Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Bond Protocol>Threat Models>batchRedeem
GeneralOverview
Findings
Medium (2)
Low (1)
Informational (3)
DiscussionRedundant safeTransfer callAssure token is activeRemove unchecked blockDouble-counted auctioneer
Threat ModelsWhat are threat models?BondAggregator.solBondBaseCallback.solBondBaseSDA.solBondBaseTeller.solBondFixedExpirySDA.solBondFixedExpiryTeller.solBondFixedTermSDA.sol
BondFixedTermTeller.sol_handlePayoutcreateredeembatchRedeemmintToken_burnTokengetTokenId
Audit ResultsResults

Function batchRedeem(uint256[] calldata tokenIds_, uint256[] calldata amounts_) external

NO UNIT-TEST

  • Essentially performs multiple redeem calls, which could have been done manually. A good check to mention here would be that tokenIds array length has to be equal to amounts array length.

Function deploy(ERC20 underlying_, uint48 expiry_) external

NO UNIT-TEST or at least not direct test

  1. Intended behavior.

    • "Deploy" a new ERC1155 bond token for an (underlying, expiry) pair and return its address.

  2. Negative behavior.

    • It shouldn’t allow modifying an already existing underlying, expiry pair!

    • It must assure that the expiry is in the future!

  3. Preconditions.

    • Assumes that the underlying, expiry pair doesn’t already exist as a bondToken

    • That getTokenId calculates the tokenId properly and there’s no way to bypass and create an additional token with same id.

  4. Postconditions.

    • Assumes a new ERC1155 tokenId has been created with the underlying, expiry pair.

  5. Inputs.

    • ERC20 underlying_: controlled,

    • uint48 expiry_: controlled,

  6. Examine all function calls the function makes.

    • There are no function calls here.

Zellic © 2025Back to top ↑