Closed code423n4 closed 1 year ago
RedVeil marked the issue as sponsor disputed
dmvt marked the issue as unsatisfactory: Invalid
From the sponsor:
the booster contract returns assets 1:1 and there can't be any liquidity crunch or withdrawalFee nor slippage so it's basically not possible that the booster returns smth else than the exact amount of assets we are asking for
Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/adapter/beefy/BeefyAdapter.sol#L210-L211
https://github.com/beefyfinance/beefy-contracts/blob/18ffce2c4c8f66865636efb92a24f7dc8f258e20/contracts/BIFI/vaults/BeefyVaultV6.sol#L143
Vulnerability details
When withdrawing from an adapter, the function does an internal call to _protocolWithdraw()
This is the function in case of the BeefyAdapter
If there is a booster, the call will first withdraw beefyShares from beefyBooster, before withdrawing the same amount from the beefyVault.
The issue is that if a booster does not send back that exact amount of shares, the call to beefyVault will revert here as balanceOf(adapter) < beefyShares.
This can happen for a number of reasons (liquidity crunch, or a case where the booster charges a fee on withdrawal, keeping some of the shares).
In such a case, withdrawals are essentially broken.
Impact
Medium
Tools Used
Manual Analysis
Mitigation
Add a share balance check before and after the call to beefyBooster.withdraw(beefyShares), and use that difference as the input to beefyVault.withdraw()
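The balance-delta check proposed under Mitigation, as an added Solidity sketch (not the Popcorn or Beefy code). The interfaces, contract name, function name and error are hypothetical; the sketch assumes only that the booster's withdraw sends vault shares back to the caller and that the vault exposes balanceOf and withdraw.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Minimal interfaces assumed for this sketch (hypothetical names).
interface IBeefyVaultLike {
    function balanceOf(address account) external view returns (uint256);
    function withdraw(uint256 shares) external;
}

interface IBeefyBoosterLike {
    function withdraw(uint256 amount) external;
}

abstract contract BoosterWithdrawSketch {
    IBeefyVaultLike public immutable beefyVault;
    // address(0) means the adapter holds its vault shares directly.
    IBeefyBoosterLike public immutable beefyBooster;

    error BoosterReturnedNoShares();

    constructor(IBeefyVaultLike vault_, IBeefyBoosterLike booster_) {
        beefyVault = vault_;
        beefyBooster = booster_;
    }

    /// Withdraw `beefyShares` from the booster (if any), then redeem from the
    /// vault only the shares that actually arrived at this contract.
    function _withdrawUnderlyingShares(uint256 beefyShares) internal {
        if (address(beefyBooster) != address(0)) {
            uint256 balanceBefore = beefyVault.balanceOf(address(this));
            beefyBooster.withdraw(beefyShares);
            // Checked arithmetic: reverts if the share balance went down.
            uint256 received = beefyVault.balanceOf(address(this)) - balanceBefore;
            if (received == 0) revert BoosterReturnedNoShares();
            // Use the measured delta, not the requested amount, so the vault
            // call cannot fail on balanceOf(adapter) < beefyShares.
            beefyShares = received;
        }
        beefyVault.withdraw(beefyShares);
    }
}
```

If the booster returns shares 1:1, as the sponsor states, received equals beefyShares and the behaviour is unchanged. If it returned fewer, fewer underlying assets would arrive than the withdrawal requested, so the caller would have to account for that shortfall or revert on a mismatch instead.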