Closed code423n4 closed 2 years ago
By removing a vault, you remove the ability to interact with it, however funds are not freezed. Funds are stored in the NestedReserve
, you can withdraw
(function from NestedFactory
) from there and get back the share token in your wallet to withdraw by yourself using the Beefy UI.
Lines of code
https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/operators/Beefy/BeefyVaultStorage.sol#L34-L38
Vulnerability details
Impact
Beefy vault can be removed without withdrawing all deposited tokens. Causing these token to be locked forever unless an owner is added this vault back.
Proof of Concept
Once vault is deleted, it can't be deposit or withdraw using operator anymore. as it will be reverted with "BVO: INVALID_VAULT" as shown below
deleted vault -> token = IERC20(operatorStorage.vaults(vault)); = address(0) -> revered with "BVO: INVALID_VAULT"
Tools Used
Manual
Recommended Mitigation Steps