kitty-the-kat
commented
3 years ago Non critical issue, not prioritized
Open code423n4 opened 3 years ago
kitty-the-kat
commented
3 years ago Non critical issue, not prioritized
Handle
gpersoon
Vulnerability details
Impact
The function setStrategiesLength sets the strategiesLength for the yearn pools. It's difficult to check this value and prevent mistakes. However it is possible to retrieve the value from yearn by repeatedly calling withdrawalQueue(i) until you reach the value of 0 See: https://github.com/yearn/yearn-vaults/blob/master/contracts/Vault.vy#L216 NOTE: The first time a ZERO_ADDRESS is encountered, it stops withdrawing
Proof of Concept
//https://github.com/code-423n4/2021-06-gro/blob/main/contracts/vaults/BaseVaultAdaptor.sol#L90 function setStrategiesLength(uint256 _strategiesLength) external onlyOwner { strategiesLength = _strategiesLength; emit LogAdaptorStrategies(_strategiesLength); }
Tools Used
Recommended Mitigation Steps
Determine or check strategiesLength with a piece of code like: uint len=0; for (uint256 i = 0; i < MAX_STRATS; i++) { if (IYearnV2Vault(vault).withdrawalQueue(i) == 0) break; len++; }