deposit in ConvexStakingWrapper will most certainly revert

[code423n4]

Handle

wuwe1

Vulnerability details

Proof of Concept

https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L94-L99

        address mainPool = IRewardStaking(convexBooster)
            .poolInfo(_pid)
            .crvRewards;
        if (rewards[_pid].length == 0) {
            pids[IRewardStaking(convexBooster).poolInfo(_pid).lptoken] = _pid;
            convexPool[_pid] = mainPool;

convexPool[_pid] is set to IRewardStaking(convexBooster).poolInfo(_pid).crvRewards;

crvRewards is a BaseRewardPool like this one https://etherscan.io/address/0x8B55351ea358e5Eda371575B031ee24F462d503e#code.

BaseRewardPool does not implement poolInfo

https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L238

IRewardStaking(convexPool[_pid]).poolInfo(_pid).lptoken

Above line calls poolInfo of crvRewards which causes revert.

Recommended Mitigation Steps

According to Booster's code

https://etherscan.io/address/0xF403C135812408BFbE8713b5A23a04b3D48AAE31#code

    //deposit lp tokens and stake
    function deposit(uint256 _pid, uint256 _amount, bool _stake) public returns(bool){
        require(!isShutdown,"shutdown");
        PoolInfo storage pool = poolInfo[_pid];
        require(pool.shutdown == false, "pool is closed");

        //send to proxy to stake
        address lptoken = pool.lptoken;
        IERC20(lptoken).safeTransferFrom(msg.sender, staker, _amount);

convexBooster requires poolInfo[_pid].lptoken.

change L238 to

IRewardStaking(convexBooster).poolInfo(_pid).lptoken

[GalloDaSballo]

The warden has shown how an improper assumption about the pool contract can cause reverts.

While the risk of loss of funds is non-existant because all calls will revert, I believe the core functionality of the code is broken, for that reason I think High Severity to be the proper severity