    • Impact: Decides if autocompound should be enabled or disabled.

Zellic © 2025Back to top ↑