Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Bond Protocol>Threat Models>_createMarket
GeneralOverview
Findings
Medium (2)
Low (1)
Informational (3)
DiscussionRedundant safeTransfer callAssure token is activeRemove unchecked blockDouble-counted auctioneer
Threat ModelsWhat are threat models?BondAggregator.solBondBaseCallback.sol
BondBaseSDA.sol_createMarketsetIntervalspurchaseBonddecayAndGetPricefunction tune( uint256 id*, uint48 time_, uint256 price_ ) internal
BondBaseTeller.solBondFixedExpirySDA.solBondFixedExpiryTeller.solBondFixedTermSDA.solBondFixedTermTeller.sol
Audit ResultsResults

Function _createMarket(_createMarket(MarketParams memory params_) internal returns (uint256)

  1. Intended behavior.

    • Creates a new bond market.

  2. Negative behavior.

    • add a check that vesting <= MAX_FIXED_TERM for BondFixedTermTeller

    • Shouldn’t allow creating markets when allowNewMarkets is set to false.

    • When a market is created, its id must be unique (this is ensured in aggregator ’s createMarket function)

  3. Preconditions.

    • assumes markets can be created (allowNewMarkets)

    • assumes the MarketParams are properly checked

    • assumes quoteTokens and payoutTokens are not something sketchy (since anyone can create a market)

    • disallow registering a callback if a user is not whitelisted to do so. also, what if the status of a user changes? it’s not reflected in the market the user owns, as they could still call the callback.

  4. Postconditions.

    • The new market will be stored in a mapping market [id] -> MarketParams object.

    • The new market will have its own new market terms, market metadata and market params created.

  5. Inputs.

    • The input is basically a set of marketparams that’s used to store the info of a new market.

  6. Examine all function calls the function makes.

    a. uint256 marketId = aggregator.registerMarket(params.payoutToken, params_.quoteToken);

    • What is controllable? (callee, params, return value): the parameters are controllable (supplied as function params to function where this is called); something to note is the fact that anyone can create a market for whatever payoutToken or quoteToken (even dummy ones); haven’t yet found a way to exploit the protocol through this.

    • If return value controllable, how is it used and how can it go wrong: the return value is really important, so it must always increase (e.g. to not overwrite a previous market’s details); this is ensured in the registerMarket. Hence it will always increase.

    • What happens if it reverts or tries to reenter: n/a

Zellic © 2025Back to top ↑