Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>deployPosition
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.sol
StrategyVault.solclaimEmissionsclearQueuedDepositsclosePositiondeployPositiondepositrequestWithdrawalsetWeightStrategyunrequestWithdrawalupdateActiveListwithdrawwithdrawFromQueue
SwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.soluniswapV3.solvaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: deployPosition()

The fundsDeployed should be false. After the call, fundsDeployed = true.

Branches and code coverage (including function calls)

Negative behavior

  • The fundsDeployed is true.

  • Second call after successful deploy of position

Function call analysis

  • hook.addr.beforeDeploy()

    • What is controllable? N/A.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? This function is called if hook.command.shouldCallBeforeDeploy() == true. In the case of the HookAave contract, this function borrows the max amount from Aave and sends it to the strategyVault. It can revert if the strategyBorrowToken balace of the hook.addr contract is less than borrowAmount.

  • fetchDeployAmounts()

    • What is controllable? N/A.

    • If return value controllable, how is it used and how can it go wrong? With incorrect matching of elements between lists.

    • What happens if it reverts, reenters, or does other unusual control flow? There is no problem.

  • _deployPosition(vaults, epochIds, amounts, vaultType);

    • What is controllable? N/A.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Deposit tokens to vaults. It can revert if balance of asset token is not enough.

  • hook.addr.afterDeploy()

    • What is controllable? N/A.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? This function is called if hook.command.shouldCallAfterDeploy() == true.

Zellic © 2025Back to top ↑