Summary

An issue was identified in the ZlpVault contract—specifically in the maxDeposit(address) function—where multiple external calls may occur within the same transaction. Although this practice isn’t always inherently dangerous, there is a potential risk that the second call may never be executed if a prior call fails. This can be problematic if a malicious callee deliberately causes a failure or revert.

Vulnerability Details

Location

• Contract: ZlpVault

• URL: https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/zlp/ZlpVault.sol#L80-L110

• Function: maxDeposit(address)

• SWC ID: 113

• File Reference:

  /2025-01-zaros-part-2/lib/node_modules/openzeppelin-contracts-upgradeable/contracts/token/ERC20/extensions/ERC4626Upgradeable.sol:140

Description

The function maxDeposit(address) relies on multiple external calls:

1. Fetching the ZlpVaultStorage pointer (via _getZlpVaultStorage()).

2. Fetching depositCap by calling marketMakingEngine.getDepositCap(...).

3. Reading the vault’s total asset balance using totalAssets(), which in turn can involve another external call (asset.balanceOf(address(this)) in the default ERC4626 flow).

Executing multiple external calls in a single transaction introduces a risk if any upstream call reverts. A malicious or faulty callee could block subsequent calls intentionally. While this scenario is low-risk in well-audited code (especially if the external calls are to contracts you trust and control), it’s still a recognized pattern flagged by SWC-113.

Impact

There is minimal direct financial risk; however, the user experience or the transaction flow may be disrupted if an unexpected revert from an external call blocks subsequent calls within the same transaction.

Tools Used

Manual Review.

Recommendations

If possible, refactor the function to minimize sequential external calls within the same transaction. Alternatively, if these calls must remain, ensure all external contracts (e.g., the Market Making Engine) are trusted.