Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>WOOFI Stake>Threat Model>stake
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.sol
WooStakingProxy.solcompoundAllcompoundMPemergencyUnstakeinCaseTokenGotStucksetAutoCompoundstakestakeunstakeunstakeAll
WooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Function: stake(address _user, uint256 _amount)

This is the same as stake(uint256 _amount), but it stakes msg.sender want token on behalf of _user.

Inputs

  • _user

    • Control: Fully controlled by the caller.

    • Constraints: None. Can even stake on behalf of address(0).

    • Impact: The address that is credited with the balance for the staking.

  • _amount

    • Control: Fully controlled by the caller.

    • Constraints: Has to be more than or equal to the amount sent in the transaction.

    • Impact: The amount to stake, which is added to the current balance of _user.

Branches and code coverage

Intended branches

  • Stake an amount equal to the funds sent.

Negative behavior

  • Stake more than what is being sent.

Zellic © 2025Back to top ↑