code-423n4 / 2023-01-popcorn-findings


YearnAdapter.sol does not allow to set maxLoss parameter #364

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/adapter/yearn/YearnAdapter.sol#L171

Vulnerability details

Impact

The current implementation of the YearnAdapter.sol contract does not allow withdrawing with a specified maxLoss parameter. The withdraw function of Vault.vy sets it to a default value of 0.01%.

Although it seems appropriate, it can also be set to zero if no loss is desired. Moreover, there are certain cases where maxLoss needs to be increased or the funds can be locked. This is more likely to happen with bigger positions in the vault.

The withdraw function will go through the withdrawal queue, adding up losses (if any) to the caller.

Tools Used

Static analysis

Recommended Mitigation Steps

Consider adding the possibility to support maxLoss values. It can be set to zero if no loss is desired, and it can also be increased when necessary to withdraw with larger losses, avoiding funds being locked in the vault.
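As an added illustration (not code from the Popcorn repository or from the issue author), the sketch below shows the pattern the mitigation describes: the adapter keeps a bounded `maxLoss` value in basis points and forwards it to the Yearn v2 `withdraw(maxShares, recipient, maxLoss)` overload instead of relying on the vault's default of 1 bps. The Yearn vault interface matches the public Vault.vy ABI (maxLoss is in basis points, 10_000 = 100%); the adapter contract, its `owner`, the `MAX_LOSS_CAP` constant and the `_protocolWithdraw` body are assumptions chosen for the example, not the project's actual implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal subset of the Yearn v2 Vault.vy ABI relevant to withdrawals.
/// Vyper default arguments expose several overloads; the three-argument
/// form is the only one that lets the caller choose maxLoss.
interface IYearnVault {
    /// @param maxShares  shares to burn
    /// @param recipient  receiver of the underlying tokens
    /// @param maxLoss    tolerated loss in basis points (0..10_000); the
    ///                   vault reverts if realized losses exceed it
    function withdraw(
        uint256 maxShares,
        address recipient,
        uint256 maxLoss
    ) external returns (uint256);
}

/// Illustrative adapter fragment (hypothetical, not Popcorn's YearnAdapter).
contract YearnAdapterMaxLossExample {
    uint256 public constant BPS = 10_000;

    /// Assumed upper bound for what an owner may configure. A cap keeps a
    /// compromised or careless owner from silently accepting arbitrary
    /// losses on behalf of depositors; pick the number for your risk model.
    uint256 public constant MAX_LOSS_CAP = 100; // 1%

    IYearnVault public immutable yearnVault;
    address public owner;

    /// Loss tolerance forwarded to the vault, in basis points.
    /// Starts at the Yearn default (1 bps = 0.01%) so behaviour is
    /// unchanged until someone explicitly tunes it.
    uint256 public maxLoss = 1;

    event MaxLossUpdated(uint256 oldMaxLoss, uint256 newMaxLoss);

    error NotOwner();
    error MaxLossTooHigh(uint256 requested, uint256 cap);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IYearnVault _yearnVault) {
        yearnVault = _yearnVault;
        owner = msg.sender;
    }

    /// Set to 0 when no loss is acceptable; raise it (up to the cap) when a
    /// large position cannot be unwound at the default tolerance and would
    /// otherwise be stuck because every withdraw() reverts.
    function setMaxLoss(uint256 newMaxLoss) external onlyOwner {
        if (newMaxLoss > MAX_LOSS_CAP) {
            revert MaxLossTooHigh(newMaxLoss, MAX_LOSS_CAP);
        }
        emit MaxLossUpdated(maxLoss, newMaxLoss);
        maxLoss = newMaxLoss;
    }

    /// Before (the behaviour the issue describes): the single-argument
    /// overload, which leaves maxLoss at the vault's hard-coded default.
    ///   yearnVault.withdraw(shares);
    ///
    /// After: pass the configured tolerance explicitly.
    function _protocolWithdraw(uint256 shares) internal returns (uint256) {
        return yearnVault.withdraw(shares, address(this), maxLoss);
    }
}
```

The cap is the part worth thinking about: exposing `maxLoss` solves the lock-up problem the issue raises, but an unbounded setter turns a liveness issue into a trust issue, since whoever controls it decides how much of a withdrawal may be lost to the strategy queue.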

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor acknowledged

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b