Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>_bridgeToSource
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.sol
bridgeController.sol_bridgeToSource_bridgeWithCeler_bridgeWithHop_bridgeWithHyphen
curve.solswapController.soluniswapV2.soluniswapV3.solvaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: _bridgeToSource(byte[1] _bridgeId, address _receiver, address _token, uint256 _amount, uint16 _sourceChainId, byte[] _withdrawPayload)

This bridges the token to the destination chain via the selected bridge.

Inputs

  • _bridgeId

    • Constraints: Has to be one of 0x01, 0x02 or 0x03.

    • Impact: The ID of the bridge to use (e.g., 0x01, 0x02, 0x03).

  • _receiver

    • Constraints: No constraints.

    • Impact: The address to receive the bridged tokens.

  • _token

    • Constraints: No constraints.

    • Impact: The address of the token to bridge.

  • _amount

    • Constraints: No constraints.

    • Impact: The amount of the token to bridge.

  • _sourceChainId

    • Constraints: No constraints.

    • Impact: The ID of the chain the token is being bridged from (always calling chain).

  • _withdrawPayload

    • Constraints: Should be encoded in the correct format based on the selected bridge.

    • Impact: The payload to decode for the extra inputs for each bridge.

Branches and code coverage (including function calls)

Intended branches

  • The function calls the appropriate _bridgeWith function based on _bridgeId.

Negative behavior

  • The function reverts if _bridgeId is not one of the supported bridge identifiers.

Function call analysis

  • _bridgeWithCeler(_receiver, _token, _amount, _sourceChainId, abi.decode(_withdrawPayload, (uint256)))

    • What is controllable? _receiver, _token, _amount, _sourceChainId, and _withdrawPayload.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • _bridgeWithHyphen(_receiver, _token, _amount, _sourceChainId)

    • What is controllable? _receiver, _token, _amount, and _sourceChainId.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • _bridgeWithHop(_receiver, _token, _amount, _sourceChainId, maxSlippage, bonderFee)

    • What is controllable? _receiver, _token, _amount, _sourceChainId, maxSlippage, and bonderFee.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

Zellic © 2025Back to top ↑