Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Y2K Finance>Threat Model>withdraw
GeneralOverview
Findings
Critical (1)
High (3)
Medium (4)
Low (5)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.soluniswapV3.solvaultController.solzapDest.sol
zapFrom.solbridgepermitSwapAndBridgeswapAndBridgewithdraw
Audit ResultsSummary

Function: withdraw(byte[] payload)

This allows to send a message to withdraw funds from the ARBITRUM chain. The message can trigger one of these functions: withdraw, withdrawAndBridge, or withdrawSwapAndBridge.

Inputs

  • payload

    • Constraints: No verifications.

    • Impact: It contains all the necessary data for withdrawal: funcSelector, bridgeId, receiver, ID (the ID for the epoch being withdraw from), and vaultAddress. Also can contain data for swap --- swapId, toAmountMin, dexId, toToken, and fee --- and for bridging: maxSlippage in case of _bridgeWithCeler, maxSlippage and bonderFee in case of _bridgeWithHop. The receiver address will be changed to the msg.sender address.

Function call analysis

  • ILayerZeroRouter(layerZeroRouter).send

    • What is controllable? payload.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Can revert in case of unpaid fee.

Zellic © 2025Back to top ↑