Y2K Finance Threat Model: sgReceive

Function: sgReceive(uint16 _chainId, bytes _srcAddress, uint256 _nonce, address _token, uint256 amountLD, bytes _payload)

Allows the contract to receive tokens bridged from another chain. Only stargateRelayer (the Stargate Router) can call this function. The native token is transferred to this contract before this function is triggered.

Inputs

  • _chainId

    • Constraints: N/A.

    • Impact: Not used.

  • _srcAddress

    • Constraints: N/A.

    • Impact: Not used.

  • _nonce

    • Constraints: N/A.

    • Impact: Not used.

  • _token

    • Constraints: No checks.

    • Impact: The address of the token that will be deposited to the vault. This address is supplied by the pool.

  • amountLD

    • Constraints: This value is not controlled by the user who initiated the cross-chain token transfer; it is the output of the swap.

    • Impact: The amount of tokens received. This amount of _token is deposited to the vault, and receiverToVaultToIdToAmount for the receiver is increased by amountLD.

  • _payload

    • Constraints: vaultAddress should be whitelisted.

    • Impact: Contains the receiver, id, and vaultAddress decoded by this function.

Branches and code coverage (including function calls)

Intended branches

  • Deposit in case token == sgEth.

  • Deposit in case token != sgEth.

Negative behavior

  • msg.sender is not stargateRelayer or stargateRelayerEth.

  • vaultAddress is not whitelisted.

Function call analysis

  • _stageRefund(receiver, _token, amountLD)

    • What is controllable? receiver, _token, and amountLD.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? The function increments the global eligibleRefund[receiver][_token] by amountLD. This eligibleRefund value is later consumed by the claimRefund->_claimRefund function.

  • _depositToVault(id, amountLD, _token, vaultAddress)

    • What is controllable? id, amountLD, _token, and vaultAddress.

    • If return value controllable, how is it used and how can it go wrong? Returns a boolean indicating whether the external call to the vault's deposit function succeeded.

    • What happens if it reverts, reenters, or does other unusual control flow? The function deposits the funds into the vaultAddress contract.
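As an added illustration of the intended and negative branches listed above and of the two internal calls (_stageRefund and _depositToVault), the following Solidity contract sketches how such an sgReceive handler fits together. It is example code written for this page, not Y2K Finance's implementation: the IVault interface, the abi.encode(receiver, id, vaultAddress) payload layout, the whitelistedVault mapping, the custom errors, and the choice to revert on a non-whitelisted vault while staging a refund only when the vault deposit fails are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative receiver for this threat model. Not Y2K Finance's code: the vault
// interface, the payload encoding abi.encode(receiver, id, vaultAddress), the
// storage names not taken from the report, and the revert/refund policy are
// assumptions made for the example.

interface IVault {
    function deposit(uint256 id, uint256 assets, address receiver) external;
    function depositETH(uint256 id, address receiver) external payable;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract StargateReceiverExample {
    address public immutable stargateRelayer;    // Stargate Router for ERC-20 pools
    address public immutable stargateRelayerEth; // Stargate Router for the native-ETH pool
    address public immutable sgEth;              // token address Stargate reports for native ETH

    mapping(address => bool) public whitelistedVault;
    // receiver => vault => id => amount credited by sgReceive
    mapping(address => mapping(address => mapping(uint256 => uint256)))
        public receiverToVaultToIdToAmount;
    // receiver => token => amount claimable through claimRefund -> _claimRefund (not shown)
    mapping(address => mapping(address => uint256)) public eligibleRefund;

    event VaultDeposit(address indexed receiver, address indexed vault, uint256 id, uint256 amount);
    event RefundStaged(address indexed receiver, address indexed token, uint256 amount);

    error NotRelayer(address caller);
    error VaultNotWhitelisted(address vault);

    constructor(address relayer, address relayerEth, address sgEth_, address[] memory vaults) {
        stargateRelayer = relayer;
        stargateRelayerEth = relayerEth;
        sgEth = sgEth_;
        // Whitelist is fixed at deployment in this example; a real deployment would gate updates.
        for (uint256 i = 0; i < vaults.length; i++) whitelistedVault[vaults[i]] = true;
    }

    // _chainId, _srcAddress and _nonce are unused, as the report notes, so they are unnamed here.
    function sgReceive(
        uint16, bytes memory, uint256,
        address _token,
        uint256 amountLD,
        bytes memory _payload
    ) external {
        // Negative behaviour: any caller other than the two relayers is rejected.
        if (msg.sender != stargateRelayer && msg.sender != stargateRelayerEth) {
            revert NotRelayer(msg.sender);
        }

        // _payload is built on the source chain; assumed layout (receiver, id, vaultAddress).
        (address receiver, uint256 id, address vaultAddress) =
            abi.decode(_payload, (address, uint256, address));

        // Negative behaviour: vaultAddress must be whitelisted. The bridged tokens are
        // already held by this contract at this point, so a revert leaves them here
        // rather than sending them to an arbitrary vault.
        if (!whitelistedVault[vaultAddress]) revert VaultNotWhitelisted(vaultAddress);

        if (_depositToVault(id, amountLD, _token, vaultAddress, receiver)) {
            // State is written only after the vault call succeeded.
            receiverToVaultToIdToAmount[receiver][vaultAddress][id] += amountLD;
            emit VaultDeposit(receiver, vaultAddress, id, amountLD);
        } else {
            // The vault refused the deposit: make the tokens claimable by receiver
            // instead of leaving them stranded in this contract.
            _stageRefund(receiver, _token, amountLD);
        }
    }

    // Returns true only if the vault call succeeded; does not revert on its own.
    function _depositToVault(uint256 id, uint256 amount, address token, address vault, address receiver)
        internal returns (bool)
    {
        if (token == sgEth) {
            // Intended branch: token == sgEth, native ETH was forwarded before this call.
            try IVault(vault).depositETH{value: amount}(id, receiver) { return true; } catch { return false; }
        }
        // Intended branch: token != sgEth. Approve exactly the bridged amount, nothing more.
        IERC20(token).approve(vault, amount);
        try IVault(vault).deposit(id, amount, receiver) { return true; } catch { return false; }
    }

    function _stageRefund(address receiver, address token, uint256 amount) internal {
        eligibleRefund[receiver][token] += amount;
        emit RefundStaged(receiver, token, amount);
    }

    // Needed so the relayer can forward native ETH ahead of sgReceive.
    receive() external payable {}
}
```

The points a reviewer would check against this shape are the ones the threat model enumerates: the caller check covers both relayer addresses, the vault whitelist is consulted before any value leaves the contract, the ERC-20 approval is limited to amountLD so a misbehaving vault cannot pull more than the bridged amount, and a failing deposit is converted into an eligibleRefund entry rather than a revert that would leave the funds with no owner-facing path out. Because _depositToVault makes an external call before receiverToVaultToIdToAmount is updated, any reentrancy reasoning for the real contract should start from that ordering.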

Zellic © 2025