Assessment reports>Y2K Finance>Threat Model>permitSwapAndBridge

Function: permitSwapAndBridge(address receivedToken, uint16 srcPoolId, uint16 dstPoolId, byte[1] dexId, PermitTransferFrom permit, SignatureTransferDetails transferDetails, byte[] sig, byte[] swapPayload, byte[] bridgePayload)

The function allows to swap with permit, bridge, and deposit to vaults using Stargate. Add check that receivedToken is equal to the last token in swap.

Inputs

  • receivedToken

    • Constraints: N/A.

    • Impact: Expected that this token is last in swap.

  • srcPoolId

    • Constraints: router.swap reverts if factory.getPool(_poolId) returns zero address.

    • Impact: The ID of SRC pool.

  • dstPoolId

    • Constraints: The owner of the router should create and activate the chain path for _dstChainId and _dstPoolId. The _dstChainId is constant ARBITRUM_CHAIN_ID.

    • Impact: The ID of DST pool.

  • dexId

    • Constraints: Revert if dexId is not 0x01, 0x02, 0x03, 0x04, or 0x05.

    • Impact: The ID of the DEX that will be used.

  • permit

    • Constraints: Checked inside the permitTransferFrom function.

    • Impact: The permit data signed over by the owner.

  • transferDetails

    • Constraints: N/A.

    • Impact: The spender's requested transfer details for the permitted token.

  • sig

    • Constraints: Checked inside the permitTransferFrom function.

    • Impact: The signature to verify.

  • swapPayload

    • Constraints: N/A.

    • Impact: The data required for swap.

  • bridgePayload

    • Constraints: Is not verified.

    • Impact: Contain the data for ZapDest, expected address receiver, uint256 vaultId, and address vaultAddress.

Branches and code coverage (including function calls)

Intended branches

  • _swapBalancer is performed properly.

  • _swapUniswapV2 is performed properly.

  • _swapUniswapV3 is performed properly.

  • SushiSwap is performed properly.

  • _swapWithCurve is performed properly.

Negative behavior

  • The invalid permit.

  • The invalid signature.

  • The receivedToken is not the last token in swap.

  • The receivedToken is zero address.

Function call analysis

  • _swap(dexId,transferDetails.requestedAmount,swapPayload); -> otherFunction(args)

    • What is controllable? dexId, transferDetails.requestedAmount, and swapPayload.

    • If return value controllable, how is it used and how can it go wrong? Returns the final number of tokens after the swap.

    • What happens if it reverts, reenters, or does other unusual control flow? Can revert if dexId is invalid --- also can revert if final amount will be less than minimum out amount.

  • _swapBalancer(swapPayload) -> balancerVault.call(swapPayload)

    • What is controllable? swapPayload.

    • If return value controllable, how is it used and how can it go wrong? Returns the final number of tokens after the swap.

    • What happens if it reverts, reenters, or does other unusual control flow? Revert if swap failed.

  • _bridge(amountIn, fromToken, srcPoolId, dstPoolId, payload) -> IStargateRouter(stargateRouterEth).swapETHAndCall{value: msgValue}

    • What is controllable? amountIn, fromToken, srcPoolId, dstPoolId, and payload.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Deposit funds to the stargateEthVault and call stargateRouter.swap. Will revert if amountIn > msgValue.

  • _bridge(amountIn, fromToken, srcPoolId, dstPoolId, payload) -> IStargateRouter(stargateRouter).swap{value: msg.value}

    • What is controllable? amountIn, fromToken, srcPoolId, dstPoolId, and payload.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? No problem.

Zellic © 2024Back to top ↑