search

code-423n4 / 2021-07-sherlock-findings

0 stars 0 forks source link

Possible inaccurate stake balance after withdrawing funds from strategies #145

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

When withdrawing funds from the strategy, the PoolStrategy assumes that the exact amount of want tokens is withdrawn and increases the stake balance by amount. However, this may not always be true, depending on the strategy or the yield source of the strategy. The actual return number of tokens could be less than the provided parameter amount, thus resulting in an inaccurate stake balance. (For example, some vaults return only their total balance when the desired withdrawal amount exceeds it.)

Proof of Concept

Referenced code: PoolStrategy.sol#L79-L80

Recommended Mitigation Steps

Consider modifying the withdraw function of IStrategy to return a uint indicating the actual withdraw amount from the yield source. Take AaveV2 as an example, directly return the result from Aave (line 95), which is the actual withdraw amount according to Aave's documentation.

Evert0x commented 3 years ago

44

Evert0x commented 3 years ago

However, this may not always be true, depending on the strategy or the yield source of the strategy.

True, but currently only the AaveV2 strategy is used.

ghoul-sol commented 3 years ago

Duplicate of #44 so low risk