Open code423n4 opened 2 years ago
Agree with finding, I also believe inCaseStrategyGetStuck
and inCaseTokenGetStuck
are vectors for admin rugging, may want to add checks to ensure only non strategy token can be withdrawn from the vaults and strats
Handle
cmichel
Vulnerability details
The
Controller.inCaseStrategyGetStuck
withdraws from a strategy but does not callupdateBalance(_vault, _strategy)
afterwards.Impact
The
_vaultDetails[_vault].balances[_strategy]
variable does not correctly track the actual strategy balance anymore. I'm not sure what exactly this field is used for besides getting the withdraw amounts per strategy ingetBestStrategyWithdraw
. As the strategy contains a lower amount than stored in the field,Controller.withdraw
will attempt to withdraw too much.Recommended Mitigation Steps
Call
updateBalance(_vault, _strategy)
ininCaseStrategyGetStuck
.