Open code423n4 opened 2 years ago
As of now, the one in the contract is the optimal routing path.
I think the warden has made a reasonable find and recommendation. The sponsor used the phrase 'as of now' in disputing the report, but the idea that it may not always be the optimal path is actually specifically what the report and its mitigation addresses. That said, external factors are required so moving it to medium severity.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/yVault/strategies/StrategyPUSDConvex.sol#L311-L334
Vulnerability details
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/yVault/strategies/StrategyPUSDConvex.sol#L311-L334
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/yVault/strategies/StrategyPUSDConvex.sol#L410-L430
In the current implementation, rewardTokens from the underlying strategy will be swapped to weth first then weth -> usdc.
However, the path used for swapping from rewardToken -> weth is hardcoded as [rewardToken, weth], which may not be the optimal route.
For example, the majority liquidity for a particular rewardToken may actually be in the rewardToken/USDC pool. Swapping through the rewardToken/WETH with low liquidity may end up getting only a dust amount of WETH.
Recommendation
Consider allowing the admin to set a path for the rewardTokens.
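One way the recommendation above could look, as an added sketch that is not code from StrategyPUSDConvex.sol or from the report. The contract name, `admin`, `setRewardPath` and `rewardPath` are hypothetical, and it assumes the path must still end in weth so the later weth -> usdc step is unchanged.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration only: hypothetical names, not the project's contract.
contract RewardPathRegistry {
    address public immutable weth;
    address public admin;

    // rewardToken => swap path ending in weth; an empty array means "use the default".
    mapping(address => address[]) private _rewardPaths;

    event RewardPathSet(address indexed rewardToken, address[] path);

    modifier onlyAdmin() {
        require(msg.sender == admin, "NOT_ADMIN");
        _;
    }

    constructor(address _weth) {
        require(_weth != address(0), "ZERO_WETH");
        weth = _weth;
        admin = msg.sender;
    }

    /// Set the route for one reward token; pass an empty array to restore the default.
    function setRewardPath(address rewardToken, address[] calldata path) external onlyAdmin {
        if (path.length != 0) {
            require(path.length >= 2, "PATH_TOO_SHORT");
            // Endpoints are pinned so a bad path cannot redirect the swap to another asset.
            require(path[0] == rewardToken, "BAD_PATH_START");
            require(path[path.length - 1] == weth, "BAD_PATH_END");
            for (uint256 i = 0; i < path.length; i++) {
                require(path[i] != address(0), "ZERO_HOP");
            }
        }
        _rewardPaths[rewardToken] = path;
        emit RewardPathSet(rewardToken, path);
    }

    /// Path the strategy would pass to its router: the configured one,
    /// or the previously hardcoded [rewardToken, weth] when none is set.
    function rewardPath(address rewardToken) public view returns (address[] memory path) {
        path = _rewardPaths[rewardToken];
        if (path.length == 0) {
            path = new address[](2);
            path[0] = rewardToken;
            path[1] = weth;
        }
    }
}
```

Emitting an event on every path change gives monitoring a record of admin route updates, and the endpoint checks limit what a mistaken or malicious path can do.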