/// @notice Pulls `amount` of `token` from the caller, routes it into pool `poolId`
///         and mints ibBTC through the matching peak.
/// @dev    Only part of the function is shown here: its closing brace and any use of
///         `minOut` lie outside this excerpt (presumably a slippage check on `_ibbtc`
///         further down in Zap.sol — confirm against the full source).
/// @param  token  ERC20 transferred from msg.sender via safeTransferFrom
/// @param  amount quantity of `token` to pull
/// @param  poolId index into `pools`; 0..2 take the sett branch, 3 the byvWBTC branch,
///                anything else reverts with "INVALID_POOL_ID"
/// @param  idx    forwarded unchanged to _addLiquidity; its meaning is not visible here
/// @param  minOut not referenced in the visible lines (see @dev)
/// @return _ibbtc the value returned by the peak's mint call
function mint(IERC20 token, uint amount, uint poolId, uint idx, uint minOut)
external
defend
blockLocked
whenNotPaused
returns(uint _ibbtc)
{
// The transfer happens before poolId is validated; an invalid id is only caught
// by the final else branch, so the pull is executed and then rolled back.
token.safeTransferFrom(msg.sender, address(this), amount);
Pool memory pool = pools[poolId];
if (poolId < 3) { // setts
_addLiquidity(pool.deposit, amount, poolId + 2, idx); // pools are such that the #tokens they support is +2 from their poolId.
// NOTE(review): both calls below act on the contract's *entire* lpToken / sett
// balance, not only what this call produced, so any residual balance held by the
// Zap would be credited to this caller — confirm the Zap never retains a balance.
pool.sett.deposit(pool.lpToken.balanceOf(address(this)));
_ibbtc = settPeak.mint(poolId, pool.sett.balanceOf(address(this)), new bytes32[](0));
} else if (poolId == 3) { // byvwbtc
IbyvWbtc(address(pool.sett)).deposit(new bytes32[](0)); // pulls all available
// Same whole-balance pattern as the sett branch: mints against everything the Zap holds.
_ibbtc = byvWbtcPeak.mint(pool.sett.balanceOf(address(this)), new bytes32[](0));
} else {
revert("INVALID_POOL_ID");
}
Recommendation
Change to:
/// @notice Pulls `amount` of `token` from the caller, routes it into pool `poolId`
///         and mints ibBTC through the matching peak.
/// @dev    Same as the original except that the poolId bound is checked up front, so an
///         invalid id reverts before any token is pulled and the final branch no longer
///         needs its own revert. The function's closing brace and any use of `minOut`
///         lie outside this excerpt (presumably a slippage check — confirm in Zap.sol).
/// @param  token  ERC20 transferred from msg.sender via safeTransferFrom
/// @param  amount quantity of `token` to pull
/// @param  poolId index into `pools`; must be <= 3 (0..2 sett pools, 3 byvWBTC)
/// @param  idx    forwarded unchanged to _addLiquidity; its meaning is not visible here
/// @param  minOut not referenced in the visible lines (see @dev)
/// @return _ibbtc the value returned by the peak's mint call
function mint(IERC20 token, uint amount, uint poolId, uint idx, uint minOut)
external
defend
blockLocked
whenNotPaused
returns(uint _ibbtc)
{
// Validate before the external transfer so a bad id fails cheaply; keeps the
// original revert reason.
require(poolId <= 3, "INVALID_POOL_ID");
token.safeTransferFrom(msg.sender, address(this), amount);
Pool memory pool = pools[poolId];
if (poolId < 3) { // setts
_addLiquidity(pool.deposit, amount, poolId + 2, idx); // pools are such that the #tokens they support is +2 from their poolId.
// NOTE(review): both calls below act on the contract's *entire* lpToken / sett
// balance, not only what this call produced, so any residual balance held by the
// Zap would be credited to this caller — confirm the Zap never retains a balance.
pool.sett.deposit(pool.lpToken.balanceOf(address(this)));
_ibbtc = settPeak.mint(poolId, pool.sett.balanceOf(address(this)), new bytes32[](0));
} else { // byvwbtc — only poolId == 3 can reach here because of the require above
IbyvWbtc(address(pool.sett)).deposit(new bytes32[](0)); // pulls all available
// Same whole-balance pattern as the sett branch: mints against everything the Zap holds.
_ibbtc = byvWbtcPeak.mint(pool.sett.balanceOf(address(this)), new bytes32[](0));
}
Handle
WatchPug
Vulnerability details
Checking `poolId <= 3` earlier avoids unnecessary code execution when the check fails.
https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L93-L112
Recommendation
Change to: