Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>_swapBalancer
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.sol
swapController.sol_swap_swapBalancer
uniswapV2.soluniswapV3.solvaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: _swapBalancer(byte[] swapPayload)

This swaps using the balancerVault.

Inputs

  • swapPayload

    • Constraints: No constraints.

    • Impact: The payload for the swap --- varies by DEX.

Branches and code coverage (including function calls)

Intended branches

  • The function calls the balancerVault with the provided swapPayload.

  • The function checks if the provided selector matches for a single swap or assumes multiswap if not.

  • In case of single swap, returns the decoded uint256 amount of toToken received.

  • In case of multiswap, checks negative asset deltas for received amounts and reverts if none are found.

Negative behavior

  • The function reverts if the balancerVault call is not successful.

Function call analysis

  • balancerVault.call(swapPayload)

    • What is controllable? swapPayload.

    • If return value controllable, how is it used and how can it go wrong? Success used for condition; data used for decoding results.

    • What happens if it reverts, reenters, or does other unusual control flow? This function call can revert if the balancerVault call fails --- no reentrancy scenarios.

Zellic © 2025Back to top ↑