Open code423n4 opened 3 years ago
Handle

WatchPug

Vulnerability details

`Router#initialize()` will set `reserve`, which will later be used for `reserve.reimburseImpermanentLoss()`.

However, there is no validation to make sure the asset managed by the `reserve` contract matches the `nativeAsset` on the Router.

This is an important validation. If, let's say, a reserve for a more valuable token `Vader` is set for a Router for the stable coin `USDV`, then `Vader` will be wrongly used to `reimburseImpermanentLoss`, causing fund loss to the protocol.

https://github.com/code-423n4/2021-11-vader/blob/429970427b4dc65e37808d7116b9de27e395ce0c/contracts/reserve/VaderReserve.sol#L76-L91

```solidity
function reimburseImpermanentLoss(address recipient, uint256 amount)
    external
    override
{
    require(
        msg.sender == router,
        "VaderReserve::reimburseImpermanentLoss: Insufficient Priviledges"
    );

    uint256 actualAmount = _min(reserve(), amount);

    vader.safeTransfer(recipient, actualAmount);

    emit LossCovered(recipient, amount, actualAmount);
}
```

Recommendation

Validate the `reserve.vader()` and make sure it matches `Router.nativeAsset`.
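A sketch of the recommended check, added here as an illustration; it is not code from the Vader repository or from the report. `RouterSketch`, `IReserveLike`, `ReserveStub`, the owner gate, the one-shot guard and the use of plain `address` types are all assumptions; only `reserve.vader()`, `nativeAsset` and `initialize()` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Hypothetical minimal interface: only the getter named in the recommendation.
interface IReserveLike {
    function vader() external view returns (address);
}

// Hypothetical stand-in for a reserve, used to exercise the check in a test.
contract ReserveStub is IReserveLike {
    address public immutable override vader;

    constructor(address _asset) {
        vader = _asset;
    }
}

// Illustrative router, not the protocol's Router contract.
contract RouterSketch {
    address public immutable nativeAsset;
    address public immutable owner;
    IReserveLike public reserve;

    constructor(address _nativeAsset) {
        require(_nativeAsset != address(0), "RouterSketch: zero native asset");
        nativeAsset = _nativeAsset;
        owner = msg.sender;
    }

    function initialize(IReserveLike _reserve) external {
        require(msg.sender == owner, "RouterSketch: not owner");
        require(address(reserve) == address(0), "RouterSketch: already initialized");
        require(address(_reserve) != address(0), "RouterSketch: zero reserve");

        // The validation the report recommends: the asset the reserve pays out
        // must be the asset this router treats as native. The call also reverts
        // if _reserve does not implement vader().
        require(
            _reserve.vader() == nativeAsset,
            "RouterSketch: reserve asset mismatch"
        );

        reserve = _reserve;
    }
}
```

With this guard, a `RouterSketch` constructed for one token reverts in `initialize()` when handed a `ReserveStub` holding a different token, so the mismatch surfaces at setup time rather than at the first reimbursement.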