Open code423n4 opened 1 year ago
dmvt marked the issue as duplicate of #370
RedVeil marked the issue as sponsor confirmed
dmvt marked the issue as not a duplicate
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/adapter/beefy/BeefyAdapter.sol#L155
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/adapter/beefy/BeefyAdapter.sol#L176
Vulnerability details
Impact
Strategy withdrawal fee estimation is not accurate in BeefyAdapter.sol
Proof of Concept
In the current implementation of BeefyAdapter.sol, when previewWithdraw and previewRedeem are called, the code tries to estimate the withdrawal fee from Beefy's strategy contract.
and
However, the withdrawalFee estimate is not accurate.
Consider the strategy contracts of Beefy Finance.
First of all, Beefy Finance integrates and develops a large number of strategies.
Some strategies expose withdrawalFee as a public variable:
https://github.com/beefyfinance/beefy-contracts/blob/1a92ee47db78bb625445e8425f53af31fe5e3543/contracts/BIFI/strategies/Curve/StrategyConvex.sol#L102
while others use a hardcoded parameter:
https://github.com/beefyfinance/beefy-contracts/blob/1a92ee47db78bb625445e8425f53af31fe5e3543/contracts/BIFI/strategies/Mdex/StrategyMdexLP.sol#L79
If a strategy does not expose withdrawalFee as a read-only getter, the function below clearly does not work.
Also, even when the strategy contract does expose the parameter withdrawalFee,
the fee estimation does not match the fee implementation in the Beefy strategy contract.
The fee estimation used is:
However, in the Beefy strategy, it is
which is:
https://github.com/beefyfinance/beefy-contracts/blob/1a92ee47db78bb625445e8425f53af31fe5e3543/contracts/BIFI/strategies/Curve/StrategyConvex.sol#L131
Or, if WITHDRAWAL_FEE is used, the withdrawal fee is calculated as:
which is:
https://github.com/beefyfinance/beefy-contracts/blob/1a92ee47db78bb625445e8425f53af31fe5e3543/contracts/BIFI/strategies/Mdex/StrategyMdexLP.sol#L163
The withdrawal max denominator is 10000.
Because the fee estimate used when previewing a withdraw or redeem does not match the underlying strategy's withdrawal fee calculation,
the numbers reported by previewWithdraw and previewRedeem in BeefyAdapter.sol are wrong.
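Added example, not the Popcorn adapter's or Beefy's code: a Python model of the strategy fee formula cited above (fee = amount * withdrawalFee / withdrawal max, with the max of 10000 and Solidity floor division). It shows why a preview has to reuse the strategy's own integer arithmetic: a redeem preview built on that formula is exact, while an inversion that ignores the strategy's floor rounding overshoots. The adapter's real estimation formula is not shown on this page; the "naive" inversion here is an assumed illustration, not the adapter's code.

```python
# Added model of the Beefy strategy fee arithmetic (not the adapter's or Beefy's code).
WITHDRAWAL_MAX = 10_000  # denominator used by the linked Beefy strategies


def beefy_net_after_fee(want_amount: int, fee_bps: int) -> int:
    """What the strategy actually pays out: amount - floor(amount * fee / MAX)."""
    if not 0 <= fee_bps < WITHDRAWAL_MAX:
        raise ValueError("fee must be a basis-point value below WITHDRAWAL_MAX")
    withdrawal_fee_amount = want_amount * fee_bps // WITHDRAWAL_MAX
    return want_amount - withdrawal_fee_amount


def preview_redeem(want_amount: int, fee_bps: int) -> int:
    """previewRedeem model: exact because it reuses the strategy's formula."""
    return beefy_net_after_fee(want_amount, fee_bps)


def naive_preview_withdraw(assets: int, fee_bps: int) -> int:
    """Assumed inversion ceil(assets * MAX / (MAX - fee)). It ignores that the
    strategy floors the fee, so it can report one unit more than needed."""
    return -(-assets * WITHDRAWAL_MAX // (WITHDRAWAL_MAX - fee_bps))


def preview_withdraw(assets: int, fee_bps: int) -> int:
    """Smallest gross g with beefy_net_after_fee(g, fee) >= assets.
    Since g - floor(g*f/M) == ceil(g*(M-f)/M), g = floor((assets-1)*M/(M-f)) + 1."""
    if assets == 0:
        return 0
    return (assets - 1) * WITHDRAWAL_MAX // (WITHDRAWAL_MAX - fee_bps) + 1


def check_preview(assets: int, fee_bps: int) -> dict:
    """Compare both previews against a brute-force search over the strategy's payout."""
    exact = preview_withdraw(assets, fee_bps)
    naive = naive_preview_withdraw(assets, fee_bps)
    # naive >= exact always holds, so the brute-force search can stop at naive
    brute = next(g for g in range(assets, naive + 1)
                 if beefy_net_after_fee(g, fee_bps) >= assets)
    return {"exact": exact, "naive": naive, "brute": brute,
            "naive_overshoot": naive - brute}


if __name__ == "__main__":
    # constructed sample: 0.1% fee (10 bps), user wants exactly 1000 assets out
    print(check_preview(1000, 10))
```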
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend that the protocol make the strategy withdrawal fee estimation match the Beefy strategy's calculation. This can be difficult to implement; the protocol may need to map the strategy name to the withdrawal fee.