Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>bridge
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.soluniswapV3.solvaultController.solzapDest.sol
zapFrom.solbridgepermitSwapAndBridgeswapAndBridgewithdraw
Audit ResultsSummary

Function: bridge(uint256 amountIn, address fromToken, uint16 srcPoolId, uint16 dstPoolId, byte[] payload)

There is no check that msg.value is not less than amountIn in case of fromToken == address(0). The function allows to bridge and deposit to vaults using Stargate.

Inputs

  • amountIn

    • Constraints: !=0.

    • Impact: The amount of token for the swap.

  • fromToken

    • Constraints: There is no check, but it should be the same address as pool.token().

    • Impact: The address of the token in srcPoolId.

  • srcPoolId

    • Constraints: router.swap reverts if factory.getPool(_poolId) returns zero address.

    • Impact: The ID of the SRC pool.

  • dstPoolId

    • Constraints: The owner of the router should create and activate the chain path for _dstChainId and _dstPoolId. The _dstChainId is constant ARBITRUM_CHAIN_ID.

    • Impact: The ID of the DST pool.

  • payload

    • Constraints: This is not verified.

    • Impact: Contain the data for ZapDest, expected address receiver, uint256 vaultId, and address vaultAddress.

Branches and code coverage (including function calls)

Intended branches

  • The Stargate swap() is performed properly.

Negative behavior

  • msg.value < amountIn and fromToken == address(0).

  • msg.sender does not have enough fromToken tokens.

Function call analysis

  • ERC20(fromToken).safeTransferFrom(msg.sender,address(this),amountIn)

    • What is controllable? fromToken and amountIn.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Can reenter but without negative impact.

  • _bridge(amountIn, fromToken, srcPoolId, dstPoolId, payload) -> IStargateRouter(stargateRouterEth).swapETHAndCall{value: msgValue}

    • What is controllable? amountIn, fromToken, srcPoolId, dstPoolId, and payload.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Deposit funds to the stargateEthVault and call stargateRouter.swap. Will revert if amountIn > msgValue.

  • _bridge(amountIn, fromToken, srcPoolId, dstPoolId, payload) -> IStargateRouter(stargateRouter).swap{value: msg.value}

    • What is controllable? amountIn, fromToken, srcPoolId, dstPoolId, and payload.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? No problem.

Zellic © 2025Back to top ↑