_getDepositedBalance gives balance of account + collateral(balance of all vaults)
if a malicious party removes the vault of the user(since anyone can add/remove vaults of anyone if they are present in the cauldron) before some critical action involving a call to _getDepositedBalance, it will be miscalculated
_getDepositedBalance is used in _checkpoint and _checkpointAndClaim in state changing manner
hence during wrap, unwrap and getRewards function calls (which has at least one call to _getDepositedBalance) will result in miscalculation(lower) of rewards in _calcRewardIntegral due to not accounting for collateral of removed vaults
the worst-case scenario is the user is not able to claim any rewards because a frontrunning bot can always remove all vaults of the user before the call to wrap, unwrap, or getRewards function
Tools Used
Manual Review
Recommended Mitigation Steps
Put a condition so that only the user can remove his/her vaults.
iamsahu
commented
2 years ago
Handle
hack3r-0m
Vulnerability details
Location: https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexYieldWrapper.sol#L100
_getDepositedBalancegives balance of account + collateral(balance of all vaults)_getDepositedBalance, it will be miscalculated_getDepositedBalanceis used in_checkpointand_checkpointAndClaimin state changing mannerwrap,unwrapandgetRewardsfunction calls (which has at least one call to_getDepositedBalance) will result in miscalculation(lower) of rewards in_calcRewardIntegraldue to not accounting for collateral of removed vaultsthe worst-case scenario is the user is not able to claim any rewards because a frontrunning bot can always remove all vaults of the user before the call to wrap, unwrap, or getRewards function
Tools Used
Manual Review
Recommended Mitigation Steps
Put a condition so that only the user can remove his/her vaults.