Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Y2K Finance>Threat Model>beforeDeploy
GeneralOverview
Findings
Critical (1)
High (3)
Medium (5)
Low (4)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.sol
HookAave.solafterCloseafterDepositbeforeDeploybeforeWithdrawsetStrategyVaultupdatePath
HookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.soluniswapV3.solvaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: beforeDeploy()

This borrows the max amount from Aave and sends it to the strategyVault.

Branches and code coverage (including function calls)

Intended branches

  • The function calls _borrow() to borrow the max amount from Aave and transfers the borrowed amount to msg.sender.

Negative behavior

  • The function reverts if _borrow() fails.

  • The function reverts if the caller is an address other than strategy.

Function call analysis

  • _borrow()

    • What is controllable? No external control.

    • If return value controllable, how is it used and how can it go wrong? The return value is not controllable, but its impact is significant as it represents the borrowed amount from Aave.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • strategyBorrowToken.safeTransfer(msg.sender, borrowAmount)

    • What is controllable? msg.sender.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

Zellic © 2024Back to top ↑