Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>_depositToVault
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.soluniswapV3.sol
vaultController.sol_claimRefund_depositToVault_withdrawFromVault
zapDest.solzapFrom.sol
Audit ResultsSummary

Function: _depositToVault(uint256 id, uint256 amount, address inputToken, address vaultAddress)

Deposits ERC-20 or ETH to the vault.

Inputs

  • id

    • Constraints: Should be the correct epoch ID for the Y2K vault.

    • Impact: The epoch ID for the Y2K vault.

  • amount

    • Constraints: No constraints.

    • Impact: The amount of the token to deposit.

  • inputToken

    • Constraints: No constraints.

    • Impact: The address of the token to deposit.

  • vaultAddress

    • Constraints: Should be a valid vault address.

    • Impact: The address of the vault to deposit to.

Branches and code coverage (including function calls)

Intended branches

  • The function checks if inputToken is equal to sgEth to determine if an ETH or ERC-20 deposit is needed.

  • The function returns true if the deposit is successful and false if it fails.

Negative behavior

  • The function returns false if any of the deposit attempts (ETH or ERC-20) fail.

Function call analysis

  • IEarthquake(vaultAddress).depositETH{value: amount}(id, address(this))

    • What is controllable? id, amount, vaultAddress.

    • If return value controllable, how is it used and how can it go wrong? This function call does not return a value --- only success/failure.

    • What happens if it reverts, reenters, or does other unusual control flow? If the deposit of ETH fails, the function would return false.

  • IEarthquake(vaultAddress).deposit(id, amount, address(this))

    • What is controllable? id, amount, and vaultAddress.

    • If return value controllable, how is it used and how can it go wrong? This function call does not return a value --- only success/failure.

    • What happens if it reverts, reenters, or does other unusual control flow? If the deposit of ERC-20 tokens fails, the function would return false.

Zellic © 2025Back to top ↑