code-423n4 / 2023-01-popcorn-findings


YearnAdapter previewRedeem / previewWithdraw does not consider the fee on yearn vault side #740

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/adapter/abstracts/AdapterBase.sol#L28
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/adapter/yearn/YearnAdapter.sol#L17

Vulnerability details

Impact

YearnAdapter previewRedeem / previewWithdraw does not consider the fee on yearn vault side.

Proof of Concept

According to the Yearn vault smart contract,

https://github.com/yearn/yearn-devdocs/blob/master/docs/developers/v2/SPECIFICATION.md#fees

the yearn vault charges fees:

The Treasury (which benefits Governance) collects a "management fee" based on the total assets the Vault has over a period of time, assessed each time the Strategy interacts with the Vault, and is provided as newly minted shares to the Treasury.

The Treasury (which benefits Governance) collects a "performance fee" based on the amount of returns a Strategy produces during Normal Operation, assessed each time the Strategy interacts with the Vault, and is provided as newly minted shares to the Treasury.

Each Strategist collects a "performance fee" based on the amount of positive returns their Strategy produces during Normal Operation, assessed each time the Strategy interacts with the Vault, and is provided as newly minted shares to the Strategist.

Performance fee and management fee are charged on the Yearn vault side, but if we look into the implementation of YearnAdapter.sol,

contract YearnAdapter is AdapterBase {

which inherits from the regular ERC4626 implementation:

abstract contract AdapterBase is
    ERC4626Upgradeable,

the previewMint, previewRedeem, previewDeposit, previewWithdraw do not consider the performance fee and management fee charged.

This results in the preview-related functions over-estimating the shares that can be minted and the assets that can be withdrawn / redeemed.

The result is quite misleading and users can unexpectedly lose funds to the fee when interacting with YearnAdapter.sol.

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend the protocol estimate the management fee and performance fee in the preview-related functions in YearnAdapter.sol.
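As an added illustration (constructed for this note, not code from Popcorn or Yearn), a toy Python model of the fee minting the spec text above describes: a strategy report mints fee shares to the treasury, and the block compares an ERC4626-style preview taken from the pre-report state with the gross-of-fee figure and with what the holder can actually claim afterwards. Balances, fee rates, the cap of the fee at the reported gain and the pre-gain pricing of fee shares are assumptions of the model.

```python
# Toy model (constructed; not Popcorn or Yearn code) of a Yearn-style vault that
# pays management and performance fees as newly minted shares on each report.
from dataclasses import dataclass

BPS = 10_000


@dataclass
class YearnVaultModel:
    total_assets: int          # underlying tokens the vault controls
    total_supply: int          # vault shares outstanding
    performance_fee_bps: int   # assumed rate, e.g. 1000 = 10% of reported gains
    management_fee_bps: int    # assumed rate, e.g. 200 = 2% per year of assets
    treasury_shares: int = 0   # fee shares minted so far

    def convert_to_assets(self, shares: int) -> int:
        # ERC4626-style preview: pro-rata claim on current assets, rounded down
        return shares * self.total_assets // self.total_supply

    def report(self, gain: int, year_fraction: float) -> int:
        """Strategy reports `gain` after `year_fraction` of a year. Management fee
        on assets over the period plus performance fee on the gain are paid as
        fresh shares; fee capped at the gain and shares priced at the pre-gain
        share price are assumptions. Returns the fee shares minted."""
        mgmt = int(self.total_assets * year_fraction) * self.management_fee_bps // BPS
        perf = gain * self.performance_fee_bps // BPS
        fee = min(mgmt + perf, gain)
        fee_shares = fee * self.total_supply // self.total_assets
        self.total_supply += fee_shares
        self.treasury_shares += fee_shares
        self.total_assets += gain
        return fee_shares


def quoted_gross_actual(vault: YearnVaultModel, user_shares: int,
                        gain: int, year_fraction: float) -> tuple[int, int, int]:
    """quoted: preview from the current state (what previewRedeem-style code gives);
    gross:  holder's value of the gain if no fee shares were minted;
    actual: holder's claim after the report has minted fee shares."""
    quoted = vault.convert_to_assets(user_shares)
    gross = user_shares * (vault.total_assets + gain) // vault.total_supply
    vault.report(gain, year_fraction)
    actual = vault.convert_to_assets(user_shares)
    return quoted, gross, actual


def demo() -> tuple[int, int, int]:
    # Constructed figures: 1:1 share price, 10% performance fee, 2% p.a. management fee
    vault = YearnVaultModel(1_000_000, 1_000_000, performance_fee_bps=1000, management_fee_bps=200)
    return quoted_gross_actual(vault, user_shares=100_000, gain=100_000, year_fraction=0.5)
```

With the constructed figures the holder's gross claim on the gain is 110_000 but the fee shares dilute it to 107_843; the difference is the holder's share of the fees, which a preview that reads only the current vault state never anticipates.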

c4-judge commented 1 year ago

dmvt marked the issue as duplicate of #23

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor confirmed

c4-judge commented 1 year ago

dmvt marked the issue as partial-50