An issue was identified in the ZlpVault contract, specifically in the maxDeposit(address) function, where multiple external calls may occur within the same transaction. Although this practice isn't always inherently dangerous, there is a potential risk that the second call may never be executed if a prior call fails. This can be problematic if a malicious callee deliberately causes a failure or revert.
Contract: ZlpVault
Function: maxDeposit(address)
SWC ID: 113
File Reference:
The function maxDeposit(address) relies on multiple external calls:
1. Fetching the ZlpVaultStorage pointer (via _getZlpVaultStorage()).
2. Fetching depositCap by calling marketMakingEngine.getDepositCap(...).
3. Reading the vault's total asset balance using totalAssets(), which in turn can involve another external call (asset.balanceOf(address(this)) in the default ERC4626 flow).
Executing multiple external calls in a single transaction introduces a risk if any upstream call reverts. A malicious or faulty callee could block subsequent calls intentionally. While this scenario is low-risk in well-audited code (especially if the external calls are to contracts you trust and control), it’s still a recognized pattern flagged by SWC-113.
There is minimal direct financial risk; however, the user experience or the transaction flow may be disrupted if an unexpected revert from an external call blocks subsequent calls within the same transaction.
Manual Review.
If possible, refactor the function to minimize sequential external calls within the same transaction. Alternatively, if these calls must remain, ensure all external contracts (e.g., the Market Making Engine) are trusted.
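The sketch below is an added illustration of the call chain described in this finding and of the recommended hardening; it is not the ZlpVault project's code. It assumes a minimal IMarketMakingEngine interface exposing only getDepositCap(address) and a minimal ERC20 balanceOf, both constructed here for the example. The first variant reproduces the sequential-call pattern, where a revert in the engine aborts the whole function; the second wraps the engine call in try/catch so that a failing callee degrades to a capacity of zero, which also keeps maxDeposit within the ERC4626 requirement that it must not revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, minimal interface: only the call named in the finding is assumed.
interface IMarketMakingEngine {
    function getDepositCap(address vault) external view returns (uint256);
}

// Minimal ERC20 surface needed for the default ERC4626 totalAssets() flow.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

// Simplified stand-in for ZlpVault (example only, not the project's contract).
contract ZlpVaultSketch {
    struct ZlpVaultStorage {
        IMarketMakingEngine marketMakingEngine;
        IERC20Minimal asset;
    }

    ZlpVaultStorage private s;

    constructor(IMarketMakingEngine engine, IERC20Minimal asset_) {
        s.marketMakingEngine = engine;
        s.asset = asset_;
    }

    // Step 1 of the finding: obtain the storage pointer (an internal read).
    function _getZlpVaultStorage() internal view returns (ZlpVaultStorage storage) {
        return s;
    }

    // Step 3 of the finding: the default ERC4626 flow reads the asset balance,
    // which is itself an external call into the token contract.
    function totalAssets() public view returns (uint256) {
        return _getZlpVaultStorage().asset.balanceOf(address(this));
    }

    // Pattern as described in the finding: two chained external calls.
    // If getDepositCap reverts, the balanceOf read below is never reached and
    // maxDeposit itself reverts.
    function maxDepositChained(address) external view returns (uint256) {
        ZlpVaultStorage storage st = _getZlpVaultStorage();
        uint256 depositCap = st.marketMakingEngine.getDepositCap(address(this));
        uint256 assets = totalAssets();
        return depositCap > assets ? depositCap - assets : 0;
    }

    // Hardened variant: a revert inside the engine call is caught and mapped
    // to "no deposit capacity" instead of propagating, so the remaining flow
    // and any caller that relies on maxDeposit keep working.
    function maxDepositGuarded(address) external view returns (uint256) {
        ZlpVaultStorage storage st = _getZlpVaultStorage();
        uint256 depositCap;
        try st.marketMakingEngine.getDepositCap(address(this)) returns (uint256 cap) {
            depositCap = cap;
        } catch {
            return 0;
        }
        uint256 assets = totalAssets();
        return depositCap > assets ? depositCap - assets : 0;
    }
}
```

Two caveats when applying this: try/catch only catches reverts raised by the callee; it does not protect against a target address with no code or against return data that fails to ABI-decode, so the engine address should still be set from a trusted, validated source. And mapping a failure to zero is a product decision: it keeps the vault responsive but silently disables deposits, so emitting an event or exposing a health check alongside it makes the failure observable to operators.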