Open code423n4 opened 2 years ago
Given no funds would be at risk as this is an issue that would exist at the time of admin's market creation, i'd probably say that this issue is likely ~low or so
Given no funds would be at risk as this is an issue that would exist at the time of admin's market creation, i'd probably say that this issue is likely ~low or so
Agreed that funds are not necessarily at risk but this is a broken functionality of the protocol. Given:
There are a few primary targets for concern:
- Ensuring the new
Compounding.sol
library properly calculates the exchangeRate for each external protocol.- Ensuring the new
withdraw
anddeposit
methods onSwivel.sol
properly encapsulate external protocol interactions.
I believe this should be a Medium Risk issue.
lol... market forces at work
the example given is incorrect. Compounding.Underlying()
is correct as Compounding
is our library that abstracts the actual call to get the asset in question.
the actual error is in the Compounding lib where .Protocol resolves to Protocols.Yearn
Lines of code
https://github.com/code-423n4/2022-07-swivel/blob/fbf94f87994d91dce75c605a1822ec6d6d7e9e74/Marketplace/Compounding.sol#L55-L56 https://github.com/code-423n4/2022-07-swivel/blob/fbf94f87994d91dce75c605a1822ec6d6d7e9e74/Marketplace/MarketPlace.sol#L64-L73
Vulnerability details
Impact
Yearn integration is broken, making it impossible to create a
MarketPlace
associated with a Yearn vault.Proof of Concept
Compounding.sol
attempts to resolve theunderlying
token implemented by supported protocols:https://github.com/code-423n4/2022-07-swivel/blob/fbf94f87994d91dce75c605a1822ec6d6d7e9e74/Marketplace/Compounding.sol#L50-L64
As can be seen in the excerpt above, the contract will attempt to access
IYearnVault(c).underlying();
when integrating with a Yearn vault. Problem is this property is not present in Yearn vaults. Therefore this operation will always revert.In particular, this would not allow to create a
MarketPlace
associated with a Yearn vault even though the protocol is stated as supported.https://github.com/code-423n4/2022-07-swivel/blob/fbf94f87994d91dce75c605a1822ec6d6d7e9e74/Marketplace/MarketPlace.sol#L64-L73
Correct underlying token address in Yearn vaults is stored in the
token
property.https://github.com/yearn/yearn-vaults/blob/beff27908bb2ae017ed73b773181b9b93f7435ad/contracts/Vault.vy#L74
Tools Used
vim
Recommended Mitigation Steps
Access the underlying token of a Yearn vault through the
token
property instead of the non-existentunderlying
which will cause a revert and the inability to create marketplaces associated with the protocol.