Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Y2K Finance>Threat Model>_executeSwap
GeneralOverview
Findings
Critical (1)
High (3)
Medium (5)
Low (4)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.sol
uniswapV3.sol_executeSwap_swapUniswapV3uniswapV3SwapCallback
vaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: _executeSwap(address tokenIn, address tokenOut, uint256 fromAmount, uint24 fee)

This executes the swap with the simulated V3 pool from tokenIn, tokenOut, and fee.

Inputs

  • tokenIn

    • Constraints: Should be a valid input token, such that the pool address generated is correct.

    • Impact: The address of the fromToken.

  • tokenOut

    • Constraints: Should be a valid output token, such that the pool address generated is correct

    • Impact: The address of the toToken.

  • fromAmount

    • Constraints: No constraints.

    • Impact: The amount of fromToken to swap.

  • fee

    • Constraints: Should be the valid fee, such that the pool address generated is correct.

    • Impact: The fee for the pool.

Branches and code coverage (including function calls)

Intended branches

  • The function handles swaps from tokenIn to tokenOut correctly.

Function call analysis

  • getPool(tokenIn, tokenOut, fee)

    • What is controllable? tokenIn, tokenOut, and fee.

    • If return value controllable, how is it used and how can it go wrong? The return value is used to select the pool for the swap.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • IUniswapV3Pool(getPool(tokenIn, tokenOut, fee)).swap(...)

    • What is controllable? tokenIn, tokenOut, fee, address(this), zeroForOne, int256(fromAmount), sqrtPriceLimitX96, and data.

    • If return value controllable, how is it used and how can it go wrong? The return value is used to extract the amountOut.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

Zellic © 2024Back to top ↑