Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

In ZlpVault.maxDeposit multiple external calls may occur within the same transaction but the second call may never be executed if a prior call fails

Summary

An issue was identified in the ZlpVault contract, specifically in the maxDeposit(address) function, where multiple external calls occur within the same transaction. This practice is not always inherently dangerous, but there is a risk that a later call is never executed if an earlier call fails. This becomes a problem if a malicious callee deliberately causes a failure or revert.

Vulnerability Details

Location

Description

The function maxDeposit(address) relies on multiple external calls:

  1. Fetching the ZlpVaultStorage pointer (via _getZlpVaultStorage()).

  2. Fetching depositCap by calling marketMakingEngine.getDepositCap(...).

  3. Reading the vault’s total asset balance using totalAssets(), which in turn can involve another external call (asset.balanceOf(address(this)) in the default ERC4626 flow).

Executing multiple external calls in a single transaction introduces a risk if any upstream call reverts. A malicious or faulty callee could block subsequent calls intentionally. While this scenario is low-risk in well-audited code (especially if the external calls are to contracts you trust and control), it’s still a recognized pattern flagged by SWC-113.

Impact

There is minimal direct financial risk; however, the user experience or the transaction flow may be disrupted if an unexpected revert from an external call blocks subsequent calls within the same transaction.

Tools Used

Manual Review.

Recommendations

If possible, refactor the function to minimize sequential external calls within the same transaction. Alternatively, if these calls must remain, ensure all external contracts (e.g., the Market Making Engine) are trusted.
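As an added illustration of the call chain described above and of the recommendation, here is a minimal vault sketch (example code, not Zaros' ZlpVault, with an assumed IMarketMakingEngine interface and a hypothetical getDepositCap(address) signature). It shows the unguarded form beside a variant that wraps the engine call in try/catch, so maxDeposit answers 0 instead of reverting; EIP-4626 requires maxDeposit to never revert, which is the concrete reason a defender would care about a revert in this path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for this example; the real engine's signature may differ.
interface IMarketMakingEngine {
    function getDepositCap(address vault) external view returns (uint128);
}

interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

/// Illustrative vault: the two external reads from the finding
/// (engine cap lookup, then asset balance) feeding maxDeposit.
contract CappedVaultExample {
    IMarketMakingEngine public immutable marketMakingEngine;
    IERC20Minimal public immutable asset;

    constructor(IMarketMakingEngine engine_, IERC20Minimal asset_) {
        marketMakingEngine = engine_;
        asset = asset_;
    }

    // Default ERC-4626 style: one external call to the underlying token.
    function totalAssets() public view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    // Before: every external call is unguarded. A revert in getDepositCap
    // bubbles up, so maxDeposit itself reverts and nothing after it runs.
    function maxDepositUnguarded(address) external view returns (uint256) {
        uint256 cap = marketMakingEngine.getDepositCap(address(this));
        uint256 held = totalAssets();
        return held >= cap ? 0 : cap - held;
    }

    // After: the engine call is wrapped in try/catch. If the engine reverts,
    // the vault reports 0 (a legal "no deposits accepted" answer) rather than
    // reverting. balanceOf on the trusted asset is deliberately left unguarded.
    function maxDeposit(address) external view returns (uint256) {
        uint256 cap;
        try marketMakingEngine.getDepositCap(address(this)) returns (uint128 c) {
            cap = c;
        } catch {
            return 0;
        }
        uint256 held = totalAssets();
        return held >= cap ? 0 : cap - held;
    }
}
```

Whether the guarded form is appropriate depends on whether a silent 0 is preferable to a loud revert for the integrators reading the value; in a design where the engine is fully trusted, the unguarded form is a deliberate choice, which is the reasoning behind the judgement below.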

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
