code-423n4 / 2023-01-popcorn-findings


lack of cooldown period for Yearn adapter operation. #792

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/adapter/yearn/YearnAdapter.sol#L17

Vulnerability details

Impact

lack of cooldown period for Yearn adapter operation.

Proof of Concept

In the current implementation, in YearnAdapter, the user can deposit or withdraw with the Yearn vault. However, according to the Yearn documentation,

https://github.com/yearn/yearn-devdocs/blob/master/docs/developers/v2/SPECIFICATION.md#normal-operation

NOTE: Users should only withdraw "free" assets as some strategies need to divest "gracefully", and a large withdrawal could incur a loss, which will get passed back to the withdrawer.

This basically means that once the user deposits the fund into the vault, the vault may need to invest the fund into a strategy, and it takes time for the strategy to generate yield.

For example, a lending strategy may have a lending term maturity period; redeeming before the maturity period can incur a loss.

As the doc said: "and a large withdrawal could incur a loss, which will get passed back to the withdrawer." This could be the high early withdrawal fee charged by the underlying strategy or large trade slippage when exiting the position.

Without implementing a cooldown period for withdraw and deposit, a heedless withdrawal by the user can result in loss of funds.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement the cooldown period for Yearn adapter deposit / withdraw operation to avoid the loss.

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor disputed

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Insufficient quality