Steal directly transferred funds via backrunning

[code423n4]

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L132

Vulnerability details

Issue: If BPT is sent to the contract for any reason, an attacker can call deposit and claim the BPT for themselves.

Consequences: Loss of any BPT sent to the contract directly.

Proof of Concept:

• User mistakenly sends BPT directly to the contract, possibly intending to call deposit afterwards.
• Attacker is watching and backruns the BPT transfer with their own deposit call.
• The attacker provides a trivial amount of their own BAL to pass the checks in _investBalToPool.
• The BPT from the attacker's BAL, as well as the victim's BPT, are both locked in the Balancer gauge and credited to the attacker.

Mitigations: User education and documentation.

[dmvt]

As I've said in other issues, users who directly send funds randomly to smart contracts should expect to lose them. Invalid.