Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>uniswapV3SwapCallback
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.sol
uniswapV3.sol_executeSwap_swapUniswapV3uniswapV3SwapCallback
vaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary

Function: uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, byte[] _data)

This is the callback implementation for UniswapV3 pools.

Inputs

  • amount0Delta

    • Constraints: Either one of amount0Delta or amount1Delta should be greater than zero.

    • Impact: The amount of token0 received.

  • amount1Delta

    • Constraints: Either one of amount0Delta or amount1Delta should be greater than zero.

    • Impact: The amount of token1 received.

  • _data

    • Constraints: Should correctly decode to tokenIn, tokenOut, and fee.

    • Impact: The encoded pool address, fee, and tokenOut address.

Branches and code coverage (including function calls)

Intended branches

  • The function requires either amount0Delta or amount1Delta to be greater than zero.

Negative behaviour

  • The function reverts if neither amount0Delta nor amount1Delta are greater than zero.

  • The function reverts if the caller is the incorrect pool.

Function call analysis

  • decodePool(_data)

    • What is controllable? _data.

    • If return value controllable, how is it used and how can it go wrong? The return value is used to extract tokenIn, tokenOut, and fee; if manipulated, it could lead to incorrect token transfers.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • getPool(tokenIn, tokenOut, fee)

    • What is controllable? tokenIn, tokenOut, and fee.

    • If return value controllable, how is it used and how can it go wrong? The return value is used as the caller of the function; if manipulated, an incorrect pool could be considered as the caller.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

  • SafeTransferLib.safeTransfer(ERC20(tokenIn), msg.sender, amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta))

    • What is controllable? tokenIn, msg.sender, amount0Delta, and amount1Delta.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? If this reverts, the entire call fails --- no reentrancy issues.

Zellic © 2025Back to top ↑