Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>_swapUniswapV2
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.sol
uniswapV2.sol_executeSwap_swapUniswapV2
uniswapV3.solvaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: _swapUniswapV2(byte[1] dexId, uint256 fromAmount, byte[] payload)

This decodes the payload and conducts the swaps.

Inputs

  • dexId

    • Constraints: Should be either 0x01 or 0x02,

    • Impact: The ID for the DEX being used (0x01 for UniswapV2, 0x02 for SushiSwap).

  • fromAmount

    • Constraints: No constraints,

    • Impact: The amount of the fromToken being swapped.

  • payload

    • Constraints: Should be encoded in the correct format --- abi.encode(address[] path, uint256 minAmountOut).

    • Impact: The encoded payload for the swap.

Branches and code coverage (including function calls)

Intended branches

  • The function correctly determines the initCodeHash and factory based on the dexId.

  • The swap ratios and amounts are calculated correctly.

Negative behavior

  • The function reverts if the final amountOut is less than toAmountMin.

Function call analysis

  • _getPair(fromToken, toToken, initCodeHash, factory)

    • What is controllable? fromToken and toToken.

    • If return value controllable, how is it used and how can it go wrong? The return value is used as an address for the pair; if manipulated, it can lead to swapping on the wrong pair.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • IUniswapPair(pairs[i]).getReserves()

    • What is controllable? pairs[i].

    • If return value controllable, how is it used and how can it go wrong? The return value (reserveA and reserveB) impacts the calculation of swap amounts; this cannot be controlled.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • SafeTransferLib.safeTransfer(ERC20(path[0]), pairs[0], fromAmount)

    • What is controllable? path[0], pairs[0], and fromAmount.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • _executeSwap(path, pairs, amounts)

    • What is controllable? path, pairs, and amounts.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

Zellic © 2025Back to top ↑