Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Bond Protocol>Threat Models>purchaseBond
GeneralOverview
Findings
Medium (2)
Low (1)
Informational (3)
DiscussionRedundant safeTransfer callAssure token is activeRemove unchecked blockDouble-counted auctioneer
Threat ModelsWhat are threat models?BondAggregator.solBondBaseCallback.sol
BondBaseSDA.sol_createMarketsetIntervalspurchaseBonddecayAndGetPricefunction tune( uint256 id*, uint48 time_, uint256 price_ ) internal
BondBaseTeller.solBondFixedExpirySDA.solBondFixedExpiryTeller.solBondFixedTermSDA.solBondFixedTermTeller.sol
Audit ResultsResults

function purchaseBond(uint256 id_, uint256 amount_, uint256 minAmountOut_ ) external

  1. Intended behavior.

    • Exchange quote tokens for a bond in a specified market

  2. Negative behavior.

    • Should only be callable by the BondBaseTeller inheriting contract, revert otherwise (this check is put in place)

    • Shouldn’t allow the purchase of bonds from ids that have no registered market

    • Should disallow the purchase if the amount of bonds is less than the minAmountOut (this check is put in place) #slippagecheck

  3. Preconditions.

    • Assumes that a teller is working properly and that the msg.sender is the teller in the cause.

    • Assumes that the market exists (through its id) and that it’s not closed

    • Also, the check on currentTime should be > than term.conclusion since it may close within same block.

  4. Postconditions..

    • If maxDebt was reached, the market has to be closed, otherwise, tuned accordingly.

    • market.capacity will decrease based on the amount or payout values.

    • market.purchase += amount_

    • market.sold += payout

  5. Inputs.

    • uint256 id_: full control, check that the market[id] has not concluded.

    • uint256 amount_: full control.

    • uint256 minAmountOut_: slippage check, is checked properly.

  6. Examine all function calls the function makes.

    a. (price, payout) = decayAndGetPrice(id, amount_, uint48(block.timestamp))

    • What is controllable? (callee, params, return value): id - controllable; amount - controllable - affects the number of payout tokens; block.timestamp - partially controlled

    • If return value is controllable, how is it used and how can it go wrong: price - even if something goes wrong, the price cannot be less than the market.minPrice; payout - if it is calculated incorrectly and the capacity value wasn't set (in a case when it was set for quoteToken) and market.minPrice value wasn’t set properly by the market owner, then it can be possible to steal the owner's funds.

    • What happens if it reverts or tries to reenter: not a problem.

Zellic © 2025Back to top ↑