
Use reentrancy guards in deposit and withdraw functions

While our examination of the contracts did not reveal any reentrancy scenarios, we strongly advise implementing reentrancy guards as a precautionary measure. The following functions lack protection against reentrancy:

  • ZapFrom: The swapAndBridge and permitSwapAndBridge functions.

  • ZapDest: The withdraw function.

  • StrategyVault: The deposit, withdraw, claimEmissions, and withdrawFromQueue functions.

This recommendation is based on the potential for certain tokens to incorporate callbacks during transfers, which can introduce vulnerabilities if not adequately safeguarded against.

The issue was fixed in commit 46d5cba.
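
The sketch below is an added example, not code from the Y2K Finance repository or from the fixing commit. It shows the recommended pattern on a hypothetical `GuardedVault`: a single lock shared by `deposit` and `withdraw`, so a token callback fired during one cannot re-enter the other. The contract name, its storage layout and the minimal `IERC20` interface are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface. The token behind it may invoke callbacks on the
// sender or receiver during transfers, which is the case the guard covers.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault for illustration; not StrategyVault, ZapFrom or ZapDest.
contract GuardedVault {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    IERC20 public immutable asset;
    mapping(address => uint256) public balanceOf;

    error Reentrancy();
    error InsufficientBalance();
    error TransferFailed();

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    // One lock shared by every guarded function: a callback fired inside
    // withdraw cannot re-enter deposit (cross-function reentrancy) either.
    modifier nonReentrant() {
        if (status == ENTERED) revert Reentrancy();
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function deposit(uint256 amount) external nonReentrant {
        // Credit only after the pull succeeds; the lock is held during the call.
        if (!asset.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        balanceOf[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external nonReentrant {
        if (balanceOf[msg.sender] < amount) revert InsufficientBalance();
        // Effects before interaction: balance is final before the token call.
        balanceOf[msg.sender] -= amount;
        if (!asset.transfer(msg.sender, amount)) revert TransferFailed();
    }
}
```

Any further state-changing entry point that moves tokens would carry the same modifier, so that all of them share the one lock.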

Zellic © 2024