shafu0x
commented
3 months ago this is a user error. we don't check for user errors.
Closed Al-Qa-qa closed 3 months ago
shafu0x
commented
3 months ago this is a user error. we don't check for user errors.
Al-Qa-qa
commented
3 months ago You are right. Although there may be some situations where the likelihood increases, it remains a user error as you said.
In this case, The issue is invalid as it is not from the design choice to check for input user errors.
You can comment on the issue if you want to add something.
Description
VaultManagerV3::deposit()allows depositing to any vault even if it is unlicensed. Since a specific vault can get unlicenced at any time, the user can end up depositing funds in a vault that is unlicensed.Another thing is that the Developer Team can added and removed vaults recently, and there are some upgrades that happened to the vaultManager to mitigate people's funds. So there is a chance that the users can deposit to a vault that got unlicensed by the team recently.
This can happen when doing the Migration funds process, which is happening right now by the protocol. where there may be new vault supports and some got deprecated, and the chance of mistakes by users will not be low in this case.
If the team decided to unlicence a vault, we can not guarantee that all users knew about this before unlicencing. So some users may deposit in that vault, thinking it is licensed, but it is actually not.
If there are further protocol integrations with the DYAD (like a contract mints an NFT to mint dyad, let users participate in the process by splitting shares). there may be a problem in that case, as if the vault gets unlicenced, the further protocol that is interacting with DYAD may get affected and users too. (this is OOS but we should care for all cases).
Recommendations
We should check that the vault used to deposit funds is licensed, before making the deposit function.
VaultManagerV3.sol#L86-L98
NOTE: It is not recommended to add this in
withdraw/redeemfunctions, as if the vault gets unlicensed, users should be able to withdraw their funds from that unlicensed vault. So if we add this check inwithdraw/redeem, users' funds will get locked in the case of unlicensing a vault.