code-423n4 / 2021-11-badgerzaps-findings

0 stars 0 forks source link

`Zap.sol#mint()` Validation of `poolId` can be done earlier to save gas #35

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

Check if poolId <= 3 earlier can avoid unnecessary code execution when this check failed.

https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L93-L112

function mint(IERC20 token, uint amount, uint poolId, uint idx, uint minOut)
    external
    defend
    blockLocked
    whenNotPaused
    returns(uint _ibbtc)
{
    token.safeTransferFrom(msg.sender, address(this), amount);

    Pool memory pool = pools[poolId];
    if (poolId < 3) { // setts
        _addLiquidity(pool.deposit, amount, poolId + 2, idx); // pools are such that the #tokens they support is +2 from their poolId.
        pool.sett.deposit(pool.lpToken.balanceOf(address(this)));
        _ibbtc = settPeak.mint(poolId, pool.sett.balanceOf(address(this)), new bytes32[](0));
    } else if (poolId == 3) { // byvwbtc
        IbyvWbtc(address(pool.sett)).deposit(new bytes32[](0)); // pulls all available
        _ibbtc = byvWbtcPeak.mint(pool.sett.balanceOf(address(this)), new bytes32[](0));
    } else {
        revert("INVALID_POOL_ID");
    }

Recommendation

Change to:

function mint(IERC20 token, uint amount, uint poolId, uint idx, uint minOut)
    external
    defend
    blockLocked
    whenNotPaused
    returns(uint _ibbtc)
{
    require(poolId <= 3, "INVALID_POOL_ID");

    token.safeTransferFrom(msg.sender, address(this), amount);

    Pool memory pool = pools[poolId];
    if (poolId < 3) { // setts
        _addLiquidity(pool.deposit, amount, poolId + 2, idx); // pools are such that the #tokens they support is +2 from their poolId.
        pool.sett.deposit(pool.lpToken.balanceOf(address(this)));
        _ibbtc = settPeak.mint(poolId, pool.sett.balanceOf(address(this)), new bytes32[](0));
    } else { // byvwbtc
        IbyvWbtc(address(pool.sett)).deposit(new bytes32[](0)); // pulls all available
        _ibbtc = byvWbtcPeak.mint(pool.sett.balanceOf(address(this)), new bytes32[](0));
    }
GalloDaSballo commented 2 years ago

Agree with the finding